Since the emergence of “Modern Portfolio Theory” and the “Capital Asset Pricing Model” in the late 1960s, institutional investors have taken a quantitatively driven approach to portfolio construction, looking to create portfolio diversification and obtain better risk-adjusted returns by balancing their asset-class exposures. This journey has seen several important advancements in thinking about how to optimally achieve desired results.
Funds that want to take the total portfolio approach first need to get the total portfolio view. To do that they not only need data – and lots of it – but a rock-solid understanding of exactly how they’re going to use it.
APRA takes stock and issues stark warning in the middle of cyber security study
APRA has issued a warning to banks, insurers and superannuation trustees that it is taking notice of cyber-security laggards as it reaches the mid-point of a landmark study into entities’ readiness for online threats.
The regulator says it is “rigorously targeting” areas of non-compliance after assessing 24 per cent of its regulated entities and finding seven “common control gaps”.
These areas of compliance fallibility include “incomplete identification and classification”, shortfalls in the assessment of security levels at third party providers and the “inadequate definition and execution” of control testing programs.
APRA also took issue with poor incident response plans, limited information security control reviews and “inconsistent reporting of material incidents”.
The regulator’s study into cyber security comes after PwC, in partnership with Gateway Network Governance Body, released a 2021 report calling for a collaborative approach to combative cyber threats in the super system, after $30 billion was lost by Australian businesses to cyber attacks in the preceding year.
In May 2022, Spirit Super (shortly after the merged entity was created out of Tasplan and MTAA Super) reported 50,000 members were hit by a data breach in the form of a phishing attack.
One of PwC’s key findings was that no one entity is clearly responsible for cybersecurity oversight in superannuation.
“There is a lack of accountability and cyber risk leadership for end to-end cyber resilience of the ecosystem,” the PwC report stated. “While there are a number of regulators in the ecosystem, each has a different area of focus and none has ultimate or overall accountability.”
There was also no “common standard” for cybersecurity, PwC noted, and lower cybersecurity engagement among superannuation fund members, who didn’t interact with their fund often.
“In combination with the lack of a holistic and coordinated approach to respond to cyber incidents in the ecosystem, it is only a matter of time before a well-coordinated cyber attack could result in significant and widespread disruption,” PwC warned.
In response APRA has spoken to 300 banks, insurers and superannuation trustees as part of its cyber security audit. The second and third tranches of its assessment are currently being undertaken, while the fourth and final tranche of insights is due to be rolled out before the end of the year.
Meanwhile, the regulator has put funds and large entities on notice.
“APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.”
