The cyber security threat landscape is becoming more sophisticated while the attack surface continues to broaden. The evolution of technology has created significant space for innovation and efficiency in the workplace, but the same innovation has also opened huge opportunities for cyber attackers, including less skilled ones, to use advanced techniques and tools to compromise systems and cause devastating impacts on business operations and reputations. This heightened cyber risk is especially pertinent to the superannuation industry, which is caretaker for vast amounts of personal data and as an industry holds more than $3.3 trillion in member assets.
In addition to this changing and intensifying cyber threat, the superannuation industry is also juggling a complex and evolving technology, business and regulatory environment, which includes a high level of market consolidation activity.
One of the most significant regulatory changes for superannuation trustees has been the introduction of the Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 230 – Operational Risk Management. CPS 230 expects superannuation trustees to meet enhanced requirements for the management of operational risk, business continuity, and service providers. Together with CPS 234, the related prudential standard on Information Security, it forms APRA’s proposed new operational resilience framework for the financial services institutions it regulates.
To meet these revised operational resilience requirements and the broader threat challenges, it is imperative that superannuation trustees review their cyber security frameworks as they relate to internal operations and to third- and fourth-party service providers. Frameworks need to ensure the robust and sustainable management of cyber risks, not only as they relate to the superannuation organisation but also as they relate to the strategic outcomes for superannuation members.
Without an earnest shift in focus to what is important – having cyber security capabilities that align with their business’ risk appetite and fulfil their regulatory obligations – superannuation trustees face the very real risk of financial and reputational loss.
In this paper we examine some of these key changes and the security challenges the superannuation industry is facing. Drawing on lessons learnt from recent incidents, we propose steps organisations can take to better protect themselves and the financial interests of their members.