Securing the future: Protecting Australia's superannuation ecosystem against cybersecurity threats
Contents

Glossary of key terms 04
About this research 05
Executive summary 06
The superannuation ecosystem: A highly attractive target for cybercriminals 09
A unique, sizeable, dynamic and highly networked ecosystem 13
A fragmented yet evolving regulatory landscape 15
Key players in the superannuation ecosystem 18
A way forward: An industry, organisational and member approach to managing cyber risks 20

Securing the future 2
Disclaimer

This report has been commissioned by Gateway Network Governance Body Ltd ("GNGB"), and co-authored by PwC Australia and GNGB. This report is not intended to be relied upon by anyone other than GNGB. The report was prepared solely for GNGB's use and benefit in accordance with and for the purpose set out in the PwC engagement letter with GNGB dated 8 October 2020. In doing so, PwC acted exclusively for GNGB and considered no-one else's interests.

PwC accepts no responsibility, duty or liability:
• To anyone other than GNGB in connection with this report; and
• To GNGB for the consequences of using or relying on it for a purpose other than that referred to above.

PwC makes no representation concerning the appropriateness of this report for anyone other than GNGB. If anyone other than GNGB chooses to use or rely on it they do so at their own risk.

This disclaimer applies:
• To the maximum extent permitted by law and, without limitation, to liability arising in negligence or under statute; and
• Even if PwC consents to anyone other than GNGB receiving or using this report.

PwC's liability is limited by a scheme approved under Professional Standards legislation.
Glossary of key terms

Superannuation ecosystem: Interconnected network of organisations that govern, participate and provide services across the superannuation system. The superannuation ecosystem spans some of Australia's largest financial institutions, over 880,000 employer organisations and the accountants, bookkeepers, clearing houses, gateways, administrators and more that comprise the supply chain.

Cybersecurity resilience: The ability to safeguard an account holder's member data, and withstand or quickly recover from cyber incidents in an attempt to protect superannuation savings.

Cyber risk: The potential likelihood and impact of loss events during which digital assets and services are intentionally or accidentally compromised.

Cyber threats: A threat actor's successful or unsuccessful attempt to compromise a digital asset or service.

Phishing: A targeted email or series of emails sent by a cybercriminal in an attempt to trick recipients into sharing sensitive information such as online banking logins, credit card details, business login credentials or passwords.

Ransomware: A type of malicious software or malware used by cybercriminals to restrict a recipient's access to files or services, often until payment is made.

Identity theft: A cybercriminal's efforts to access personal information to steal money, apply for loans or gain other benefits. Identity theft can involve the creation of fake identity documents using a victim's details along with a false photograph.
About this research

Among the myriad of negative headlines in Australia's news landscape over 2020, cyber threats loomed large. Cyber incidents, including ransomware infections and data breaches, were consistently reported across a wide variety of sectors, including transport, health and education. In response to increasing threats, in June 2020 the Prime Minister, Scott Morrison, issued a media release alerting all Australians of an active campaign of targeted attacks on a national scale [1]. Overall in 2020, cyber crimes directly affected almost one in three Australians and cost Australian businesses around $29 billion [2].

Comparatively, in Australia's superannuation industry, no material cyber incidents have been reported to date. While we have seen cases of stolen credentials used to fraudulently transact and access savings, a material systemic compromise in the superannuation ecosystem has not yet been identified. But we cannot afford to be complacent. The cyber landscape is changing: digitisation and remote working have accelerated as a result of the COVID-19 pandemic, and the changes we are seeing are here to stay.

Our superannuation ecosystem is used to change and deals with it well, but this new and growing threat calls on us to work together more closely than ever before.

Because of the interconnected nature of our superannuation ecosystem, we depend on each other to protect the superannuation savings of all Australians. The super ecosystem is complex, relying on a range of stakeholders including members, employers, advisers, payroll providers, gateway providers, administrators, custodians, investment managers, regulators and super funds to all work together to deliver the member experience. Given the rapidly evolving cyber landscape, we must all work together now to ensure that our services continue to safeguard the superannuation savings entrusted to us by retired and working Australians.

The Gateway Network Governance Body (GNGB) remit is to ensure the security, integrity and efficiency of the Superannuation Transaction Network (STN): the data infrastructure that transports contributions and rollover transactions. The STN relies heavily on the ability to identify and mitigate cyber risk. Given the interconnectedness of our superannuation sector, we set out to understand the following: What are the top cyber risks in the superannuation ecosystem? What are the most common cyber threats that introduce these risks? What are the main challenges for the ecosystem in managing these cyber risks, for both individual entities and as a collective? What actions should we take as an industry to improve cyber resilience in the ecosystem?

To help answer those questions, GNGB, with PwC Australia, undertook a national research study and gathered the views of more than 80 executives and professionals across the superannuation industry. We offer sincere thanks to those individuals for sharing their experiences with us. This report captures these experts' insights and outlines practical strategies that we, as an industry, should consider for the long-term security of the superannuation ecosystem.

Though the results showed us that the journey to a cohesive approach will not be without challenge, it also showed us that we are as an industry a 'collective of the willing', and we now have a great opportunity. There is no better time to focus on our approach to cyber risks and to optimise our cyber resilience. We hope that you will join us – to debate, design and develop our path forward together.

Kind regards,

Michelle Bower
Executive Officer, GNGB
Executive summary

No industry is immune from cybersecurity attacks

Superannuation is a crucial platform for the retirement and financial wellbeing of both working and retired people in Australia. But the superannuation industry and its supporting ecosystem, which processes assets of value, such as personally identifiable information for millions of members and manages approximately $2.9 trillion in funds [3], is a lucrative target for cybersecurity-related activity. In 2020 alone, the industry saw a number of cybersecurity-related attacks (and near misses) which would have made the building of cyber resilience and trust within the ecosystem top priorities.

