Bigger isn’t always better when it comes to member services. Megafunds might be able to mass customise, but when you’ve got two million members it’s tough to bring the personal touch.
The famous and closely watched US endowment model took a hit in FY23, with smaller, equity-heavy investors taking the lead. But the longer-term superiority of a chunkier exposure to alternatives remains unchallenged.
APRA takes stock and issues stark warning in the middle of cyber security study
APRA has issued a warning to banks, insurers and superannuation trustees that it is taking notice of cyber-security laggards as it reaches the mid-point of a landmark study into entities’ readiness for online threats.
The regulator says it is “rigorously targeting” areas of non-compliance after assessing 24 per cent of its regulated entities and finding seven “common control gaps”.
These areas of compliance fallibility include “incomplete identification and classification”, shortfalls in the assessment of security levels at third party providers and the “inadequate definition and execution” of control testing programs.
APRA also took issue with poor incident response plans, limited information security control reviews and “inconsistent reporting of material incidents”.
The regulator’s study into cyber security comes after PwC, in partnership with Gateway Network Governance Body, released a 2021 report calling for a collaborative approach to combative cyber threats in the super system, after $30 billion was lost by Australian businesses to cyber attacks in the preceding year.
In May 2022, Spirit Super (shortly after the merged entity was created out of Tasplan and MTAA Super) reported 50,000 members were hit by a data breach in the form of a phishing attack.
One of PwC’s key findings was that no one entity is clearly responsible for cybersecurity oversight in superannuation.
“There is a lack of accountability and cyber risk leadership for end to-end cyber resilience of the ecosystem,” the PwC report stated. “While there are a number of regulators in the ecosystem, each has a different area of focus and none has ultimate or overall accountability.”
There was also no “common standard” for cybersecurity, PwC noted, and lower cybersecurity engagement among superannuation fund members, who didn’t interact with their fund often.
“In combination with the lack of a holistic and coordinated approach to respond to cyber incidents in the ecosystem, it is only a matter of time before a well-coordinated cyber attack could result in significant and widespread disruption,” PwC warned.
In response APRA has spoken to 300 banks, insurers and superannuation trustees as part of its cyber security audit. The second and third tranches of its assessment are currently being undertaken, while the fourth and final tranche of insights is due to be rolled out before the end of the year.
Meanwhile, the regulator has put funds and large entities on notice.
“APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.”
