- Superannuation Security
- Cyber Threat Intelligence
- Financial Crime Prevention
Australia's $4.3 trillion superannuation sector faces mounting cyber threats. Industry funds must urgently improve real-time intelligence sharing to protect member savings from sophisticated scammers and hackers.
The Urgent Need for Enhanced Cybersecurity in Superannuation
Australia's superannuation industry manages a staggering $4.3 trillion in retirement savings, yet the sector's approach to cybersecurity and scam prevention has proven inadequate in the face of increasingly sophisticated criminal operations. Whilst industry leaders are making appropriate commitments to strengthening cyber defences and creating more robust protective systems, the true measure of success will be demonstrated through concrete actions rather than public statements. The sector must now execute a comprehensive and unified strategy for sharing detailed real-time intelligence and data among funds, ensuring that each organisation remains alert to emerging cyber-hacking and scam risks that threaten member savings.
The implementation of this intelligence-sharing framework must proceed at an accelerated pace to adequately protect members and safeguard their retirement savings. Equally critical is the requirement that any data shared among funds remains secure, reliable and actionable. The overarching objective is to prevent and halt the type of coordinated criminal activity that possesses the potential to paralyse an entire financial sector. The stakes could not be higher, as demonstrated by the more than two billion dollars reported lost to scams throughout 2024 alone, alongside the reputational damage and operational disruption that accompanies successful cyber attacks.
Wake-Up Call for the Superannuation Sector
The superannuation industry received an unmistakable warning in April when retirees suffered significant losses at the hands of criminals, exposing the vulnerabilities present within the nation's retirement savings infrastructure. The incident made abundantly clear that the sector had been falling well short of best practice standards for remaining alert, prepared and responsive to active cyber threats. The potential for far greater damage existed, and only fortuitous circumstances prevented a more catastrophic outcome.
The incident raises a fundamental question about industry preparedness. How is it possible that a sector overseeing trillions of dollars in retirement savings required a major security incident to awaken its leadership to these risks? The warning signs had been present for years. In 2022, hackers stole Medibank credentials from a third-party employee's personal device through malware, demonstrating the vulnerability of even well-established organisations. That same year, Optus suffered a high-profile data breach that exposed the personal details of more than nine million Australians. The following year, intellectual property group IPH discovered unauthorised access to portions of its technology environment.
More recently, Qantas has been dealing with the fallout from a customer data breach affecting millions of customers. The publication of Qantas customer information formed part of a ransom demand from the cybercriminal group Scattered LAPSUS$ Hunters, which targeted approximately forty global businesses utilising Salesforce, including major corporations such as Toyota, Disney and McDonald's. Internationally, the London-based retail giant Marks and Spencer experienced a massive cyberattack involving ransomware deployment that forced the shutdown of its online store for more than six weeks. These incidents collectively demonstrate that cyber threats are neither hypothetical nor distant concerns but rather present and ongoing dangers.
The Superannuation Sector as a Prime Target
Gary Gill, head of investigations at Kroll Australia, characterises the superannuation sector as representing a substantial honeypot to cybercriminals who continuously search for vulnerable points to exploit. The criminals have clearly identified that substantial wealth is concentrated within the system and are working intensively to access it. Gill emphasises that the superannuation industry cannot afford complacency or assume that existing measures are sufficient. Funds must also substantially increase awareness among their members regarding potential threats and protective measures.
These observations carry particular weight given the current threat landscape. Microsoft's national security officer, Mark Anderson, notes that the risks facing organisations are evolving rapidly, particularly with the rise in criminals gaining access to employee or customer credentials through sophisticated means. Anderson highlights that attackers are increasingly signing in rather than breaking in, utilising password spray attacks or leveraging credentials stolen from other sources and purchased on the dark web. Microsoft processes more than one hundred trillion security signals daily across its customers, partners and platforms, providing the company with comprehensive insights into emerging cyber risks and threats on a global scale.
