
How verifiable credentials can infuse trust into Australian super funds

By Ashley Diffey, Vice President Australia and New Zealand at Ping Identity

When a wave of credential stuffing attacks hit Australia’s $4 trillion superannuation sector in April, the damage went beyond the accounts that were accessed. Fund websites and call centres were not set up to handle the volume of member inquiries about the safety and accessibility of their funds, and buckled under the pressure. This fell short of customer expectations, and of regulators’ expectations as well.

The missive from the Australian Prudential Regulation Authority (APRA) was unambiguous: address persistent weaknesses in information security and authentication controls to protect members’ data, money and interests.

Weak controls have been exposed in recent years by rapid changes in how members engage with their funds. Australia’s ageing population means that more retirees are seeking to access and withdraw funds. In addition, awareness campaigns by tax authorities and others have consistently encouraged younger demographics to log into their superannuation accounts more frequently.

The end result, rapid growth in member engagement, appears to have caught parts of the sector off guard, or at least without the capacity to handle the influx of requests through secure self-service.


A further complicating factor is that the superannuation sector, like others, is still undergoing a digital transformation of its systems and processes. With an almost unfathomable amount of retirement savings under management, these transformations are proving to be neither painless nor easy, both for trustees and members.

It’s not just member experience that is driving transformation: cybersecurity is also an important consideration and investment driver. After the credential stuffing attacks, the focus on security has become even more urgent.

It’s past time for the other major cohort of companies holding significant wealth in Australia’s financial sector, superannuation funds and trustees, to step up their security protections and capabilities.

Identity security upgrades are a key first and foundational step to creating the secure experience and interactions that both members and regulators want to see.

What’s good for banking is also good for super

For several years now, banks have been the public face of the Australian financial system’s exposure to security threats, with one of the Big Four declaring last year that “every bank is being attacked all the time.”

Regulatory attention on banking cybersecurity has not been in vain. An extraordinary amount of rigour from the likes of APRA over the last decade has seen Australia’s banks adopt best-of-breed solutions, not only to comply with regulatory requirements but also to do the best they can at securing their customers and the funds they manage.

As a result, whenever I am asked ‘Who does identity security right today?’ I am quick to cite the banks. Why? Because they’ve demonstrated they care. They have got the nation’s wealth in their hands, they’ve got the ability to invest, they’ve got good teams and experts inside their business, and they engage the right people to come in and advise and help them build, architect and deliver really meaningful outcomes.

In parallel, they’ve had APRA with a firm hand on their shoulder saying, ‘This is what you must do’, and that has resulted in them having quite literally world-class solutions for any kind of security, protecting individuals and money.

An equivalent level of protections, and information security and authentication controls uplift, is both desirable and achievable in the superannuation sector. Given the nature of the attack vector used against funds - involving the use of stolen credentials to gain access to members’ accounts - enhancing identity security is an obvious response.

What best-practice identity management looks like

For superannuation funds, the best-practice future of identity services is likely to involve the adoption and acceptance of verifiable credentials, such as Apple’s ID in Wallet, and attribute-based access controls in the backend to govern what someone logging in with that credential is able to do.

Verifiable credentials are cryptographically signed digital proofs of identity data, issued by a trusted party to a wallet on the user’s device and protected there by the device’s biometrics. Each credential records who issued it, who it was issued to, the specific identity attributes it asserts, and when it expires. Because the issuer’s signature covers all of that information, a relying party can check the credential’s provenance and integrity, and so its chain of trust, by verifying the signature at the point of presentation. Verifiable credentials suit any identity data that needs to be verified in real time.

Importantly, acceptance of verifiable credentials by many organisations is seen as a more user-centric approach to identity. Rather than requiring users to have a separate identity for every service they use or organisation with which they engage, they can use one credential to access everything. This also reduces the burden on organisations to collect, store and hold identity data, reducing organisations’ attack surface.

For organisations such as superannuation funds, the question is how to ingest that verifiable credential in a meaningful way: verify who a member is, act on the attributes that matter for the transaction, and then not retain the underlying identity details. An identity and access management platform can act as that connective thread, managing authentication across the member journey with minimal friction and maximum security.
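The issue, present and verify flow described in the two paragraphs above, written out as an added illustration in Go. It is not code from the author, Ping Identity or any wallet vendor. It assumes a deliberately simplified credential structure (not the W3C Verifiable Credentials data model), an Ed25519 issuer key, and a hypothetical issuer name "example-issuer" and member identifier "member-12345". The relying party checks that the issuer is on its trust list, that the signature still covers the presented payload, and that the credential has not expired; it then works only with the parsed claims and never needs to store the credential itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a simplified, illustrative credential: an issuer's signed
// statement about a subject with an expiry. It is not the W3C VC data model.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Expires time.Time         `json:"expires"`
}

// Signed is the artefact the holder's wallet stores and later presents.
type Signed struct {
	Payload   []byte // JSON encoding of the Credential
	Signature []byte // Ed25519 signature over Payload by the issuer
}

// Issue serialises the credential and signs it with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) (Signed, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks a presented credential against the verifier's list of trusted
// issuer keys, then the signature, then the expiry, and returns the parsed
// claims. The verifier keeps nothing but the claims it decides to act on.
func Verify(trusted map[string]ed25519.PublicKey, s Signed, now time.Time) (Credential, error) {
	var c Credential
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return Credential{}, fmt.Errorf("malformed credential: %w", err)
	}
	pub, ok := trusted[c.Issuer]
	if !ok {
		return Credential{}, errors.New("untrusted issuer: " + c.Issuer)
	}
	// The signature covers issuer, subject, claims and expiry together, so
	// changing any of them after issuance fails here.
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return Credential{}, errors.New("signature does not verify")
	}
	if !now.Before(c.Expires) {
		return Credential{}, errors.New("credential expired")
	}
	return c, nil
}

func main() {
	// Constructed sample: a hypothetical issuer and member, not real data.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"example-issuer": pub}
	now := time.Now()
	cred := Credential{
		Issuer:  "example-issuer",
		Subject: "member-12345",
		Claims:  map[string]string{"given_name": "Jane", "date_of_birth": "1960-04-02"},
		Expires: now.Add(24 * time.Hour),
	}
	s, err := Issue(priv, cred)
	if err != nil {
		panic(err)
	}
	got, err := Verify(trusted, s, now)
	fmt.Println("genuine:", got.Claims, err)

	// Tampered presentation: a claim is changed but the original signature reused.
	cred.Claims["date_of_birth"] = "1950-04-02"
	forged, _ := json.Marshal(cred)
	_, err = Verify(trusted, Signed{Payload: forged, Signature: s.Signature}, now)
	fmt.Println("tampered:", err)

	// Expired presentation.
	_, err = Verify(trusted, s, now.Add(48*time.Hour))
	fmt.Println("expired:", err)
}
```

The order of checks matters in practice: the issuer is looked up before the signature is verified so that an attacker cannot make the verifier accept a credential signed with a key it has never trusted, and expiry is checked against the verifier's clock, not a timestamp supplied with the presentation.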

The same platform can also help organisations to implement attribute-based access controls to support how members interact with digital superannuation systems and services. These manage what the member is allowed to access once authenticated, in what environment, and for what period of time.

They also govern the signals and usage patterns monitored around that member interaction, so that when anomalous behaviour is detected, an additional identity challenge, such as multi-factor authentication, can be issued before the action proceeds. Fine-grained consent controls, built on the same attribute-based access model, feature in most identity security uplifts today.
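The attribute-based access control described in the two paragraphs above, as an added illustration in Go rather than any platform's real policy engine or a fund's actual rules. The subject attributes (authentication level, authentication age, known device, usual location), the action names and the thresholds in the policy table are all hypothetical choices made for this example. The point it shows is that authentication and authorisation are decided together: a read-only action is allowed on a plain login, a sensitive action on a stale or weak session or from an unfamiliar device returns a step-up decision that triggers an extra challenge, and acting on someone else's account is denied outright.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of evaluating a request against policy.
type Decision int

const (
	Deny   Decision = iota
	Allow
	StepUp // permitted only after an additional challenge such as MFA
)

func (d Decision) String() string { return [...]string{"deny", "allow", "step-up"}[d] }

// Subject holds the attributes established at login (for example from a
// verified credential) plus the session signals a risk engine would feed in.
// The fields are illustrative, not any fund's real schema.
type Subject struct {
	MemberID        string
	Role            string // "member" or "adviser"
	AuthLevel       int    // 1 = password only, 2 = MFA, 3 = verified credential plus MFA
	AuthenticatedAt time.Time
	KnownDevice     bool // device previously bound to this member
	UsualLocation   bool // request originates from the member's usual country
}

// Request is the action the subject wants to perform on a member account.
type Request struct {
	Action   string // key into policy
	Resource string // member account the action targets
	At       time.Time
}

// Rule is the policy for one action: how strong and how fresh the
// authentication must be, and whether anomalous signals force a step-up.
type Rule struct {
	MinAuthLevel int
	MaxAuthAge   time.Duration
	Sensitive    bool
}

// policy is a hypothetical rule set chosen for illustration.
var policy = map[string]Rule{
	"view_balance":        {MinAuthLevel: 1, MaxAuthAge: 12 * time.Hour, Sensitive: false},
	"update_contact":      {MinAuthLevel: 2, MaxAuthAge: time.Hour, Sensitive: true},
	"change_bank_details": {MinAuthLevel: 2, MaxAuthAge: 10 * time.Minute, Sensitive: true},
	"withdraw":            {MinAuthLevel: 2, MaxAuthAge: 10 * time.Minute, Sensitive: true},
}

// Decide evaluates one request. Deny is final; StepUp means the platform should
// issue an extra challenge and re-evaluate once the subject's AuthLevel rises.
func Decide(s Subject, r Request) (Decision, string) {
	rule, ok := policy[r.Action]
	if !ok {
		return Deny, "unknown action"
	}
	if s.Role == "member" && r.Resource != s.MemberID {
		return Deny, "members may only act on their own account"
	}
	if s.AuthLevel < rule.MinAuthLevel {
		return StepUp, "authentication level below policy for this action"
	}
	if r.At.Sub(s.AuthenticatedAt) > rule.MaxAuthAge {
		return StepUp, "authentication too old for this action"
	}
	if rule.Sensitive && (!s.KnownDevice || !s.UsualLocation) {
		return StepUp, "anomalous session signals on a sensitive action"
	}
	return Allow, "policy satisfied"
}

func main() {
	// Constructed sample sessions and requests, not real member data.
	now := time.Now()
	member := Subject{MemberID: "member-12345", Role: "member", AuthLevel: 1,
		AuthenticatedAt: now.Add(-time.Minute), KnownDevice: true, UsualLocation: true}
	for _, r := range []Request{
		{Action: "view_balance", Resource: "member-12345", At: now},
		{Action: "withdraw", Resource: "member-12345", At: now},
		{Action: "view_balance", Resource: "member-99999", At: now},
	} {
		d, why := Decide(member, r)
		fmt.Printf("%-13s -> %-7s (%s)\n", r.Action, d, why)
	}
	// Same member after passing MFA, but from a device never seen before.
	member.AuthLevel, member.KnownDevice = 2, false
	d, why := Decide(member, Request{Action: "withdraw", Resource: "member-12345", At: now})
	fmt.Printf("%-13s -> %-7s (%s)\n", "withdraw", d, why)
}
```

Ownership is checked before any step-up logic so that a challenge is never issued for a request that would be denied anyway; a step-up that raises AuthLevel re-enters the same function, which is what keeps the session signals and the access rules in one place.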

Australian superannuation funds have had a serious scare, and are under regulatory guidance to act. An identity and access management platform is a key foundational element of the response.