Phishing and cyber-attacks are increasingly common in the business world. Funds are particularly vulnerable and need to prioritize cybersecurity policies to get in front of any potential threats. Australian superannuation funds make especially attractive targets for cybercriminals because of the value that can be obtained. There’s the obvious value of the actual fund assets, but the sale of personally identifiable information (PII) can be just as lucrative on the dark web.
The most common type of attack is business email compromise (BEC), where employees are duped into divulging sensitive information or clicking links that unleash malware, giving attackers access to a fund’s network. Employee device compromise can happen when a device is lost or stolen, particularly when that device is a personal device that an employee uses to access a fund’s systems. Ransomware attacks are another threat: a ransomware attacker shuts down critical operations to demand payment.
It’s incredibly difficult to assess the cost of any given cyber attack because there are so many factors at play. If thieves succeed in accessing fund accounts or if a ransom is paid, there is obviously direct financial loss. But any attack carries indirect losses such as the cost of repairs, investigation, hardware and software replacement, and client notifications. There may also be regulatory fines and legal fees, as well as incalculable reputational damage.
Funds—as well as their service providers, vendors and other third parties—must take action to minimize the risk of a security breach before an attack occurs. Employees should be trained and educated to recognize phishing emails, and funds should have policies surrounding the use of personal devices for business purposes. It is very important that funds perform due diligence to continually vet the cybersecurity measures of all parties whose systems interact with the fund. SS&C has invested heavily in security measures. We also partner with an industry-leading provider of email protection solutions to flag and block suspicious emails.