Learning from the Australian Financial Crimes Exchange
The Association of Superannuation Funds of Australia has appropriately identified the need for a more robust intelligence-sharing platform and is examining the operation of the Australian Financial Crimes Exchange and its secure portal as a potential model. Industry participants consulted indicate that the exchange is broadly functioning effectively in its current form. Established in 2016, the major banks now derive combined annual benefits estimated at approximately fifty million dollars from their participation in the exchange, though the precise breakdown between prevented financial losses and recovered funds remains unclear.
Whilst the exchange facilitates real-time information sharing on highly actionable scam intelligence, participating institutions take varied approaches to data when the intelligence is less immediately obvious or actionable. A senior banker, speaking on condition of anonymity, identifies that the greatest risk almost invariably involves a human element in the process, whether through non-compliance with established policy or honest mistakes made by staff members. Financial institutions also recognise that the increasing prevalence of real-time payment systems will make stopping fund transfers or retrieving money from hackers and scammers progressively more difficult.
In a submission filed ahead of the federal government advancing the new Scams Prevention Framework, Commonwealth Bank disclosed making more than five thousand nine hundred entries to the intelligence loop from April 2024 onwards. More than half of these entries related to content from Meta's platforms, with additional entries including scam phone numbers and web addresses requiring blocking or removal. The exchange's establishment costs were primarily funded by the major banks, with subscription fees charged to other members proportionate to their size and anticipated data requirements.
Expanding Membership and Government Involvement
Whilst telecommunications provider Optus maintains membership in the exchange, its competitors TPG and Telstra should give serious consideration to full membership. TPG currently participates in the data loop but has not become a fully-fledged member of the exchange, a distinction that may limit the effectiveness of information sharing. The federal government joined the exchange in June of last year, with the Australian Taxation Office becoming the first government agency to achieve full membership the following month.
The Scams Prevention Framework, which legislates stricter obligations on entities to prevent and stop scams and permits fines reaching fifty million dollars, received legislative approval in February. However, critical details regarding its implementation continue to be finalised. On these matters, industry and government must unite in coordinated efforts to make Australia as impenetrable as possible to cybercriminal operations. The government has already taken several significant steps, including establishing the National Anti-Scam Centre and increasing funding for the Australian Financial Complaints Authority, which has assumed responsibility for scam complaints. Social media corporations and telecommunications companies have been mandated to become members of the dispute resolution body and have become subject to a levy.
The Escalating Challenge and Path Forward
Despite government and industry efforts, the scale of the challenge remains substantial. Just over two billion dollars was reported lost to scams in 2024, and whilst this figure represents a decline of almost twenty-six per cent from the previous year, it remains extraordinarily high. Recent data from the Australian Signals Directorate's cybersecurity centre showed responses to one thousand two hundred incidents in 2024-25, representing an eleven per cent increase over the previous year and including two attacks classified as extensive compromises of either an unnamed federal government agency or critical infrastructure.
These figures should galvanise the superannuation sector into decisive action. Intelligence sharing represents a vital component of defending member retirement savings and should form a key element of broader defence strategies by individual funds and the sector collectively. The continual advancement of artificial intelligence applications simultaneously bolsters the tools available to cybercriminals, enabling the generation of convincing photographs, videos and content. David Higgins, technology chief at security and fraud prevention firm Eftsure, notes that criminals are leveraging artificial intelligence for increasingly polished approaches to their activities and constantly evolving their methods. People may remain unaware of more sophisticated scams emerging today and tomorrow, creating an unfair advantage for criminals. Just when individuals believe they understand necessary protective measures, new threats emerge.
Microsoft's Anderson characterises the relationship between government and businesses in Australia regarding cyber threats as highly collegiate, reflecting genuine trust between parties. He observes that company boards throughout Australia are demonstrating increased alertness to these threats, noting that if any positive outcomes emerged from the significant security breaches experienced in recent years, they brought these issues to board-level attention. The responsibility now rests with the superannuation sector to determine the optimal approach to intelligence sharing for member protection. This determination must emerge through informed debate and collaborative problem-solving rather than internal disputes and competitive point-scoring. The protection of member savings demands nothing less than unified, decisive action.