The key cybersecurity risks and incidents identified in this research include:
• Theft of member data that is then used to commit fraud for financial gain;
• Loss/theft of member data resulting in a privacy breach and associated fines and penalties; and
• Compromised business systems that affect business operations and therefore jeopardise member services and funds under management.

These risks are not unique to the superannuation industry, but the nature of its assets is such that failure to address them will result in far-reaching consequences.

It is crucial that we understand this industry's risks and challenges, and implement a coordinated capability to improve protection and cyber resilience of its ecosystem.

The secured future

With the input, effort and ownership of all stakeholders that comprise the superannuation ecosystem, imagine an ecosystem with the following cyber resilience characteristics as a possibility.

Characteristic: All stakeholders in the ecosystem have consistently implemented and are appropriately managing the minimum essential cybersecurity controls.
Benefit: This would lift the ecosystem's overall ability to protect itself from common and rudimentary cybersecurity attacks, which in turn reduces the likelihood of a cyber incident.

Characteristic: A systematic process for sharing cyber threat and incident intelligence dynamically across the ecosystem.
Benefit: As soon as a part of the ecosystem comes under attack, the rest of the ecosystem is made aware and appropriate responses and prevention plans can be put in place to minimise the risk of a repeat or ecosystem-wide disruption.

Characteristic: The capabilities to prevent or counter risks from member behaviour (accidental or intentional) are built into the ecosystem rather than being solely the responsibility of members.
Benefit: Members are alleviated from being solely responsible for maintaining a high level of security.

Characteristic: A well-rehearsed and coordinated ecosystem-wide approach exists for responding to cyber incidents, including continual testing and improvement.
Benefit: Organisations are prepared to rapidly and effectively respond to cyber incidents, minimising potential impacts to themselves as well as their ecosystem.

In the above imagined future, common cybersecurity attacks would be prevented and damage from more choreographed or advanced attacks blunted.
The importance of a coordinated approach

Facing the challenges

To realise an ecosystem with such cyber characteristics, this research identified that the following challenges need to be addressed:
• There is a lack of accountability and cyber risk leadership for end-to-end cyber resilience of the ecosystem. While there are a number of regulators in the ecosystem, each has a different area of focus and none has ultimate or overall accountability;
• There is no common standard for cybersecurity, and as a result approaches to managing cyber risks across the ecosystem are inconsistent and uncoordinated. Not all stakeholders in the ecosystem are required to adhere to a standard (e.g. the Australian Taxation Office (ATO)'s Digital Service Providers (DSP) Operational Framework or the Australian Prudential Regulation Authority (APRA)'s Information Security Cross-Industry Prudential Standard CPS 234), and among those organisations that do adhere to one, those standards are not always applied with the same level of consistency and maturity. It's worth noting that some ecosystem participants are global organisations with headquarters outside of Australia, creating a global consistency challenge;
• Compounding these challenges, there is lower cybersecurity awareness among superannuation members who, understandably, may not interact often with their superannuation; and
• Given the barriers to sharing cyber threat intelligence across the ecosystem and an absence of a trusted mechanism for doing so, it is difficult to systemically share instances of organisations or members being compromised.

In combination with the lack of a holistic and coordinated approach to respond to cyber incidents in the ecosystem, it is only a matter of time before a well-coordinated cyber attack could result in significant and widespread disruption.
Building sustainable cyber resilience

The time is now

The time to address these challenges is now. The post COVID-19 pandemic acceleration of digital initiatives in 2020, coupled with the increased options for members to interact with, and access their superannuation early, has also multiplied the nature and range of cybersecurity risks for the industry. We need to come together and collectively take responsibility in order to move forward.

The superannuation ecosystem needs an overarching strategy to combat cyber risk, which includes the following elements:
• Roles and responsibilities for building cyber resilience in the ecosystem need to be clarified;
• A basic set of standards (e.g. the Australian Cyber Security Centre (ACSC)'s Essential Eight and underpinning controls) need to be agreed upon and consistently implemented across all parts of the ecosystem. This also includes addressing legacy systems;
• A coordinated system-wide approach is needed to influence and educate member awareness and behaviour in relation to cybersecurity risks;
• A structured, safe and confidential cyber threat-sharing platform for all ecosystem participants needs to be designed and implemented; and
• A coordinated cyber response and recovery strategy needs to be developed and regularly tested.

Embracing cyber resilience may seem daunting at first, but minor actions can make major change when it comes to building a robust retirement savings system for all Australians. As an industry, we should consider the following first steps:
1. Holding a roundtable of key representatives of all entities in the ecosystem to establish a working group; and
2. Establishing the working group's terms of reference and a specific timeframe for the working group to achieve a desired and agreed outcome: an ecosystem-wide strategy and plan for cyber resilience.

Ultimately, the continual protection of members' privacy and financial wellbeing will not happen automatically. It is up to all ecosystem participants to come to terms with the systemic risks that cyber poses. We must come together to coordinate a sustainable cyber resilience strategy that ensures our superannuation ecosystem can continue to support a quality of life that both working and retired individuals in Australia deserve.
The superannuation ecosystem: A highly attractive target for cybercriminals

Sensitive member data, retirement savings and reputations are all at risk in the event of a cyber attack. It is critical to identify cyber risk events, their potential impacts and how these risks can arise across the superannuation ecosystem.

"Super is an attractive target – compared to bank accounts, day to day engagement is lower and the pace of digitisation has vastly increased the attack surface."
Industry representative

What is at risk?

