Cybersecurity for superannuation funds: Minimizing risk


Monday, August 16, 2021 | By Shaun McKenna, Senior Director
The business world is experiencing increasing occurrences of phishing and cyber-attacks. Australian superannuation funds, as particularly vulnerable targets, must prioritize cybersecurity measures and policies to anticipate and prevent potential threats.

Why are superannuation funds so attractive to cybercriminals?

There are a number of reasons super funds are particularly attractive targets for cybercriminals. The first and most obvious reason is that these funds are a lucrative target, with some $2.9 trillion in funds under management; as a result, member accounts are generally larger than individual bank accounts.

The second asset that makes these funds attractive is the personally identifiable information (PII) they hold, the sale of which can be extremely lucrative on the dark web.

In addition to the actual value of super fund assets, the unique characteristics of this style of fund also make them extremely vulnerable to the threat of a cyberattack.

  • Super fund members are less likely to monitor their superannuation accounts compared to, for example, a transactional banking account. As a result, members are less likely to notice and report unusual account activity.
  • The superannuation industry is made up of a complex and interconnected ecosystem of vendor and third-party providers. These range from payroll providers, financial planners, custodians and administrators right through to investment managers. With so many parties, it is harder to contain a security breach.
  • The superannuation industry, to date, has not enjoyed the same level of investment in cyber risk mitigation as the banking industry.

The most common type of attack

Business email compromise (BEC) is the most common type of cyberattack. In this type of attack, employees are sent an email designed to trick them into clicking links that install malware or into revealing sensitive information, allowing attackers to access a fund’s network. Employee device compromise presents a similar risk: an employee’s device is lost or stolen after the employee has used it to access a fund’s systems.

Ransomware attacks are another threat, in which an attacker demands ransom after shutting down critical operations.

The many factors at play make it difficult to determine the cost of any given cyberattack. Each attack carries direct and indirect losses (cost of repairs, investigation, software replacement and client notifications), and of course, there is the incalculable cost of reputational damage.

The risk of a security breach is best mitigated before an attack occurs, so super funds, their service providers, vendors and other third parties need to take action now. Training and education can help employees recognize phishing emails, and funds should enact policies regarding employees’ use of personal devices for business purposes. In addition, funds should perform due diligence, on an ongoing basis, to vet the cybersecurity measures of all parties whose systems interact with the fund.

As we see cybercriminals becoming more sophisticated and better organized, SS&C has invested heavily in security measures. Our view is “being prepared is half the victory.”

Download our “Cybersecurity Issues for Superannuation Funds” whitepaper to learn more about how super funds can mitigate the risk of cybersecurity threats.
