APRA 'continuing to monitor' UniSuper outage

UniSuper has commenced the restoration of its services, as APRA confirms it is monitoring the situation which arose when the fund's private cloud was inadvertently deleted.

In a brief statement to Financial Standard, APRA said it is "aware of the system outage affecting services and is continuing to monitor the situation."

It also cited a speech delivered by Therese McCarthy Hockey in August of last year on the regulator's expectations in relation to Prudential Standard CPS 230 Operational Risk Management, which all APRA-regulated entities must comply with from 1 July 2025.

In that speech, McCarthy Hockey said: "Perhaps the most significant change introduced by our new standard is the requirement for an end-to-end view of operational risk, with a focus on critical operations, including those performed by third and fourth parties."

"APRA-regulated entities will no longer need to simply be aware of their own internal operational vulnerabilities and have plans to mitigate them. From 1 July 2025, they must have the same level of understanding of their most critical third-party service providers - as well as their most critical fourth-party service providers.

"An insurer may not be directly responsible for its website going offline when a network gateway fails, but it will be responsible for the outcome - which is the inability of customers to lodge claims or access other services."

Meanwhile, corporate regulator ASIC said that the matter "predominantly concerns APRA," but offered a general comment on member services failures.

"Member services failures are an enforcement priority for ASIC, we expect trustees to communicate proactively with members, deal responsibly with members' money, and deliver good value for money. This is regardless of the phase of membership of the member," a spokesperson said.

"Through our surveillance and enforcement work over recent years it has become increasingly clear that in many cases member services provided by superannuation funds are falling short of these expectations. In particular, we have observed that services are too often slow, unresponsive, and not member focused."

Overnight, UniSuper told members they would be able to log in to their accounts from midday today and that account balances displayed would be as at last week. Still, transactions will not be possible, the fund said.

"Every effort from my team has been taken to get systems back online as quickly as possible, while maintaining safety and security. We are conducting rigorous systems testing to ensure that once services are online, they will be stable," UniSuper chief executive Peter Chun said.

In a joint statement, Chun and Google Cloud chief executive Thomas Kurian said Google Cloud has now confirmed the outage is the result of "an unprecedented sequence of events whereby an inadvertent misconfiguration during provisioning of UniSuper's private cloud services ultimately resulted in the deletion of UniSuper's private cloud subscription."

Google Cloud described the situation as a 'one-of-a-kind occurrence' and said it has never previously happened with any of its clients globally.

As for why the outage, which has been ongoing for more than 10 days now, has lasted so long, they explained that UniSuper had duplication in two geographies to guard against outages and loss.

"However, when the deletion of UniSuper's private cloud subscription occurred, it caused deletion across both of these geographies," they said.

"Restoring UniSuper's private cloud instance has called for an incredible amount of focus, effort, and partnership between our teams to enable an extensive recovery of all the core systems. The dedication and collaboration between UniSuper and Google Cloud has led to an extensive recovery of our private cloud which includes hundreds of virtual machines, databases and applications."

UniSuper explained that it had backups in place with another service provider, which minimised data loss, and "significantly improved the ability of UniSuper and Google Cloud to complete the restoration."

In a further statement to Financial Standard, UniSuper said: "Member data is safe - no UniSuper data has been exposed to unauthorised third parties as a result of this incident. We have encountered absolutely minimal data loss during our progressive restoration of services, with this data being predominately related to our internal operating processes. Members can be assured all member data is rigorously backed up and these backups are secure. UniSuper does not expect this to have any impact on members."