Custodians have key role to play preventing cyber-attacks: ACSA
As the recent cyber-attacks on some of Australia’s largest super funds have highlighted, this nefarious activity will be just one of many challenges facing superannuation funds and their custodians in the coming decade.
The sheer size of the nation’s retirement savings pool – at December 31, 2024, it totalled $4.2 trillion – is proving attractive to scammers who are using increasingly sophisticated technology to access this large pool of funds.
“The custodians certainly see that this is an issue across all aspects of the superannuation administration because there is so much data that flows around the industry,” Australian Custodial Services Association (ACSA) chief executive officer, David Travers, told Investor Strategy News.
There have been attempts to access superannuation funds in the past but via less sophisticated means than are available now. Travers says that what hackers can now do with AI and machine learning just makes it so much easier for large-scale attacks.
“It certainly reinforces the need for any part of the transaction process in a super fund, whether that’s the custodian, the investment manager or the administrators, to be vigilant. There’s a whole lot of touch points that need to be secured with the appropriate security protocols in place,” he says.
Travers says the recent cyber-attacks will draw more scrutiny from the regulator. “[For] super funds, as they’re looking at their operational resilience obligations, cyber is a big part of that, and we’ve seen APRA come out and make pronouncements around the importance of data security and cyber arrangements for the funds,” he says.
Most custodian banks are global operations with thousands of people working in their cyber-security departments, and they can pass that knowledge on to superannuation funds that are nowhere near that size.
“There’s experience and expertise that the custodians can bring to help the funds on that journey … some of the local Australian asset managers can learn and benefit from what the custodians can bring to the table in that respect,” Travers says.
While AI has the potential to help funds streamline processes, he points out that it is also one of the most important tools for cyber-criminals.
“AI can certainly help the custodian improve the way that it delivers products faster than it has before. It can identify exceptions quicker than it has before,” he says.
“There are still manual processes out there that are historical, and [AI] is something that can still be used to try to get efficiency around that. There’s both product and efficiency opportunities that come with AI for custodians and administration providers, but that cyber piece really needs to be strong.”
As well as ongoing challenges around cyber-security, super funds and their custodians are dealing with the regulatory requirements of the CPS 230 Operational Risk Management standard and the ongoing saga of CHESS replacement, which is years behind schedule (through no fault of the custodians).
“The key areas of regulatory change [custodians] are dealing with is risk and resiliency, and that really is around CPS 230 and looking at how the custodians can help superannuation funds meet their operational resilience obligations under those guidelines,” Travers says.
“We have issued some guidance, which is on our website, which is around critical operations, we’ve issued some guidance on tolerance-level setting and also on oversight arrangements.”
Depending on their size and structure, organisations will need to start reporting to APRA around the CPS 230 requirements from July. Also on ACSA’s radar is some recently issued ASIC guidance on digital asset licensing.
“That’s certainly something that’s of interest to custodians, as is future guidance that might come out around tokenisation of assets and how they should be properly regulated and administered. When we think about tokenisation and digital assets, we often go straight to Bitcoin but there’s a whole lot more to it than just Bitcoin.”
For superannuation funds, distributed-ledger-type technology might be involved in private equity or carbon trading schemes.
“Effectively, what ASIC has done is said if you got a custody licence, you could hold digital assets, but if you want to just hold digital assets, you just want to set up a business around that, you’ve got to meet all the existing licensing requirements that a custodian would have. So, there are no special categories that they’re putting in place.”
Travers says that, as an advocacy body, ACSA’s role is often about assisting regulators with the implementation of what they’re asking funds to do, or with the practicality of providing the data they might be requesting. In the case of regulatory data, for example, the regulators might request a particular type of derivative valuation that the custody platforms do not produce.
“But there might be five other data elements that we can give them that would have the same results. So that’s the sort of work that we do with the government to bring reality to what it’s trying to do,” he says.
The CHESS replacement saga remains an issue for custodians and superannuation funds. Now over a decade behind schedule and still causing problems, as evidenced by the ASX outage late last year, a replacement for the ageing system that manages the settlement of share transactions still has five years to run on its program.
“T+1 is going to happen at the end of the CHESS replacement. So that’s another 12 to 18 months of project work that needs to be done after that. And the government is also considering what it does in relation to central bond clearing, because the US is going to a central bond clearing model, and the government here is thinking about that,” Travers said.