Speaking on the sidelines of the 2017 ASFA conference, Link Group chief information security and technology officer David Cowan said that super funds are unaware of the risks they are taking on by embracing big data.
Link Group subsidiary Empirics is one of a number of data analytics companies that work with super funds to help them engage and retain members.
But according to Mr Cowan, super funds are taking risks by making all of their members’ data available to third-party providers.
“They ask us questions around data security throughout the year, and we do present to the boards of these super funds just to give them awareness of what they should be asking us,” Mr Cowan said.
However, super funds are probably accumulating lots of data inadvertently, which makes them vulnerable to “someone trying to extract that data or effectively trying to use it against them”.
“So extortion is on the risk radar for super funds as well as [Link Group],” Mr Cowan said.
“Where is the data going, and is that data protected? Because ultimately we’re all on the hook. If something goes wrong, the super funds will be reputationally damaged, we will be reputationally damaged and the industry will be reputationally damaged.”
Super funds are sharing their members’ data with other organisations multiple times over, both in the cloud and via outsourcing arrangements, the chief security and technology officer said.
“What they are really trying to do is to get more output from the raw data to aid their strategy, but at the same time they probably haven’t thought about the risk and control mechanisms that need to be put in place to protect that data,” Mr Cowan said.
Adding to the concerns for super funds, he said, they will fall under the mandatory data breach notification laws that come into effect in Australia on 22 February 2018.
“That means that if there is any serious harm to an individual, that needs to be reported to the Information Commissioner’s Office within 30 days,” Mr Cowan said.
“Super funds fall under it because of the personal information that they store, collect, use and disclose.
“They can’t outsource that responsibility to other organisations. But equally, their supply chain will be involved in any disclosure as well.
“That’s going to be a game changer for Australia because, to date, all of the data breaches and all of the media has been about US organisations.”