GNGB and PwC call for cyber standards in superannuation industry

15 March 2021

A collaborative approach across the entire superannuation ecosystem is crucial to mitigating potentially devastating cyber threats. This is according to a new PwC report – commissioned and co-authored by the Gateway Network Governance Body (GNGB).

Australian businesses lost nearly $30 billion to cyber attacks last year, as criminals looked to exploit pandemic-induced vulnerabilities. With organisations stretched across a plethora of public and private networks, IT infrastructures were left more insecure than ever.

Superannuation was a heavily targeted industry in this barrage, for several reasons. First, the thriving sector holds nearly $3 trillion of Australian money. Second, it offers a vast pool of identifiable personal data. And last, its ecosystem is vast and unpredictable.


“The superannuation ecosystem spans some of Australia’s largest financial institutions, over 880,000 employer organisations and the accountants, bookkeepers, clearing houses, gateways, administrators and more that comprise the supply chain,” according to the PwC report.

Most attacks on the sector have fallen short so far, although a decisive breach of any one of these stakeholders could disrupt superannuation services and erode trust in the system in the best case, and affect the savings of more than 24 million Australians in the worst.

With cyber criminals scoping the sector, security is urgent to say the least. Per the experts, the core issue is that security measures taken by individual actors are not enough – they still leave each actor vulnerable to breaches in other parts of the ecosystem. Making matters worse is that many stakeholders remain primitive in their approach to cyber security.

A pan-ecosystem strategy

What superannuation needs is a pan-ecosystem strategy, where stakeholders collaborate to minimise overall risk. The report laid down four pillars of a “secured future” – an imagined ideal for stakeholders to work towards. 

One is a self-monitoring mindset, where each stakeholder maintains and updates minimum essential cyber security controls. “This would lift the ecosystem’s overall ability to protect itself from common and rudimentary cyber security attacks,” reads the report.

Next is a real-time information-sharing system, where actors across the ecosystem are notified if any one part is under attack. “Appropriate responses and prevention plans can be put in place to minimise the risk of a repeat or ecosystem-wide disruption.”

Third, there should be built-in response mechanisms for risks caused by member behaviour, be it accidental or intentional. This reduces the reliance of ecosystem security on the actions of a single member. And the last pillar is a well-rehearsed, coordinated incident response plan, which is continually tested and improved by every member of the ecosystem.

“In the above imagined future, common cybersecurity attacks would be prevented and damage from more choreographed or advanced attacks blunted,” concluded the report, against the backdrop of an increasingly complex and sophisticated cyber threat profile.