‘Reputation is the first casualty’: ACSA warns on cyber risk for super funds, custodians
The Australian Custodial Services Association (ACSA) has issued a warning to custodians and super funds alike on the dangers of cyber-attacks, telling them that they need to construct powerful defences against them and be prepared to rebuild their reputation if those defences fail.
“Superannuation is the main source of retirement income for many people,” J.P. Morgan’s Ugur Keskin said in the report. “You’re impacting their lives if systems are offline and they can’t access their funds, or if a custodian can’t issue an accurate net asset valuation.”
But those defences don’t need to be extraordinarily sophisticated to succeed. Humans are the “primary attack vector” for an organisation; data suggests that 88 per cent of attacks enter through internal staff, and a survey of 50 countries cited in the report found that 103 million people use “123456” as a password, which takes hackers “less than a second to crack”. Solving vulnerabilities like that can save hundreds of millions on security technology investment, but getting people to understand how easily a breach occurs is “remarkably challenging”.
“It’s a link,” said Steven Locke, Northern Trust global chief information security officer. “You click on it and game over. I’ve said that for the last 20 years, and people are still surprised.”
Beyond addressing vulnerabilities in their security, big institutions need to keep an eye on how they publicly respond to a cyber-attack. If they mishandle it, they can see continued disruption and enormous lost value from customer relationships and contract revenue. For super and custodial institutions to which stakeholders entrust their assets and personal data, reputational damage from a breach could be “shattering”.
“In addition to financial loss and reputational damage, diminished goodwill has the most detrimental impact from a cyber breach – and can take years to recover from,” the report says. “This is particularly pertinent for superannuation funds, which want to attract and retain their members for the long term as a trusted financial partner. Importantly, the extent of reputational damage will largely depend on how an organisation manages the aftermath of a breach.”
If “everything is down”, says HSBC’s Rajeev Tummala, “be transparent” by informing stakeholders. Organisations should be as thoroughly prepared as possible for a cyber-attack, with a “strong and well-rehearsed business continuity plan” (BCP) and a communication strategy to control how people hear about it.
“The extent of reputational damage will largely depend on how an organisation manages the aftermath of a breach,” the report says. “Firms with a robust BCP and ongoing dialogue with affected stakeholders are more likely to recover their reputation – even compared to entities that experience a less serious cyber breach.”
The ACSA report comes after APRA hit NGS Super with additional licence conditions after hackers gained access to its system. The new conditions require NGS to hire outside help to provide assurance regarding its remediation activities and conduct an operational effectiveness review.