Cyber resilience in the superannuation ecosystem primarily involves the protection of member data, sensitive corporate and financial data (such as investment information), and ultimately the safeguarding of members' superannuation savings. With over 24.4 million superannuation accounts and approximately $2.9 trillion in assets, the Australian superannuation system is one of the largest in the world [4]. Working and retired people in Australia are dependent on the superannuation ecosystem for their wellbeing, long-term financial stability and quality of life in their retirement years.

An evolving superannuation ecosystem and digital threat landscape introduce risks that could result in the loss of members' superannuation savings and disruption of the digital ecosystem infrastructure, potentially leading to loss of trust in the Australian superannuation ecosystem.

Cyber threats pose a system-wide risk, and could represent significant threats for superannuation members, fund managers and the entire ecosystem itself. Their risk cannot be overstated.

What are the most common cyber incidents across the superannuation ecosystem?

75% – Stolen member data used to commit fraud.
72% – Cyber incidents resulting from a third party/related party being compromised.
71% – Loss/theft of personally identifiable information, resulting in a privacy breach.
64% – System disruptions that affect business operations.
Percentage of survey respondents who advised these incidents occur often and sometimes.

What are the potential impacts of cyber risks on the superannuation ecosystem?

The impacts of cyber incidents in the superannuation ecosystem are potentially significant, as outlined below.

1. Loss of member superannuation savings

Stolen member data that is used to commit fraud was identified by survey respondents as the most common cyber incident. Cybercriminals, motivated by financial gain, leverage stolen member data or user credentials to obtain unauthorised access to online superannuation accounts. These incidents could lead to fraudulent withdrawals or transfers of members' retirement savings into forged bank accounts. As customer identification procedures are not generally performed for incoming transactions, the risk of fraudulent or suspicious activity not being detected in a timely manner is elevated.

This threat is real: recent APRA data shows that by the end of October 2020, regulated superannuation funds had reported a total of 1,703 fraudulent payments – out of a total of 4.5 million Early Release Scheme payments – to members [5]. While this remains a relatively small percentage of total withdrawals (0.04%), it illustrates that the increasingly digitised nature of super fund transactions is increasing cyber risks. Furthermore, these reported incidents represent only detected incidents among regulated entities. Given the generally low levels of member engagement with their super, it may take some time before other cyber incidents are identified. As this data does not cover non-regulated organisations in the ecosystem nor non-reported incidents, the actual number of fraudulent incidents of this nature could be higher.

Other types of incidents such as targeted attacks at accounts payable via impersonation have also occurred within the superannuation ecosystem, however these are not specific to the industry.

Organisations are also increasingly facing regulatory consequences of cyber incidents. In August 2020, the Australian Securities and Investments Commission (ASIC) filed the first-of-its-kind legal proceedings against RI Advice, an Australian financial services licensee, for failing to have adequate cybersecurity systems in place. From 1 January 2022, Section 56 of the Financial Sector Reform (Hayne Royal Commission Response) Bill 2020 concerning the extension of indemnification prohibitions will also mean that any future civil or criminal penalties can no longer be funded from member funds, creating another area of exposure for Trustees.

Further, organisations that suffer a security breach of their member data may be fined under the Privacy Act 1988 (Privacy Act) or legally required to pay compensation to individuals whose personal data was compromised. In 2020, the Australian Government announced an intention to amend the Privacy Act: the maximum penalties payable by organisations with a data security breach would be increased to the higher of either $10 million, three times the value of any benefit obtained through misuse of information, or 10% of the organisation's annual domestic turnover. Fines may limit capital for investment and could ultimately impact member experience, member returns and brand reputation.

87% of respondents agreed that the industry should collaborate to co-develop response strategies for incidents that affect multiple entities.

2. Crippled service capabilities caused by disruption of digital ecosystem infrastructure

As the ecosystem is highly networked and dependent on third (and subsequent) parties, disruptions in its digital infrastructure could affect multiple organisations across the ecosystem. The time in which to respond and the capacity to quickly contain a multi-party cyber incident may be further delayed by the lack of an industry-wide incident response plan. Considerable time may lapse before business operations and services across the supply chain are fully restored.

An outage of key networks or IT systems could disrupt critical business operations and services to members. These incidents could temporarily cripple trading and investment capabilities of investment managers, potentially resulting in lower annual member returns. Such cyber incidents could also prevent members from accessing their online accounts, changing investment options, making additional contributions, initiating rollovers or withdrawals. When these transactions are temporarily unavailable, members may miss out on market opportunities and experience delayed income streams, with negative impacts on their overall returns and erosion of trust in the system.

In 2020, an example of this type of cyber incident included the multi-day outage experienced by the New Zealand Exchange (NZX). NZX websites were impacted for several days due to a Distributed Denial of Service (DDoS) attack – an attempt to render an online service unavailable by overwhelming it with internet traffic. Trading was maintained after switching to a contingency plan, however this example shows the impact of third party incidents in an organisation, as this attack originated from offshore via NZX's network service provider [6].

Our research found a current lack of response strategies or plans to recover from cyber incidents that affect multiple organisations across the ecosystem supply chain – a serious risk to the ongoing operation and viability of the ecosystem. Moreover, 87% of survey respondents indicated that organisations should collaborate more to develop response strategies for cyber incidents that potentially affect multiple organisations in the ecosystem.

