Super Consumers Australia chief executive Xavier O’Halloran believes the cyberattack that hit major super funds on Friday is “a failure” by the Association of Superannuation Funds of Australia.
ASX-listed Insignia Financial’s MLC Expand platform, along with industry funds AustralianSuper, Australian Retirement Trust, Rest and Hostplus, had been hit with a cyberattack, with four AustralianSuper members losing a collective $500,000 in retirement savings.
O’Halloran took to LinkedIn on the weekend, revealing how the consumer group had audited the super funds and warned “lobbyists” ASFA, Super Members Council and the Financial Services Council of these vulnerabilities in 2023.
While O’Halloran conceded the FSC had agreed to take coordinated action by rolling out a mandatory standard to assist with the rollout of improved multifactor authentication across its member funds, the call was rejected by ASFA and the SMC.
“They were aware of the problems,” O’Halloran tells Professional Planner.
“They were aware of the vulnerabilities. They’d had it raised multiple times, and all they’ve done is introduce a communications channel.”
In January, the corporate regulator wrote to trustees to warn them they needed to bolster their “anti-scam practices or risk exposing members to harm”.
This was rebuffed by ASFA with CEO Mary Delahunty claiming that ASIC’s letter to the trustees “seemingly ignores the super sector’s proactive measures to tackle these rare super scams” and that “the work of super funds and their services providers is effective” in combatting these scams.
O’Halloran says this was a hubristic statement and confirms he has not received a response from ASFA regarding his view that the association should have done much more to prevent a possible cyberattack.
‘Highest priority’
In response to the criticism from the consumer group, ASFA says protecting super from cybercrime is their “highest priority”.
“ASFA’s member funds from the retail, industry, public-sector and corporate sectors, as well as their critical service providers, have been working together over a number of years to stay ahead of ever evolving cyber-threats,” a spokesperson says.
The association says this is through two main pieces of work: the ASFA Better Practice Guidance, which includes recommendations for multi-factor authorisation at multiple points of member interaction, and the ASFA Financial Crimes Protection Unit, an initiative to increase the super sector’s defences.
The association also says it has been engaged in government consultations about strengthening cyber security protection laws.
SMC declined to comment, instead referring to ASFA’s “co-ordinated industry response” on the attack.
Series of failings
The cyberattack is the latest in a series of crises facing the superannuation sector, particularly for industry funds, with a recent ASIC report into death benefits claims handling revealing the depth of the issues plaguing funds.
The regulator had sued both AustralianSuper and Cbus for failures in processing death benefits and insurance claims, with AustralianSuper previously taken to court by ASIC for failing to merge duplicate member accounts.
In January, the Labor government announced a crackdown on poor member services in the super sector with the release of mandatory member standards.
“This is on the back of a number of really high-profile customer service failures, including the Cbus death benefits enforcement action late last year, the AustralianSuper story and an increase in dissatisfaction,” O’Halloran says.
O’Halloran urged the government to expedite adding superannuation to the Scams Prevention Framework, as well as implementing the mandatory service standards regime following Friday’s cyberattack.
He says the cyberattack will send a warning to the super funds and lobbyists, who did not have the security in place to sufficiently protect their members.
“The attention and spotlight and reputational damage that this is going to cause, and the customer service failures that flowed from people trying to contact their fund to find out if their money is secure is bound to send a clear message that the funds need to be properly investing in their cyber security, scam prevention, [and] fraud prevention measures.”
O’Halloran said despite the financial impact being low relative to the entire super system, it will “undoubtedly” be the catalyst that encourages the industry to take collective action.