Credential stuffing attacks have heightened cyber risks in the super sector, prompting regulators to demand stronger identity protections to safeguard members’ retirement savings.
Following a series of credential stuffing attacks in April – a technique in which attackers take username and password pairs leaked from unrelated breaches and test them in bulk against a fund’s login page, relying on members reusing passwords – regulators have warned that funds must urgently lift their security standards to protect members’ savings.
Since then, the Australian Prudential Regulation Authority (APRA) has directed super funds to address longstanding weaknesses in information security and authentication controls.
According to Ashley Diffey, vice-president, Australia and New Zealand at Ping Identity, these attacks have demonstrated the scale of the sector’s challenge as digital engagement rises.
“Rapid growth of member engagement has caught parts of the sector off-guard, or at least without the capacity to enable secure self-service of the influx of requests,” Diffey said.
He noted that an ageing population is drawing down funds, while Tax Office campaigns have encouraged younger Australians to check their super more frequently.
Further complicating the task for super funds has been digital transformation. With an estimated $4.3 trillion under management, funds are still in the process of modernising systems, all while the threat of cyber attacks has increased.
“It’s not just member experience that is driving transformation; cyber security is also an important consideration and investment driver,” Diffey said. “After the credential stuffing attacks, the focus on security has become even more urgent.”
Diffey pointed to the banks, which have been the focus of cyber regulation for some time and have as a result been pushed to adopt protections that go well beyond those found elsewhere.
“Who does identity security right today? I am quick to cite the banks,” Diffey said.
“They’ve got the nation’s wealth in their hands, they’ve got the ability to invest, they’ve got good teams and experts inside their business, and they engage the right people to come in and advise and help them build, architect and deliver really meaningful outcomes.”
He added that APRA’s close oversight has compelled banks to implement solutions that are “quite literally world-class” and said that an equivalent uplift in superannuation is both achievable and necessary, particularly as stolen credentials remain a favoured attack method.
According to Diffey, best practice for super funds would involve adopting verifiable credentials, such as Apple’s ID in Wallet, combined with attribute-based access controls to govern what members can do once logged in.
“Rather than requiring users to have a separate identity for every service they use or organisation with which they engage, they can use one credential to access everything,” he said.
Adoption of verifiable credentials would also reduce the need for funds to collect and store identity data, thereby limiting their exposure to breaches.
Identity and access management platforms, Diffey said, can provide the connective thread for authentication across the member journey with minimal friction but maximum security.
“These platforms can also help implement attribute-based access controls, monitoring how members interact with digital services and issuing additional challenges when anomalous behaviour is detected,” he added.
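The article describes two mechanisms without showing them: the bulk testing of leaked credentials that characterises credential stuffing, and a platform that watches member behaviour and issues an extra challenge when something looks anomalous. The following is an added example, written for this page and not code from Ping Identity, APRA or any fund, showing how a detection rule for the first can feed a step-up decision for the second. The log format (timestamp, source IP, username, outcome), the thresholds, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (assumed log field)
    src_ip: str      # client address as seen by the login endpoint
    username: str
    success: bool


# Constructed sample events, not real logs. Three behaviours:
#  - 203.0.113.7 cycles through 30 distinct accounts in about a minute and
#    only two attempts succeed: the classic stuffing signature.
#  - 198.51.100.9 is one member who mistypes a password once, then succeeds.
#  - 192.0.2.10 is a busy office NAT: many users, many logins, almost all succeed.
SAMPLE_EVENTS = (
    [LoginEvent(1000 + i * 2, "203.0.113.7", f"member{i:03d}", i in (4, 17)) for i in range(30)]
    + [LoginEvent(1100, "198.51.100.9", "alice", False),
       LoginEvent(1130, "198.51.100.9", "alice", True)]
    + [LoginEvent(1000 + i * 3, "192.0.2.10", f"staff{i:02d}", i != 5) for i in range(25)]
)


def detect_stuffing(events, window=300, min_attempts=20,
                    min_distinct_users=10, max_success_ratio=0.2):
    """Flag source IPs that, within any sliding window, attempt many logins
    across many distinct accounts with a low success rate.

    Volume alone is not enough (a shared NAT is high volume too); the
    combination of many distinct usernames and a low success ratio is what
    separates stuffing from legitimate traffic. Thresholds are assumed values.
    Returns {src_ip: stats for the first window that matched}.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window` seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            successes = sum(e.success for e in win)
            if (len(win) >= min_attempts
                    and len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_ratio):
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "successes": successes, "window_start": evs[start].ts}
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts whose password was accepted from a flagged IP: these are the
    credentials the attacker has confirmed as valid and should be reset."""
    return {e.username for e in events if e.success and e.src_ip in flagged}


def authorise(event, flagged):
    """Decision hook for a successful password check: 'step_up' forces an
    additional challenge (e.g. a second factor) when the source IP is flagged,
    instead of letting a correct-but-stolen password through on its own."""
    if not event.success:
        return "reject"
    if event.src_ip in flagged:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_EVENTS)
    print("flagged sources:", hits)
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_EVENTS, hits)))
    for e in SAMPLE_EVENTS:
        if e.success:
            print(e.src_ip, e.username, "->", authorise(e, hits))
```

The office-NAT case is included deliberately: a rule keyed only on attempt count would block a legitimate shared address, which is why the success ratio and distinct-user count are part of the condition. In practice the flagged set would be fed back into the login flow in real time rather than computed over a batch, and the two accounts that authenticated successfully from the flagged address would be treated as compromised regardless of whether the attacker got past any subsequent challenge.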
Diffey stressed that super funds have had a “serious scare” and are “under regulatory guidance to act”.
“An identity and access management platform is a key foundational element of the response,” Diffey said.