In addition to the risks identified above, there is the possibility of a cyber attack that involves the theft of a large amount of funds under management. While research participants acknowledged this could significantly impact the ecosystem, it was not deemed to be a very likely event. Further, incidents of this nature have required fraud or business process control failures in addition to cyber activity, and as a result are not a focus of this report.
3. Erosion of trust in the Australian superannuation system

To date, Australia's superannuation ecosystem has not reported a major, sector-wide incident. However, it has become increasingly clear that cyber risks pose system-wide risks which could lead to devastating impacts for the super ecosystem.
• If member trust in the system erodes and they feel unable or unwilling to rely on trustees and the other parties to protect their retirement savings and data, they may decide to stop additional contributions and rely on other investment instruments. This behaviour would eventually undermine industry growth. Members may decide to switch to a self-managed superannuation fund (SMSF) as they perceive they may have more control over their fund and data;
• Members may decide to stop using additional services in the superannuation ecosystem, such as insurance products and financial advice, in fear that their information is not well protected. Again, such behaviour could thwart growth prospects in the superannuation industry;
• Businesses across the ecosystem may find it harder to trust third parties to securely process and protect member data on their behalf. This would make it harder for these organisations to find trustworthy service providers, which could impact their operations, and ultimately member experience; and
• Government may lose confidence in the superannuation industry's ability to deliver what it was originally tasked to do – protect and grow the retirement savings of workers in Australia. That could impact policy settings and, in the longer term, the operating model of the superannuation ecosystem.

Cyber incidents can have significant operational, financial and reputational impacts on not only businesses and members, but also the Australian superannuation system itself. The Australian Government also recognises this in its Security Legislation Amendment (Critical Infrastructure) Bill 2020, which seeks to expand the range of critical infrastructure entities that are protected to, among others, financial services and markets, data storage or processing entities, and health care and medical entities. As the number of cyber threats and incidents increases, now is the time to act and build a cyber resilient superannuation ecosystem.

How are cyber risks introduced into the superannuation ecosystem?

A variety of cyber threats for the super ecosystem can lead to the cyber incidents discussed earlier. Our research identified that phishing emails, identity theft, human error and malware (e.g. ransomware) are among the most commonly noted threats in the ecosystem. Some of these threats are on the rise and becoming more sophisticated. The ACSC reported that in the last year, ransomware incidents had significantly increased and are expected to continue increasing [7]. Phishing emails are becoming increasingly sophisticated and convincing, replicating messages from reputable senders and targeting individuals with access to highly sensitive personal or financial data.

Cybercriminals exploit vulnerabilities, such as weak access controls, unpatched software and open ports, to not only access systems holding sensitive data but also gain unauthorised access to member accounts, allowing them to make fraudulent rollover or withdrawal requests. According to the ACSC, many of the techniques used by cybercriminals to compromise sensitive personal and financial data can be mitigated through simple measures, such as not responding to unsolicited emails and text messages, and implementing stronger authentication mechanisms (e.g. multi-factor authentication) [8].

What are the most common cyber threats across the superannuation ecosystem?

82% – Phishing emails.
56% – Identity theft/impersonation.
55% – Human error/negligence.
46% – Malware (computer viruses, ransomware, etc.).
Percentage of survey respondents who advised these threats occur often.

"Phishing is still our biggest attack – looking for staff and member credentials."
Retail super fund representative
An increasingly targeted ecosystem

Why is the superannuation ecosystem increasingly targeted?
• The size of the industry's membership and assets make it an attractive target: The main assets targeted are confidential member data, with the ultimate aim of stealing members' retirement savings. With 24.4 million superannuation accounts and $2.9 trillion in assets (one of the largest in the world) [9], the Australian superannuation ecosystem is a highly attractive environment for cybercriminals. In addition, increasing digitisation and interconnectivity of services expand the ecosystem's cyber threat environment;
• Superannuation members are historically less likely to monitor their superannuation accounts compared to, for example, a transactional banking account. This decreases member likelihood of identifying and reporting unusual account activity. More than half (54%) of survey respondents indicated that members' infrequent checking of their accounts is one of the main drivers of cyber risk in superannuation. Malicious actors prefer to target environments in which their actions are less likely to attract notice; and
• Cybercriminals are becoming increasingly sophisticated. The primary motivation of cyber threat actors is to steal individuals' personal and financial information with the aim of generating profit [10]. These actors are becoming increasingly sophisticated. Hacking tools, playbooks and cybercrime-as-service products are becoming readily available through underground black markets (often referred to as darknet marketplaces). As a result, illicit tools, services and stolen data are accessible and, in many cases, minimal technical expertise is needed to launch cyber attacks.

In addition to the above factors, the unique characteristics of the superannuation ecosystem also add a layer of challenges for effectively managing cybersecurity risk – we examine these challenges next.
A unique, sizeable, dynamic and highly networked ecosystem

The Australian superannuation ecosystem is one of a kind, highly networked and dynamic. It continues to evolve as it matures and regulation changes. Understanding its intricacies is a critical starting point for building cyber resilience.

Unique

The 2020 Retirement Income Review highlighted that Australia's pension system is unique compared to that of other countries [11]. Locally, our superannuation system is based on compulsory, privately managed funds with a large number of participants who are highly interconnected.

Sizeable

Superannuation funds are diverse, varying in size, complexity and target market. In addition, there is a high level of involvement of third parties who work on behalf of employers, members and funds.

Highly networked

Since the introduction of the superannuation guarantee in the early 1990s, the ecosystem continues to evolve in response to changes in its environment. In 2010, the Super System Review (Cooper Review) identified that the 'back office' of the superannuation industry was based on highly manual transactions and lacked industry data standards, inhibiting efficient processing of member accounts [12]. With the implementation of the SuperStream government package, the ecosystem now has a faster and digitised 'back office' environment compared to that in 2010. Examples of key SuperStream and associated reforms include the introduction of the Superannuation Data and Payment Standards in 2012 and the creation of the Superannuation Transaction Network in 2013 to transport contributions and rollovers between employers and superannuation funds. The STN currently processes approximately 165 million transactions per year [13].

