You worked hard for your superannuation. How safe is it?
In recent months, cybercrises have revealed the fragility of IT systems at Medibank, Optus and other large firms. Their exposures should sound alarms about reliability of IT-dependent companies, including the funds, banks, and agents that manage our superannuation balances.
Cybercrime is looming ever larger as a corporate threat, and it is no longer fanciful to consider a scenario where a criminal hacker sets out to extort investment funds that take clients’ monies and record the liabilities on computers. The hacker could demonstrate their capability with a determined attack that destroys one fund’s systems and data storage.
I wondered how well a super fund would stand up to such an attack. My question became: leaving aside market and investment risks, how resilient are super funds against operational risks, that is, losses arising from failed internal controls and processes or from external events? Specifically: how would a super fund determine my balance if its systems were destroyed?
Newly retired, I had motivation to address this question and posed it to three funds where I have investments. These are large, successful industry and retail funds that should be representative of best-in-class.
My start was to log in and check the product disclosure statements. None even contained the phrase ‘operational risk’. Next step was to look for policies, which funds coyly provide under obscure headings such as ‘Disclosures’. These were limited to issues such as privacy and customer security, with nothing on operational risks.
Next step was to use the ‘contact us’ button to ask how I could obtain copies of operational risk management policies covering topics such as internal controls, data protection and records security, asset custody, IT systems and cybersecurity, redemptions during fund wind up, counterparty due diligence and outsourcing.
What I discovered was disappointing. One fund emailed me that policies were confidential; a second advised me verbally that risk policies existed but were scattered across various documents, and a third repeatedly ignored my request.
A final check was regulators’ requirements. APRA has an Information Security Standard (CPS 234) and details of a recent cyber security stocktake on its website, but these relate mainly to theft of personal information. Also, the US National Institute of Standards and Technology has a Cybersecurity Framework, but this is a voluntary, high-level guide.
Should we care that requests for information on risk management only receive hollow assurances or polite brush-offs? Yes, because risk policies do matter. Obviously they comfort investors for whom institutions’ operations are invisible. They also set expectations for staff, and guide self-assessments of risks and controls in each workplace. Good policies are also auditable, so systems’ resilience can be independently validated. This should extend to stress testing through red-team exercises, borrowed from military practice, in which an ‘enemy’ (the red team) attacks the defences and plans to find out whether they actually hold.
Moreover, incorporating checks against operational risks in standard governance channels ensures they are reviewed, breaches reported and appropriate focus brought on defects. Operational risks become actively managed, not glossed over.
Perhaps most importantly, solid risk policies deter hackers. Criminals prefer easy targets, and public evidence that a fund has strong, independently tested controls signals that it is not one, without disclosing any detail an attacker could use.
Risk management properly concentrates on credible threats, but this too often translates into belatedly bolting stable doors. Malicious attacks on economically important IT systems are becoming commonplace, and no company or organisation is immune from the attack it most fears. Funds already detail the risks of investment decisions and markets. Comprehensive operational risk management policies should also be displayed prominently on their websites, flashing like lighthouses to warn hackers off.
To answer my original question, investors should be concerned that super funds refuse to provide reasonable details of how they ensure the security of deposits. Sadly, investors’ only defence is the standard finance strategy of crossing their fingers and diversifying holdings across independent funds.