A panel of experts at the Conference of Major Superannuation Funds stressed the importance of super funds being prepared and having a cybersecurity strategy in place.

When asked if super funds should have "something in the bottom of the drawer of someone's desk that explains the first port of call", The Secure Board director Claire Pales gave a definitive answer.

"Absolutely... The best thing you can do is to practice that document that you should have printed in the bottom drawer, because if you have to shut all your systems down, you can't access that document anyway," she said.

"But the simplest tabletop scenario super funds can go through is to walk through that document and even just make sure the phone numbers are up to date... It's quite simple, and boards, directors, executives and lots of people across the organisation should be involved in practicing these activities, as your third party should be."

Pales noted that if a super fund has a material third party that it can't do business without, it should be practicing cybersecurity drills with them as well.

They don't have to be fancy, she said.

"It can be very, very basic - just walking through your document and making sure it actually works and thinking through some decisions that you might have to make in the face of a crisis," she advised.

"For example, who would shut the systems down? And who is allowed to make that decision to shut the systems down?

"There's a huge opportunity to do lots of pre-thinking so that when you're in the face of a crisis, you might not be able to leverage the legal clauses or the audits... but if you can leverage the experience you've had together in responding to what a scenario crisis is, that's good."

Pales likened it to the effectiveness of a fire drill.

"We all walk down 25 flights of stairs out into the grass area out the front of Exhibition Street or wherever you are... Fire drills work, and people know what to do," she said.

"We can't impress enough the importance of having drills and starting small, just in a cyber team and then spreading that out to include tech.

"Practice the ripple effect of bringing more people into those experiences, and make the scenarios as damning as possible, because if you look around at what's happened to some other companies, they've been pretty detrimental."

Financial Standard is the official media partner of the Australian Institute of Superannuation Trustees' 2023 Conference of Major Superannuation Funds.