Key figures:
$2.9 trillion in assets, one of the largest in the world. Of this total, 0.7 trillion are held by SMSFs [14].
165M transactions per year processed by gateway providers [15].
24.4M member accounts [16].
+880K employers [17].
+593K SMSFs [18].
1605 small APRA funds [19].
Dynamic

Moreover, the superannuation ecosystem structure is in a constant state of flux. Regulatory focus on fund performance has driven various funds and trustees to merge or consolidate. The 1,511 superannuation organisations in 2004 had decreased to 207 in 2019 [20].

Because of the economic impacts of the COVID-19 pandemic, in 2020 the Australian Government introduced changes that would allow eligible individuals to access their superannuation retirement savings earlier (as opposed to preservation age). From inception of this scheme on 20 April to 20 December, 3.4 million applications (one application could come from one or more members) were received and a total of $35.9 billion in payments were made – 44% of the applications were processed within 1–3 business days [21]. These figures show how quick the transactions were, with minimal time for detection and recovery of lost funds in the event of fraudulent activity.

Increased connectivity and engagement of superannuation organisations with third parties add entry points for threat actors and introduce additional complexity to securing the environment and building trust in the network. Other emerging conditions, such as the introduction of the New Payments Platform, Open Banking and the Consumer Data Right Rules, will continue to drive changes to how the ecosystem operates and the participants interact, and will potentially affect the ecosystem's overall cyber risk profile. With the expansion of digitisation, a data governance strategy and a secure framework for the use of open Application Programming Interfaces will be needed.

Key figures:
+300 payroll providers [22].
101 retail funds [23].
35 industry funds [24].
25 pooled superannuation trusts [25].
19 public sector funds [26].
17 corporate funds [27].
11 custodians [28].
9 gateway operators [29].
2 major administrators.
A fragmented yet evolving regulatory landscape

What could be improved in existing regulatory frameworks and standards to enhance cyber resilience in the superannuation industry?

The role of regulators is critical to building trust and cyber resilience. Is the current regulatory approach optimal for safeguarding the retirement savings of more than 24.4 million member accounts30?

Industry research suggests that Australian regulation of the superannuation ecosystem in relation to cyber is still evolving, with considerable room for improvement in areas such as clarifying roles, reducing overlap of responsibilities and reflecting current priorities31.

Responsibility for governance of the Australian superannuation ecosystem is fragmented across multiple regulators. There are three main regulators: APRA, ASIC and the ATO. In addition, other entities, such as the Treasury, the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the GNGB regulate specific aspects of the ecosystem. The focus of the three main regulators (APRA, ASIC, ATO) is on particular outcomes across the financial system, not just superannuation. From a cybersecurity perspective, there is currently no single regulator responsible for governing cyber resilience across the superannuation ecosystem.

There are siloed and inconsistent cyber-regulatory expectations of entities across the superannuation ecosystem. APRA-regulated entities, such as funds, insurers and banks, must comply with CPS 234. However, a large number of organisations and funds in the superannuation ecosystem, such as SMSFs, are not regulated by APRA, nor are they required to have cybersecurity controls in place. SMSFs, for example, are not regulated by APRA and, as of June 2019, collectively represent 26% of all super assets under management32. Between 2015 and 2020, the number of SMSF accounts increased by 11.2 percent, and the number of APRA-regulated funds decreased by 28.5 percent33. The approach of focusing on bigger players and making individual organisations accountable for their own environments is no longer sufficient in a networked, co-dependent ecosystem.

In addition, even where standards exist for regulated entities, these are often principles based, leading to inconsistent interpretation and application across organisations.

Introduced requirements, such as APRA’s CPS 234 Information Security Standard and the updated ATO DSP Operational Framework (for organisations who have digital interaction with the ATO), are meaningful strides towards closing the gap between superannuation regulation and digital reality. However, there is work to do to drive effective end-to-end cyber resilience and to adopt a consistent, sustainable approach for all players in the ecosystem. Currently there are no specific requirements or clear guidance on areas such as managing cyber risk associated with third parties, cloud security, or cyber risk identification and quantification. Finally, a large number of small- to medium-sized organisations, such as employers or those providing services to employers, are not required to meet cybersecurity standards and/or may lack guidance specific to their role in the ecosystem.

“CPS 234 has been a benefit in focusing attention and budgets but compliance does not mean you are secure. To be secure, there are a core set of tasks, no matter how big you are.” – Industry super fund representative

Is the current regulatory approach optimal? Survey findings:
• 92% of respondents agreed that minimum common cybersecurity control baseline standards should be introduced industry-wide.
• 85% of respondents agreed that existing frameworks and standards should be aligned and streamlined.
• 75% of respondents agreed that frameworks and standards should be tailored to address industry specific development and threats.

The timeline below provides an indicative list of the key legislation, regulatory requirements and guidelines on cybersecurity applicable to the superannuation ecosystem. Note that the information in the timeline is not exhaustive.

We understand that APRA is in the process of harmonising and consolidating some of its current prudential standards into cross-industry standards which will be applicable to superannuation.

