The SMSF Association has called on trustees and advisers in the $1 trillion sector to “remain alert and proactive” after major super funds disclosed cyberattacks.
The Insignia Financial-owned MLC Expand platform, along with industry funds AustralianSuper, Australian Retirement Trust, Hostplus and Rest was breached in a co-ordinated cyberattack last week.
In a media statement on Tuesday, SMSF Association chief executive Peter Burgess said they were not aware of any SMSFs being targeted in the attacks.
“Cybersecurity is not just a technology issue – it’s a trustee responsibility,” Burgess said.
“By staying informed and being proactive, SMSF members can play an important part in reducing their exposure to cyber threats.”
AustralianSuper disclosed that $500,000 in total money across five members had been stolen.
Cbus has also disclosed it has reported to APRA an “unusually high” spike in log-in attempts, but this occurred several days after the cyberattack that impacted other super funds and it was not clear if this was related.
“At this stage of our inquiries, there is no evidence that any financial losses have occurred for Cbus members,” the fund said in a statement.
“Out of an abundance of caution, the fund is investigating a small number of accounts that may have been impacted including accounts where multi-factor authentication was triggered in the hours before and after the spike event. These accounts were pro-actively deactivated, and the members are being contacted.”
Super Consumer Australia described the attack as “unsettling” and criticised the Association of Superannuation Funds of Australia for re-buffing calls from the regulator to address the cyber–risk of super funds.
Xavier O’Halloran, CEO of the consumer advocacy group, further criticised the response from the association days later accusing it of having its head in the sand.
“They were aware of the problems,” O’Halloran told Professional Planner on Monday.
“They were aware of the vulnerabilities. They’d had it raised multiple times, and all they’ve done is introduce a communications channel.”
SCA also called on the government to include super funds in the government’s Scams Prevention Framework, which currently targets banks, telecommunications providers and digital platforms who are at risk of fines worth up to $50 million, as well as expedite the creation of mandatory member service standards.
Burgess said the cyber risks faced by SMSFs are different to its APRA-regulated peers given the decentralised nature of the investment vehicle, which would require targeting individual bank accounts.
“To protect retirement savings, SMSF trustees must also take personal responsibility for cyber hygiene and remain vigilant,” Burgess said.
“This includes changing your password regularly, enabling multi-factor authentication on all accounts and learning how to identify and avoid scams.”
Similar recommendations were made last year at the Professional Planner Licensee Summit which heard advice against sharing passwords and using minimal software can help to mitigate cyber risk.
“Cyber is the grudge purchase, right until it blows up in your face,” Vital Business Partners CEO Nathan Jacobsen said at the event.
The advice profession was hit with a major cyber–related scandal just a few years ago, with the Federal Court finding RI Advice breached licensee obligations after client data was stolen from an advice practice in its network and compromised.
