Superannuation and Cyber Security – Are you protected? | Australian Markets
Financial Newswire’s financial technology columnist, Andy Forbes, analyses what happened in the cyber-attacks on a number of superannuation funds and how to counter such cases.
Over the final weekend of March 2025, malicious actors launched coordinated cyber attacks on many of Australia’s superannuation funds. Some of the largest names in the sector were targeted, including AustralianSuper, Hostplus, Rest, Insignia Financial’s MLC Expand platform and Australian Retirement Trust.
The success of our superannuation industry and the market concentration of the large providers make it an attractive target for cybercriminals. So, what happened?
AustralianSuper reported the theft of $500,000 across ten member accounts. Rest has confirmed that while some members’ accounts were accessed, no member funds were illegally transferred. Thankfully it is a similar story with Hostplus, MLC Expand and Australian Retirement Trust: suspicious activity, possibly accessed accounts and disruptions to service, but no reports of lost money.
While the full extent of the breach remains under investigation, the information we have so far shows that this was not a technically sophisticated cyber-attack: deliberate, yes, but technically sophisticated, no. The attackers used a technique known as ‘credential stuffing’, in which email addresses and passwords from earlier, unrelated breaches are used to attempt access to other systems. Put simply, it exploits people who use the same password across different websites. With this relatively unsophisticated approach the attackers were able to gain access to accounts and caused panic and disruption across our superannuation sector.
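Credential stuffing leaves a recognisable trace in a login service’s logs: one source trying many different accounts in a short period with mostly failures. The following Python script is an added example (not code from the column or from any of the funds named) showing how a fund’s security team could flag that pattern. The log format, the addresses and the account names are constructed for the example; a real deployment would read the authentication service’s own log format instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real fund logs). 203.0.113.10 tries many
# different accounts with a low success rate, the credential-stuffing signature;
# 198.51.100.7 is an ordinary member mistyping their own password.
SAMPLE_LOG = """\
2025-03-29T22:14:03Z src=203.0.113.10 user=alice@example.com result=FAIL
2025-03-29T22:14:04Z src=203.0.113.10 user=bob@example.com result=FAIL
2025-03-29T22:14:04Z src=203.0.113.10 user=carol@example.com result=FAIL
2025-03-29T22:14:05Z src=203.0.113.10 user=dave@example.com result=SUCCESS
2025-03-29T22:14:05Z src=203.0.113.10 user=erin@example.com result=FAIL
2025-03-29T22:14:06Z src=203.0.113.10 user=frank@example.com result=FAIL
2025-03-29T22:14:06Z src=203.0.113.10 user=grace@example.com result=FAIL
2025-03-29T22:14:07Z src=203.0.113.10 user=heidi@example.com result=SUCCESS
2025-03-29T22:20:00Z src=198.51.100.7 user=ivan@example.com result=FAIL
2025-03-29T22:20:09Z src=198.51.100.7 user=ivan@example.com result=FAIL
2025-03-29T22:20:21Z src=198.51.100.7 user=ivan@example.com result=SUCCESS
"""

# Hypothetical key=value log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, source, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag sources that attempt many *different* accounts within `window`
    with a low success ratio. A single user failing repeatedly is not flagged,
    because that looks like a forgotten password, not a credential list.

    Returns {source: {"distinct_users", "attempts", "successes", "compromised"}}
    where "compromised" lists accounts the flagged source logged into; those
    are the accounts to lock and contact first."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most `window` of time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = [e[2] for e in span if e[3]]
            ratio = len(successes) / len(span)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                # keep the widest matching window seen for this source
                if src not in findings or len(span) > findings[src]["attempts"]:
                    findings[src] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": len(successes),
                        "compromised": sorted(set(successes)),
                    }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"{info['successes']} succeeded -> lock {info['compromised']}")
```

The thresholds are deliberately conservative; in production they would be tuned against the service’s normal traffic, and the same logic would be applied per source network rather than per address, since stuffing campaigns rotate addresses. The point the example makes is that the attack is cheap for the attacker but also cheap to see, provided someone is looking at the failed-login stream and not only at successful logins.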
The scale and simplicity of this attack raise the question: is Australia’s superannuation safe?
It is not a question asked lightly. The idea that these funds could be accessed by hackers, bank details changed, and money stolen through credential stuffing is alarming. If simple hacking techniques work, what about more sophisticated threats?
To understand the landscape, it is important to step back and assess what is happening in the broader world of cyber security. Cybercriminals are no longer lone actors; some operate with the scale and co-ordination of professional enterprises. They use malware, dark web marketplaces, gaps in technology and mass automation to exploit system weaknesses. Teams inside superannuation providers fight these threats with strict IT policies, minimum password lengths, enforced Multi-Factor Authentication (MFA), regular capability audits, firewalls, web application firewalls (WAFs), anti-virus and other intrusion detection and prevention systems.
Sophisticated systems can be undone by gaps in any of the above areas. In this incident there were two concerning lapses: firstly, members using the same password across a number of websites, and secondly, the absence of MFA on some superannuation member or adviser portals.
It is unfortunate that being slow to implement MFA on externally facing accounts may have undone otherwise excellent cyber security programs within these funds. Perhaps concerned that the industry was not implementing MFA fast enough, in May 2023 APRA wrote a letter to its regulated entities reminding them of the importance of multi-factor authentication as a security measure. Implementing security best practice is often slower than it needs to be.
So, no, the hard reality is that we cannot simply assume our superannuation accounts are safe.
A failure by either the individual, their adviser or the institution can be enough to let a hacker in. The superannuation industry often laments the “out of sight, out of mind” approach many Australians have to their super. Sadly, this saying often also applies to Australians and digital security, until it is too late.
Security of your superannuation account is a shared responsibility. In an increasingly hostile cyber security environment, individuals, advisers and institutions each need to play their part to keep superannuation safe.
At the individual level you should adopt strong, unique passwords. In earlier years security professionals would recommend using numbers, capitals and symbols. This is good, but password length matters more. To help you generate and manage these long, unique passwords, consider using a password manager.
Worried you may have re-used passwords already? Free tools like ‘have i been pwned’ let you check your email address against known breaches. Similarly, modern web browsers like Chrome include a password manager that can check your accounts against known breaches.
If MFA is optional on your financial systems, set it up. In the unfortunate event that your account is breached, the MFA challenge will stop the attacker in their tracks.
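The individual-level advice above (length over complexity, check for re-used passwords against known breaches, let a manager generate the passwords) can be turned into a concrete check. The Python below is an added example, not code from the column or from ‘have i been pwned’; it reproduces the k-anonymity mechanism the Pwned Passwords service uses (SHA-1 the password, send only the first five hex characters, compare the remaining suffix locally) against a tiny breach corpus and word list that are constructed here so the example runs offline.

```python
import hashlib
import secrets

# Constructed stand-in for a breach corpus (a real one holds hundreds of
# millions of entries). Stored as upper-case hex SHA-1, the form the
# Pwned Passwords range API returns.
KNOWN_BREACHED = {"password", "123456", "qwerty", "Summer2024!", "letmein"}
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in KNOWN_BREACHED}

# Constructed word list; a real generator would use a published diceware list.
WORDLIST = ["harbour", "kettle", "orbit", "maple", "glacier", "tartan",
            "pelican", "quartz", "saddle", "velvet", "wombat", "zephyr"]


def range_lookup(prefix):
    """Emulates the k-anonymity range query: the caller reveals only the first
    five hex characters of its hash and receives every suffix in the corpus
    sharing that prefix, so the server never learns the full hash."""
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix)]


def is_breached(password):
    """Return True if the password's SHA-1 appears in the breach corpus,
    matching the suffix locally so the full hash never leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def evaluate_password(password, min_length=14):
    """Length-first policy: a short password fails regardless of symbols or
    capitals, and any password seen in a breach fails regardless of length.
    Returns {"ok": bool, "length": int, "problems": [str, ...]}."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in known breach data")
    return {"ok": not problems, "length": len(password), "problems": problems}


def generate_passphrase(words=5):
    """What a password manager does for you: several random words joined with
    hyphens, long enough to pass the length rule without being hard to type."""
    return "-".join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["password", "Summer2024!", generate_passphrase()]:
        verdict = evaluate_password(candidate)
        status = "OK" if verdict["ok"] else "REJECT: " + "; ".join(verdict["problems"])
        print(f"{candidate!r} ({verdict['length']} chars): {status}")
```

Note that `Summer2024!` has capitals, digits and a symbol and still fails twice: it is too short and it is in the corpus. That is the column’s point about length mattering more than character classes, and about re-use being the real weakness that credential stuffing exploits.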
At the adviser level, all of the above applies, but with the professional responsibility of looking after client accounts. A breached adviser account that has the ability to trigger payments on behalf of clients could be an attack vector.
Then, institutionally, super funds that were delaying MFA enforcement should accelerate their timelines. There are encouraging signs that all are taking this very seriously now. More generally, these funds should continue to move from reactive to proactive measures, such as investing in dark web monitoring, increased intrusion detection, faster cyber incident response and sharing of threat intelligence. Finally, because the weakest link is often human behaviour, superannuation funds need to play a part in educating their members, advisers and staff on cyber security.
Self-Managed Super Funds (SMSFs) present a distinctive security profile worth particular consideration. By their very nature, SMSFs decentralise risk. Each fund has one or more dedicated bank accounts, and possibly a number of investment systems in use. Each of these brings its own bank-level security.
This unusual structure of SMSFs, coupled with banking and investment platform security, can create a stronger defence posture. The option of multiple bank accounts means you can diversify your banking, and in turn reduce overall risk should a breach occur in one.
However, SMSFs are not immune. Their security depends on the vigilance of the trustees. This includes all the usual advice: understanding phishing threats, avoiding sign-in links sent via SMS or email, never sharing MFA codes, and making sure personal devices are up to date and protected. SMSF professionals in the supply chain play their part too, ensuring their systems are fortified with controls to prevent malicious behaviour. Thankfully, specialist SMSF software used by accountants, such as SuperMate, BGL and Class, has had MFA mandated by the ATO for a few years now.
Whether industry, retail or self-managed, the recent attacks are a sobering reminder that the success of our superannuation industry makes it a huge target. Cyber criminals are actively looking for any weakness and, once found, will attempt to exploit it at scale. Safety requires that individuals get the fundamentals right, such as password hygiene and MFA. Superannuation funds need to continue to invest in detection and defence against cyber security threats, while helping to educate users of their products on how to minimise their exposure.
Superannuation security should never be out of sight, out of mind. We all have a part to play to ensure the continued security of Australia’s superannuation system.
Andy Forbes is Chief Technology Officer at Super Concepts.