The Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) have urged superannuation trustee chief executives to consider establishing a cross industry forum to discuss trends and share learnings in relation to cyber risks and incidents.
ASIC and APRA hosted a superannuation CEO roundtable last month and revealed on Friday that its focus was on addressing cyber resilience within the industry.
Spearheaded by ASIC commissioner Danielle Press and APRA deputy chair Margaret Cole, the event was attended by 14 superannuation trustee CEOs and executives, representing a broad cross-section of the industry, as well as a representative of the ATO.
According to the regulatory bodies, the super fund CEOs were aligned in their understanding that while privacy, commercial, and competition concerns remain vital, the establishment of a dedicated “safe space” for sharing experiences would prove immensely valuable.
In response, APRA and ASIC have expressed their willingness to actively support and facilitate these discussions.
“In our growing digital economy, the frequency, breadth and scale of cyber attacks is escalating rapidly. As a result of growing scam, fraud and cyber threats, it is crucial that all superannuation trustees have adequate measures in place now to prevent, detect and respond to these threats,” the pair reported.
Moreover, attendees were said to have expressed a collective interest in sharing information relevant to addressing cyber risks more regularly and rapidly within the industry.
“The CEOs shared practices on how their organisations have uplifted cyber resilience, such as by reviewing their data management plans and implementing changes, uplifting the cyber capability of the board and key internal stakeholders, and developing and testing the operating effectiveness of response plans to material cyber incidents,” ASIC and APRA recounted in a joint statement.
The two regulatory bodies also said they contributed insights gained from recent cyber attacks, both within and outside the superannuation sector.
Key takeaways included the need for strong data and IT systems governance measures, including the decommissioning of legacy systems and adequate service provider oversight, as well as preparedness for future incidents and a clear delineation between board and management responsibilities, established in advance of any real threat scenario.
Superannuation executives in attendance at the roundtable included Paul Schroder from AustralianSuper, Bernard Reilly from Australian Retirement Trust and Aware Super’s Deanne Stewart.