Regulatory timeline in the superannuation ecosystem (a strategy for cybersecurity in the Australian superannuation ecosystem; items listed in the order shown on the diagram, which runs from 2012 to 2021 onwards):

2012
• APRA SPS 220 Risk Management, SPS 231 Outsourcing, SPS 232 Business Continuity: a range of principles-based requirements on the design and model of risk management (including cyber risk), outsourcing and business continuity practices.
• Superannuation Data and Payment Standards 2012: requirements pertaining to the transfer of messages and payments for employers and trustees of APRA-regulated superannuation funds and SMSFs.
• Stronger Super Legislation: introduced a package of reforms in superannuation, such as the Superannuation Data and Payments Standards 2012 and the Superannuation Transaction Network.

2013
• APRA CPG 235 Managing Data Risk: aims to assist regulated entities in managing data risk.

2014
• Superannuation Transaction Network (STN) Process and Requirements for Gateway Operators: requirements for new Gateway Operators to operate in the STN, including security requirements.

2015 to 2021 onwards
• AUSTRAC Money Laundering and Terrorism Financing (ML/TF) Risk Assessment and Guidance: ML/TF risk (including cyber crime risk) for the superannuation sector was assessed from Low to Medium. Subsequently, guidance was issued in 2020.
• Office of the Australian Information Commissioner Notifiable Data Breach (NDB) Scheme: requires notification when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.
• ACSC’s Essential Eight Mitigation Strategies for Cyber Incidents: formerly the Essential Four. A recommended list of baseline mitigation strategies to assist in protecting systems against a range of adversaries.
• APRA CPS 234 Information Security: information security principles aimed at protecting data.
• APRA Guidance on Outsourcing Involving Cloud Computing Services: prudential considerations and key principles when adopting the use of cloud computing services. It was introduced in 2015, and last updated in 2018.
• ATO Digital Service Provider Operational Framework: seeks to protect superannuation related information as well as the integrity of the superannuation systems. It was last updated in January 2020.
• ASIC Cyber Resilience Good Practices: guidelines to improve cyber resilience, including for those operating in superannuation.
• Security Legislation Amendment (Critical Infrastructure) Draft Bill: seeks to expand the scope of the Security of Critical Infrastructure Act to include superannuation.

The unique characteristics of the Australian superannuation ecosystem distinguish it from other retirement systems overseas and from other industry sectors. In some countries, such as Singapore, the national government manages the retirement savings of all workers through a single national fund. In contrast, the Australian superannuation ecosystem is sizeable, dynamic, highly networked and governed by multiple regulators. However, although there is no other system that is directly
comparable, the learnings of other industries like the Australian energy sector may be applicable to the superannuation context.

Learning from the Australian energy sector

In 2018, industry and government stakeholders collaborated to develop a tailored cybersecurity framework for the Australian energy sector: the Australian Energy Sector Cyber Security Framework (AESCSF). The framework was a response to the recommendations from the 2017 Finkel Review Report (Independent Review into the Future Security of the National Electricity Market: Blueprint for the Future), which recommended the following to enhance cyber resilience in the energy sector:
• An assessment of the cyber maturity of all energy market participants to identify and understand vulnerabilities;
• A stocktake of current regulatory procedures to ensure their sufficiency for potential cyber incidents in the National Electricity Market;
• An assessment of the Australian Energy Market Operator’s (AEMO’s) cybersecurity capabilities and third party testing; and
• An update from all energy market participants on how they undertake routine testing and assessment of cybersecurity awareness and detection, including requirements for employee training before accessing key systems.

The AESCSF provides a basis for energy sector participants to assess, in a standardised manner, their current state of cybersecurity capability and maturity. It also empowers participants to make informed decisions about what they need to do to become cyber resilient34. The framework is based on recognised industry standards, such as the National Institute of Standards and Technology’s Cyber Security Framework (NIST CSF), ISO/IEC 27001 and Australian-specific control references, such as the ACSC’s Essential Eight Strategies to Mitigate Cyber Security Incidents, the Australian Privacy Principles, and the NDB scheme.

The AESCSF has provided sector-wide visibility of the overall state of cybersecurity maturity across the energy sector, enabling the facilitation of coordinated efforts to better protect critical energy assets across Australia. In light of recently announced reforms to the Security of Critical Infrastructure Act, the AESCSF provides a leading example of a coordinated sector-wide effort, with collaboration across Government and Industry, to drive the cybersecurity agenda forward.

AESCSF Journey Overview (summary of activities performed):
• Establish: established AEMO response team; established Cyber Security Industry Working Group (CSIWG).
• Develop: stocktake of Market Rules; developed Criticality Assessment Tool; developed AESCSF.
• Engage: engaged 145 CEOs; held 10 education workshops; 815 downloads of framework artefacts.
• Self-assessments against framework: 17 facilitated self-assessments; 46 self-assessments.
• Report and next steps: prepare reports; define next steps.
Key players in the superannuation ecosystem

The superannuation ecosystem consists of a large number of organisations, from some of the largest financial institutions in the country to over 880,000 employer organisations, some of which are micro businesses in size. Accountants, bookkeepers, clearing houses, gateways, administrators and more make up the data supply chain. The diagram below provides an overview of the key players, including the main regulatory bodies, and illustrates the highly networked environment and the many possible integration points that comprise the ecosystem. In such a complex and interconnected ecosystem, each organisation is a potential source of cyber vulnerabilities that can be introduced via a multitude of pathways. It is critical that all participants in this ecosystem play a part in collectively building cyber resilience across the ecosystem.

