
Resilience under fire: five cyber risk considerations for superannuation boards after the industry-wide breach

The superannuation industry, entrusted with safeguarding the retirement futures of millions of Australians, operates on a foundation of fiduciary duty, trust and security. When a major cyber event impacts the sector – especially one that affects multiple funds simultaneously, as we saw on Friday – it sends shockwaves through members, regulators, and stakeholders alike. In such moments, the spotlight turns to Boards and Executives to respond with speed, integrity, and a clear-eyed view of their obligations to members as they navigate the risks now redefined by the breach.
Below are key considerations for Boards and Executives navigating the aftermath of a widespread cyber incident, including lessons learned, immediate actions, and longer-term risk and governance implications.
A trustee of a superannuation fund will of course also need to carefully consider its regulatory compliance position in the context of cyber risk and security. This will include an assessment of its compliance with its Australian Financial Services Licence and Registrable Superannuation Entity licence conditions, but also, as noted above, its general law and fiduciary obligations, as we are seeing in ASIC's ongoing scrutiny of AFS licensees' cybersecurity systems in its recent action against FIIG Securities.
1. A systemic shock requiring action: not just a technology problem
An industry-wide cyber event is not a one-off IT failure; it's a systemic crisis that tests the resilience of the entire superannuation ecosystem – administrators, custodians, insurers, regulators, and digital platforms. These incidents often exploit common vulnerabilities: third-party dependencies, outdated authentication protocols, weaknesses in risk management, and fragmented data governance.
In response, to the extent not already actioned, Boards must elevate cyber risk from a technical issue to a strategic risk. This shift requires meaningful engagement beyond metrics and dashboards – understanding not just what happened, but why it was possible in the first place.
Board action: Initiate a post-incident review (even if their funds have not been directly impacted by the breach) that considers systemic vulnerabilities, interdependencies across the superannuation value chain, and blind spots in current risk management frameworks.
2. Rebuilding trust: the reputational and regulatory lens
Member trust is fragile, particularly when members' funds or sensitive personal and financial information are compromised. Even if a superannuation trustee has not itself breached any particular requirements or directly experienced a cyber-attack, association with the industry-wide event can raise questions about preparedness and transparency. The industry is built on trust, as we saw in the banking sector, and public sentiment can have far-reaching impacts.
Regulators – particularly APRA, ASIC, and the OAIC – often intensify scrutiny following such events. The Cyber Security Strategy 2023–2030 and CPS 230 reforms, along with APRA's existing CPS 234 requirements, have already signalled a tightening of expectations around operational risk and cyber security.
Board action: Review crisis communication protocols. Was the response timely, empathetic, and clear? Was the regulator notified appropriately? Consider appointing a cyber incident response committee at the Board level to ensure coordinated oversight.
3. Member-centric risk management
Super funds are custodians of members’ lifelong savings and identity data. The member experience during and after a cyber incident – ranging from communication clarity to fraud response and access to support – can significantly influence long-term loyalty.
Cyber risk management must be deeply embedded into the member value proposition. This includes secure identity verification processes, fraud detection, multi-factor authentication, and the ethical use of data.
Executive priority: Map the member journey during a cyber incident and invest in proactive support mechanisms. Consider appointing a Chief Member Risk Officer or expanding their mandate to explicitly include member data risk and cyber trust. Review the organisation's approach to cyber risk in the context of its Risk Management Framework.
4. Cyber hygiene and third-party risk management
Many superannuation funds rely on third-party administrators, cloud platforms, and software vendors to process contributions, manage accounts, and interact with members. These dependencies increase operational efficiency but also expose funds to risks beyond their direct control.
After an industry breach, there is often a realisation that vendor management practices were too transactional, with limited visibility into subcontractors’ controls or cyber maturity.
Executive priority: Reassess third-party due diligence. Evaluate the potential risk of a cyber event or security failure, which may result in data breaches, financial loss, and clients being unable to access their accounts. This involves identifying vendors that hold sensitive data, reviewing their security frameworks (e.g. ISO 27001, NIST, Essential 8), and ensuring contracts include cyber liability, incident notification obligations, and audit rights.
5. Board readiness and scenario testing
While many Boards receive regular cyber risk updates, these are often backward-looking and compliance-driven. In the wake of a major breach, Boards should consider whether they are truly prepared to govern through a cyber crisis.
Tabletop exercises, incident simulations, and red team scenarios tailored to the superannuation context can reveal gaps in decision-making, escalation paths, and board engagement.
Board action: Commission a cyber resilience review, including realistic simulation exercises involving directors and senior executives to identify structural or cultural considerations that may come into play in a cyber event or attack, and build "lessons learnt" scenarios to make responses smoother in a real incident. These exercises should test not only the technical response but also the legal, reputational, and financial implications.