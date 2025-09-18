While financial services organisations may be comfortable with taking risks, certainly when it comes to investing, there are other types of risks they're not so familiar with. It may be 2025, but we continue to consistently see examples of organisations, including some of our biggest institutional investors, falling well below the standard when it comes to cybersecurity.

It doesn't bode well, given cybersecurity risks are increasing. Constant advancements in artificial intelligence (AI), increased digitisation of operations, and inadequate digital personal security measures are just some of the factors driving this.

As we enter a more volatile and insecure ecosystem, many businesses are still yet to fortify their cybersecurity infrastructure, according to HLB Mann Judd partner Kapil Kukreja.

In recent times, there have been several cyberattacks on Australian organisations, with superannuation funds increasingly targeted given the mounting honey pot of retirement savings they oversee. This highlights the urgency of strengthening "basic cyber hygiene" within their operational and management systems.

According to the HLB Cybersecurity Report, 39% of businesses around the world reported a rise in the number of attacks on their systems, with a further 29% experiencing more "severe consequences" from cyberattacks in the past year.

Despite the urgency, Kukreja says that many businesses are still underinvested in security measures with only 29% implementing AI-related security and governance controls, and just a quarter (24%) running cyber awareness training.

Still, companies are generally confident in their ability to recover from a cyber incident.

In the same report (Figure 1), 28% were 'very confident', 47% were 'confident', and 16% were 'slightly confident' they'd recover quickly from a cyberattack. Only 3% displayed a lack of confidence in this instance.

Could this be why businesses remain relatively lax in improving their cybersecurity?

For organisations like super funds, that confidence can work against them: as the most prominent players managing members' retirement savings, they cannot afford to lean on a quick recovery once prevention has already failed.

Although expectations and standards remain relatively high for these organisations, cybercriminals were still able to slip through the cracks earlier this year, stealing member information and money from the nation's largest super fund.

Super-sized risks

At AustralianSuper, a total of 10 members had a combined $750,000 transferred out of their accounts in a series of cyberattacks targeting super funds earlier this year. The attacks took the form of what is known as 'credential stuffing', where cybercriminals replay username and password pairs leaked from breaches of other services, and traded on the dark web, against a fund's login page, relying on members having reused the same password.

The hackers were able to withdraw money from retiree members' accounts and, while the victims were reimbursed, many were baffled by how such a well-established institution, one of such scale, could allow such a breach to occur.

The answer? Well, in part, it was the lack of a second verification step. The nation's largest super fund did not have multi-factor authentication (MFA) in place to verify that transactions or changes being made on members' accounts were legitimate, so a stolen password alone was enough.
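What credential stuffing looks like in a fund's own login logs, and how it differs from a brute-force attack on a single account, is easier to see in code. The following is an added example, not code from the article or from any fund named in it. The log format (one line per attempt: timestamp, source address, username, OK or FAIL), the sample lines and the thresholds are all constructed assumptions.

```python
"""Flagging credential stuffing in login logs.

Added example, not code from the article or from any fund named in it.
The log format is an assumption: one line per login attempt,
"<timestamp> <source_ip> <username> <OK|FAIL>". The thresholds are
assumptions too. The point is the shape of the traffic: a brute-force
attack hammers one account with many passwords, whereas credential
stuffing replays leaked username/password pairs, so one source tries
many DIFFERENT usernames, each only once or twice, and most fail.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one attacker address (203.0.113.9) replaying ten
# leaked pairs, two of which still work, plus ordinary member traffic.
SAMPLE_LOG = """\
2025-03-29T02:11:04Z 203.0.113.9 a.smith FAIL
2025-03-29T02:11:05Z 203.0.113.9 b.jones FAIL
2025-03-29T02:11:05Z 203.0.113.9 c.lee FAIL
2025-03-29T02:11:06Z 203.0.113.9 p.nguyen OK
2025-03-29T02:11:06Z 203.0.113.9 d.patel FAIL
2025-03-29T02:11:07Z 203.0.113.9 e.wong FAIL
2025-03-29T02:11:08Z 203.0.113.9 hester.k OK
2025-03-29T02:11:08Z 203.0.113.9 f.brown FAIL
2025-03-29T02:11:09Z 203.0.113.9 g.taylor FAIL
2025-03-29T02:11:09Z 203.0.113.9 h.wilson FAIL
2025-03-29T08:40:12Z 198.51.100.4 m.rossi FAIL
2025-03-29T08:40:31Z 198.51.100.4 m.rossi FAIL
2025-03-29T08:40:55Z 198.51.100.4 m.rossi OK
2025-03-29T09:02:17Z 192.0.2.7 j.okafor OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that got in


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def profile_sources(log_text):
    """Aggregate per-source counters over the whole log."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: sorted usernames that logged in from it} for sources
    whose traffic matches the credential stuffing pattern. The returned
    usernames are the accounts to treat as taken over: force a password
    reset and require MFA before any withdrawal or detail change."""
    flagged = {}
    for ip, s in stats.items():
        many_users = len(s.users) >= min_users
        mostly_failing = s.failures / s.attempts >= min_fail_ratio
        if many_users and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


def detect(log_text, **thresholds):
    return flag_stuffing(profile_sources(log_text), **thresholds)


if __name__ == "__main__":
    for ip, accounts in detect(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}; compromised accounts: {accounts}")
```

The member at 198.51.100.4 who mistypes a password twice is not flagged, because the distinct-username count stays at one. The attacker's two successful logins are the important output: those are the accounts where a step-up check on any withdrawal or change of details, the control APRA now expects, would have stopped the money leaving.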

Naturally, this led to calls for super funds to implement industry-wide improvements in cybersecurity.

APRA's recently released 2025-26 Corporate Plan sets new standards, where, at a minimum, APRA expects entities to require MFA or an equivalent mechanism when members are altering their details, withdrawing funds, or using any other functionality that would be considered "high risk".

Conscious of the consequences from the series of attacks earlier this year, APRA brought forward the deadline for super funds to comply with the new security measures by 12 months, now due on August 31.

AustralianSuper and HESTA have since implemented the mandatory MFA feature on their systems. CareSuper has also rolled out wider use of MFA, and smaller funds like Australian Food Super also adopted it.

Touching on whether regulators should attempt to unify legislation in cybersecurity for all financial institutions, Northern Trust head of Australia and New Zealand Leon Stavrou points out that this is already the case, to an extent.

Asset servicing banks and super funds are regulated by APRA, and these institutions must comply with Prudential Standards CPS220 Risk Management, CPS234 Information Security, and the recently enforced CPS230 Operational Risk Management, he says.

"And the recently released 2025-26 Corporate Plan builds on those instruments, as well, giving you a sense of what the regulator expects and believes will be important as an industry, what we can do to safeguard our clients, financial assets and retirement income savings," Stavrou says.

APRA's focused enforcement is also supported by the Association of Superannuation Funds of Australia (ASFA) chief executive Mary Delahunty.

ASFA established the Financial Crimes Protection Initiative in September 2024, which includes a cybersecurity toolkit to bring together the super sector in combating the growing threat of cyber and financial crime.

It has also partnered with JANA Investment Advisers to lead a "cross-industry" collaboration to update industry guidance on investment operational due diligence, adapted to CPS230.

"It's a multi-faceted approach bringing together several pieces of work which will significantly uplift the super sector's united approach to keeping data and member funds safe," Delahunty says.

"We released the ASFA Cyber Security Toolkit in May 2025, to provide clear guidance on navigating obligations under CPS230, CPS234, and various legislation so funds and their providers can clearly understand what is required legally and from regulation.

"We've updated our Minimum Fraud Controls for superannuation funds, which are in line with APRA's requirement for multi-factor authentication or equivalent controls across high-risk activities."

Delahunty notes that cybersecurity is now a "core responsibility" for super trustees given the scale and sensitive data they hold, meaning that the stakes are immensely high.

She stresses that the super system must be ready for what's ahead.

"Superannuation funds and their providers take cybersecurity very seriously and the sector is laser-focused on making sure members' data and funds are protected," Delahunty says.

"Looking forward, we are developing a framework which has at its core bespoke platforms for real-time, secure intelligence sharing between funds.

"This will sit alongside industry-wide playbooks and coordination plans for cyber incident prevention and response."

But, independent of any industry guidance, there are also super funds that are taking proactive steps to protect their members.

Just days before the credential stuffing attacks, Commonwealth Superannuation Corporation (CSC) told Financial Standard how it had taken to monitoring the dark web for members' stolen data. By notifying members when their data and passwords turn up in such dumps, the fund also protects itself from potential breaches, since leaked credentials lose their value to attackers once the member has changed them.

Over the course of a year, the super fund was able to detect over 100 cases of compromised information, not only for its members but also for its employees.
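Checking whether a member's password appears in leaked data, without handing the password to whoever holds the breach corpus, is a solved problem, and the following is an added example of the standard approach, not code from the article or from CSC. The breach corpus is constructed inline from a few well-known weak passwords, standing in for a dark-web feed, and the "server" is a local function, so it runs offline. The query design copies the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords service; the member IDs and sample passwords are constructed.

```python
"""Checking member credentials against leaked data without exposing them.

Added example, not code from the article or from CSC. The breach corpus
is constructed inline so the example runs offline, and the 'server' is a
local function. The client hashes the password with SHA-1, sends only the
first five hex characters of the digest, receives every leaked hash suffix
under that prefix, and finishes the comparison locally, so the lookup
service never learns the password or its full hash.
"""
import hashlib

PREFIX_LEN = 5  # 20 bits of the 160-bit SHA-1 digest leave the client

# Constructed stand-in for a feed of dark-web credential dumps.
LEAKED_PASSWORDS = ["Password123", "qwerty", "letmein", "Summer2024!", "123456"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in LEAKED_PASSWORDS}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix):
    """Server side: return the suffixes of every corpus hash under `prefix`.
    The prefix is validated because in the real design this is an
    externally reachable endpoint."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return {h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_compromised(password):
    """Client side: only the 5-character prefix is sent; the suffix match
    happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix)


def members_to_notify(members):
    """members: iterable of (member_id, password) pairs as presented at
    login or at password-set time. Returns the ids whose password is in
    the corpus. A fund should not hold plaintext passwords at rest, so
    this check belongs in the authentication path, not a batch job over
    a stored table."""
    return [member_id for member_id, pw in members if is_compromised(pw)]


if __name__ == "__main__":
    # Constructed sample: two members reusing leaked passwords, one not.
    sample = [("M1001", "Summer2024!"),
              ("M1002", "correct-horse-battery-staple-9"),
              ("M1003", "qwerty")]
    print(members_to_notify(sample))  # -> ['M1001', 'M1003']
```

The point of the prefix split is that the party holding the breach data (a vendor, or an industry sharing platform of the kind ASFA describes) learns nothing usable from a query: every 5-character prefix covers a large slice of all possible hashes, so a returned suffix set cannot be traced back to one member's password.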

Outsourcing who?

One of the focal points of CPS230 is the use of outsourced service providers, especially those located offshore.

The prudential standard aims to ensure that an APRA-regulated entity effectively manages its operational risks, maintains critical operations through disruptions, and manages the risks arising from service providers, it states.

Under the standard, an entity must notify APRA before entering into any "material arrangement" with an offshore service provider.

Thereafter, the entity is obliged to regularly review, and report on, compliance with its service provider management policy.

Engaging service providers therefore demands comprehensive procedures, yet most companies outsource to some degree to cut costs and draw on specialist expertise. For example, according to ASFA's data nearly half (44%) of super funds outsourced member administration as of 30 June 2020.

At the time, ASFA noted that it expected the number of funds with in-house administration functions to grow as "funds look to increase their control". The super sector has since undergone an industry-wide consolidation in which many smaller and mid-sized funds have merged into bigger players.

CareSuper, Meat Industry Employees' Superannuation Fund (MIESF) and TelstraSuper are among the few remaining that manage their administration internally; CareSuper and MIESF are set to merge on October 1, and TelstraSuper is in merger talks with Aware Super.

ASFA has previously said that an outsourced lower-cost service presents a false economy if members find they are transferred multiple times through a call centre when requesting information or making changes to their investments and insurance.

Furthermore, many may argue that offshore operators carry higher risks due to a lack of control, heightened third-party risks, as well as inadequate physical security. Stavrou believes, however, that if appropriately managed, outsourcing can, in some cases, reduce risk.

"When you outsource critical operations or processes, you're doing it because you believe that the third party can do it at scale with controls in place, and stand behind what they are providing you," Stavrou explains.

"That is part of what a lot of the asset servicing custodian banks' value proposition is, as well as other service providers as well.

"So, of itself, outsourcing doesn't necessarily increase or decrease your risk. However, the way that you think about your service provider is critical, as an extension of your operations, and importantly the fact that you can outsource the process but you can't outsource the risk.

"As a fund, you own that risk, and it's incumbent on you through the legislation and prudential standards, to perform due diligence to ensure that your service provider is protecting you and doing the right thing across a number of areas, including things like cybersecurity."

However, HLB's report reveals that 37% of organisations experienced a breach through a third-party vendor, while concerningly a further 20% are uncertain about their vendors' security status.

Kukreja notes there are often challenges with third-party vendors, including around adherence to contractual obligations, lack of robust security measures, minimal staff training, and lack of awareness.

Not a competitive advantage

Everything has been laid on the table for super funds to improve, but what are some crucial next steps to ensure all risks are managed?

Stavrou says cybersecurity should not be seen as a competitive advantage among institutions. Instead, it should be tackled as an industry.

Currently operating alongside several super funds in Australia, Stavrou notes that recent incidents have certainly highlighted how the industry is evolving, but he believes the issue will lead to a better outcome as the industry comes together.

"The entire industry needs to be protected, that's what I'm seeing more of, and I expect that to be further highlighted by the APRA industry stress test," Stavrou says.

"It's not just the super industry; it's the banking industry, as well, and the interconnectivity of those two.

"One thing to note with super as an industry is that financial services is comparatively quite mature when it comes to resiliency and security. That's because of the nature of what we do."

He highlights that asset safety is always the number one priority for custodians like Northern Trust, which constantly look for possible vulnerabilities, the various forms of cyberattack, and how they are being addressed.

Asked whether the strength of its cybersecurity might become a marketable feature for any of these organisations, Stavrou says it should not.

"That's not the way the industry thinks, and the reason for that is the trust and confidence that Australians have with the super sector," Stavrou says.

"If there is a wavering of that confidence because of a series of cybersecurity and data exfiltration incidents, at a systemic level it really doesn't matter which fund it was; people are going to lose confidence in the industry.

"We want to stay ahead of that game, ensuring that there is that confidence even when bad things happen that we're well-positioned to respond, recover and move forward.

"We want to compete on returns, service levels, products and innovation. We don't want to be competing on outages or cybersecurity incidents."

That sentiment extends across the entire financial services industry, as Viola Private Wealth chief executive Sean Ward argues that if one fails to uphold the standard, it will affect the entire sector.

He also notes that financial firms remain prime targets, given the sensitive data they contain - implying that it is incumbent on every business operator to ensure they have the best protection in place.

"Encrypting communications not just externally but internally, using multi-factor authentication and utilising specialist IT service providers are the minimum ticket to the game these days," Ward says.

"I don't understand why advice firms grow their businesses in the darkness of night. We need to share best practices more between ourselves. Any data breach hurts us all.

"Cybersecurity is critical given it is a fundamental pillar supporting the firm's reputation, client relationships, and long-term viability."

Broken trust

Cybersecurity may not be something to compete on, but Ward warns that any breach will damage the relationship between an organisation and its clients.

Russell Investments' latest Value of an Adviser Report further details the importance of trust between clients and advisers, as it emerges as the single biggest driver of client satisfaction.

"Building trust takes time, but more frequent, meaningful contact accelerates it. Most advisers (91%) still rely on in-person meetings, phone calls, and emails to connect with clients," the report states.

"Yet advisers who use secure portals and video calls tend to connect with clients more often, averaging five interactions per year compared with 3.6 interactions on average across the survey."

Trust between an organisation and its clients operates as a crucial catalyst, and once that is breached, it can irreparably harm a firm's reputation, leading to the loss of clients, Ward adds.

"The breaches we've all seen in the media and the countless others which likely haven't hit the media have us continually talking to our staff around safe practices," Ward explains.

"For a while now we've been running formal training sessions around ransomware, phishing and social engineering scams.

"We also run an education platform focused on cyber risks that all staff must complete, as well as regularly testing staff. Over and above all we have in place, ensuring our staff are educated and appropriately alert complements our defence."

Furthermore, recovering from a breach of a member's personal data can be far more complex than anticipated: affected members may need to have their driver's licences and passports reissued, as well as reset their login details for every account, Ward continues.

Therefore, it remains prudent to maintain that relationship while strengthening security from top to bottom for all organisations.

Furthermore, Kukreja believes that cybersecurity has now become a "strategic issue," as this aspect has been complicated by multiple layers, including AI, increasing attack frequency, and gaps in governance.

"Many organisations are still approaching cybersecurity as a one-off investment rather than a continuous, evolving discipline," Kukreja warns.

"The growing sophistication of cyber threats demands not only more innovative technologies, but a proactive mindset, embedding security into every layer of the business.

"The threat landscape is evolving rapidly, and businesses must evolve with it - including governance, operations, technology, and culture. Boards, executives, IT leaders and staff all have a role to play.

"Cybersecurity is no longer optional. It's foundational to business continuity, reputation, and trust. The organisations that act now will be far better positioned for the future."

Considering these emerging issues, Kukreja outlines some key recommendations for businesses looking to strengthen their systems, such as increasing the frequency of ongoing cybersecurity training, keeping systems patched and updated to prevent known vulnerabilities from being exploited, and testing incident response plans regularly to minimise disruption and recovery time.

"There can be a gap in governance due to a lack of commitment from senior management, which leads to inadequate processes for identification, reporting, remediating and monitoring of cybersecurity risks," Kukreja adds.

"Tone at the top is critical, and allocating the right level of resources (people, process and technology) on an ongoing basis is vital as the landscape is changing at a rapid pace."

Stavrou agrees, saying a risk culture within a business is essential.

"For any organisation, having a strong risk culture and governance is going to hold you in good stead," Stavrou says.

"That accountability for superannuation funds has recently been formalised via the Financial Accountability Regime from an accountability perspective, and I think that will shift the way that people think about their responsibilities but also how they demonstrate that they are meeting those objectives.

"The other cultural point is the third-party oversight and understanding of the role of the outsourcing and the oversight of the outsourcing provider. Conducting your due diligence and managing it to the expectations that the regulators have."