[Diagram: Superannuation ecosystem]
• Key superannuation industry regulatory / governance bodies: ATO, APRA, ASIC, Treasury, GNGB.
• Flows shown: employers report employees’ tax and super information to the ATO; the ATO provides services, which may include validation services and the SuperMatch service; funds report information to APRA and to the ATO; members may make voluntary contributions, may choose a fund, and receive retirement benefits.
• Core participants: Members; Employers; Clearing houses; Trustees; Funds (public sector, industry, retail, corporate, SMSFs).
• Parties that participants may involve, marked on the diagram as APRA regulated, ATO regulated or otherwise regulated: Payroll providers; Clearing houses; Gateway operators; Technology providers; Financial advisors; Tax agents; Promoters / Distributors; Audit and accounting firms; Insurers.
• Services a fund may outsource: Member experience; Operations; Investment; Money transfer; Claims processing. Providers of these services: Administrators; Distributors; Investment managers; Gateway operators; Custodians; Audit, accounting and tax firms; Technology services; Insurers; Actuaries.
• Legend: Superannuation ecosystem participant; Fourth parties; Main supervisor / regulator (ATO, ASIC, APRA, GNGB).
Superannuation ecosystem - supporting notes

• Employers are required to pay the Superannuation Guarantee (SG) for eligible employees. To facilitate the payment of SG obligations to employee-nominated super funds, employers may engage third parties, such as payroll providers and clearing houses;
• Members receive their SG benefits from a superannuation fund, which may be selected by them or their employer. Members can make additional contributions to their superannuation fund either via their employers or directly into the fund. A superannuation member can generally access their fund once they reach retirement age. However, under certain circumstances some eligible members may withdraw some of their funds earlier (e.g. as a result of the Early Release Scheme implemented during the COVID-19 pandemic in 2020);
• If not selected by a member, a default ‘MySuper’ product and death and permanent disability insurance provider is selected via the employer;
• In Australia, superannuation funds operate under a trustee model in which the trustee has the ultimate responsibility for and the obligation to manage and protect their members’ assets. There are three main types of funds that may be managed: Exempt Public Sector Superannuation Schemes (EPSSSs), APRA-regulated funds or SMSFs. APRA-regulated funds can be segmented in many ways but are generally classified into four types: public sector funds, industry funds, retail funds and corporate funds. Management of superannuation funds may involve third party services, such as administrators, distributors and investment managers; and
• The ATO plays a supervisory as well as operational role in the superannuation ecosystem. The ATO provides services, such as digital validation services. The ATO also offers a free clearing house service for small business employers.
A way forward: An industry, organisational and member approach to managing cyber risks

Cybersecurity is everyone’s responsibility and, as such, everyone in the ecosystem has a role to play in addressing these challenges. In this section we describe the main challenges identified in our research and outline calls to action for consideration.

Challenge one: A lack of system accountability and cyber risk leadership

There is a lack of accountability for end-to-end cybersecurity resilience across the Australian superannuation system. Due to the ecosystem’s complexity and highly networked environment, organisations, third parties and members do not always clearly understand their responsibilities.

Each organisation is ultimately accountable for their own environments and data (including the data managed by their service providers). Boards, in particular, are expected to demonstrate accountability for cybersecurity. There is an urgent need for cyber leadership with a good understanding of cyber threats and of the importance of prioritising cybersecurity.

Importantly, members don’t often adopt behaviours to protect their money and data. Our research showed that individuals have an important role to play when it comes to cybersecurity. However, more education is needed to help them understand the ways in which cyber threats could compromise their personal information and retirement savings, and safeguard their future in the process (also refer to Challenge Three).

“...Too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps35.” – Geoff Summerhayes, APRA Executive Board Member

Survey findings:
• 72% of respondents indicated the ecosystem should work together to clarify accountabilities and responsibilities related to managing cyber risk.
• 62% of survey respondents highlighted that limited understanding of cyber risk in senior management is a limitation for managing cyber risks. Leaders need to be able to drive a cyber risk–aware culture.
• 55% of respondents agreed that there are unclear contractual requirements or expectations among related parties in relation to managing cyber risk.

Calls to action: Clarify roles and responsibilities to build cyber resilience

Industry leaders (Government agencies, regulators and industry bodies that together govern the superannuation ecosystem). Key considerations:
• Define a framework that helps organisations in the system to clarify cybersecurity roles and responsibilities, which would inform a system-wide strategy for building resilience and a response to cybersecurity risks (e.g. define an ecosystem-wide responsibility assignment matrix or RACI); and
• Define a consistent and practical approach to help those in the superannuation ecosystem to address third party security risks.

Organisational leaders (Business leaders of organisations that participate in the superannuation ecosystem, including employers and organisations that provide services). Key considerations:
• Upskill on cybersecurity, drive a cyber risk–aware culture and commit resources to maintain a secure environment and protect their members;
• Take responsibility for implementing and maintaining secure products and services, and protecting sensitive data (e.g. personal data of members/employees);
• Assess and manage cybersecurity risks when selecting service providers; and
• Understand where critical information assets sit, and their key threats and risks, including information assets and controls managed by third parties or related parties.

Members / individuals (Superannuation members, employees and individuals who participate in the superannuation ecosystem). Key considerations:
• Take accountability for their own data security and practise secure online behaviours, including (but not limited to):
  • Limiting the amount of personal information shared online or with unknown people and organisations;
  • Being suspicious of any requests for personal information or money transfers; and
  • Recognising and reporting cyber incidents.
Challenge two: Inconsistent cybersecurity capabilities

The superannuation ecosystem consists of a variety of organisations of different sizes and complexity. Organisations with weak cybersecurity capabilities are particularly vulnerable, ultimately posing a safety risk for the rest of the ecosystem. Some participants in the ecosystem, such as smaller payroll providers, financial advisers and SMSFs, have very basic capabilities, while others – like banks and global administrators – have specialised resources and more sophisticated processes and tools. In the 2020 ACSC Small Businesses Survey, almost half of the Australian small and medium business respondents rated their cybersecurity understanding as ‘average’ or ‘below average’ and had poor cybersecurity practices36.

