Strengthening Australia’s cyber security regulations and incentives

AIST Submission to Department of Home Affairs

Superannuation trustee directors are acutely aware of the need to appropriately manage cyber security risks within their respective funds. Trustee directors are required, by law, to act in the best financial interest of members. Safeguarding super fund assets from a cyber security incident is consistent with this duty. Similarly, ensuring that a fund’s systems and processes are properly instituted to appropriately respond, manage, and report on cyber security incidents is further consistent with this duty. There is also further obligation for a trustee to act with care, skill and diligence in the operation of a superannuation fund, and part of meeting this is ensuring cyber risk is managed appropriately.

In recognition of this important area of risk, trustee directors who participate in AIST’s Advanced Trustee Director Course are required to undertake a risk module that involves a cyber security component. This module involves a simulation exercise where directors are required to respond to a cyber-attack within a superannuation fund. Exercises such as this ensure that trustee directors are made aware of the impact a cyber-attack may have on a fund and equip them with the practical knowledge and skills to respond to a cyber incident. AIST would welcome collaboration with Home Affairs on this training material to ensure that future directors are supported in their cyber security skills.

Superannuation funds are also required to comply with several prudential standards relevant to cyber security. These regulatory standards include CPS 321 - Outsourcing, CPS 232 – Business Continuity, CPS 234 – Information Security and SPS 220 – Risk Management. Collectively these prudential standards provide a comprehensive framework on how superannuation funds respond to both physical and cyber based security threats.

Download the full submission.