In addition, competing business priorities in small- and medium-sized businesses represent a barrier to prioritising time and resources to address the risk of cyber threats.

The lack of a requirement for a common minimum baseline of cyber controls also leads to inconsistent practices. While CPS 234 extends to the third and related parties of APRA-regulated entities, it does not extend to all organisations in the ecosystem and fourth parties. Non-APRA-regulated entities, such as tax agents and payroll providers, may engage with other third parties who are not required to comply with any specific cybersecurity requirements. In addition, various employer organisations, who send superannuation data and money into the ecosystem, are not subject to baseline security requirements.

“(The) number one (focus area) is to establish a baseline of cyber controls by reinforcing the embedding of non-negotiable cyber practices, facilitating better sharing of cyber information and enabling more effective incident response processes. It’s close to 18 months since CPS 234 came into effect, and we are still seeing too many basic cyber hygiene issues across the industry37.” – Geoff Summerhayes, APRA Executive Board Member

Business leaders need to place cybersecurity at the forefront of their business strategy. Our research shows allocation of resources to mitigate cyber risks has started to increase – this needs to continue at pace.

Cybersecurity is not normally a key consideration for members, as they often select funds based on performance and/or fees. Therefore, funds do not often see cybersecurity as a focus or competitive differentiator.

Calls to action: The ecosystem needs to get the basics right

Industry leaders (Government agencies, regulators and industry bodies that together govern the superannuation ecosystem). Key considerations:
• Define a minimum and common baseline of cybersecurity controls ecosystem-wide, in consultation with all stakeholders, that are:
  • Clear and specific; and
  • Practical for organisations of different size and complexity to implement.
  Examples can be obtained from frameworks used in other industries, such as the AESCSF or the Australian Government’s Strategies to Mitigate Cyber Security Incidents (including the Essential Eight mitigation strategies)38.
• Enforce and monitor industry adherence through a defined mechanism (e.g. attestation or certification process).
Note: The 2020 Australia’s Cyber Security Strategy will prioritise support for small- to medium-sized enterprises through a number of initiatives, including the ACSC Small Business Cyber Security Guide, ACSC-produced Step-by-Step Guides and Quick Wins for Small Business39.

Organisational leaders (Business leaders of organisations that participate in the superannuation ecosystem, including employers and organisations that provide services). Key considerations:
• Place cybersecurity at the forefront of business strategy;
• Plan for skilled resources, processes and tools to meet requirements for baseline controls;
• Monitor the operating effectiveness of baseline controls across the business network; and
• Assess your third parties’ adherence to baseline controls.

Members / individuals (Superannuation members, employees and individuals who participate in the superannuation ecosystem). Key considerations:
• Ask service providers how they are protecting your data and consider cybersecurity risks when selecting your service provider (e.g. privacy protection and security features, such as Multi-Factor Authentication (MFA) and transaction notifications);
• Protect your electronic devices and information by following the latest advice from relevant trusted sources, such as the ACSC and Scamwatch. At a minimum:
  • Use strong, unique passwords online and enable MFA;
  • Keep software up to date by installing the latest patches (e.g. operating systems, web browsers and plugins like Java); and
  • Don’t access/provide sensitive information (e.g. access online banking or a superannuation account, or make credit card payments) when using public computers or accessing public wi-fi.
Challenge three: Low levels of cyber awareness

Research shows individuals are often considered the weakest link in managing cyber risk. If cyber resilience across the ecosystem is to be strengthened, all individuals, especially members, need to be educated about cyber risks and potential impacts on their retirement savings.

More than half of our survey respondents (54%) indicated that members infrequently checking their accounts is a main factor that drives cyber risk. By design, superannuation members engage with their superannuation accounts less frequently than they do with their bank accounts; that is, mostly until they near retirement age. In addition, some features, such as MySuper and insurance protection, are selected by default, so there is little incentive for members to make considered choices and understand their implications. The lack of understanding about super and the lack of interaction with superannuation accounts affects the timely identification of illicit or erroneous activity.

Accountability for the compensation of financial loss from unauthorised access to a member’s retirement savings is currently unclear and determined on a case-by-case basis. Clarity is needed on who is responsible when compromised credentials are used to access a member’s account without authorisation. Members need to be made aware that they are responsible for keeping their information and credentials confidential. They should also be made aware that when their retirement savings are stolen, they may not be reimbursed in all circumstances.

Moreover, some members are unaware of cyber risks and basic cyber hygiene practices, such as the enablement of multi-factor authentication and the use of strong and unique passwords.

Calls to action: Influence members’ cyber awareness, education and practices

Industry leaders (Government agencies, regulators and industry bodies that together govern the superannuation ecosystem). Key considerations:
• Collaborate to design and deliver cyber awareness and education campaigns targeted at members.

Organisational leaders (Business leaders of organisations that participate in the superannuation ecosystem, including employers and organisations that provide services). Key considerations:
• Collaborate on cyber awareness campaigns and cyber education plans for all individuals in the ecosystem, including members;
• Implement strong authentication techniques, such as multi-factor authentication;
• Prompt members to enable strong security settings through their online portal or application features; and
• Communicate to members the potential cyber risks and threats through different distribution channels, such as email communications, application notifications and call centre interactions.

Members / individuals (Superannuation members, employees and individuals who participate in the superannuation ecosystem). Key considerations:
• Know where to go for information about cyber threats: refer to available online resources, such as the ACSC website, to learn about:
  • Cyber threats and risks;
  • How to better protect your personal and financial information online; and
  • How to report a suspicious event (e.g. scam, phishing, identity theft).