Superannuation fund providers are approaching the deadline for increased security controls, presenting an opportunity for security provider partners to step in and assist, according to Interactive chief information security officer Fred Thiele.
Thiele said superannuation funds, which are responsible for over $4 trillion, have been subject to a spate of credential stuffing, and last month, chair of the Australian Prudential Regulation Authority (APRA) Margaret Cole sent a letter to super fund providers pushing them to roll out multi-factor authentication (MFA) before the end of August.
In the letter, Cole wrote “APRA expects all trustees - regardless of size - to treat this matter with the urgency and priority it demands, in line with the risks they manage and their duty to protect member interests.”
While MFA is a simple preventative measure against the attack, Thiele said some funds have been reluctant to roll it out.
“Any amount of security that you add to a system reduces the usability of that system, and with super funds, not everybody is technical who uses the portal to log in,” he said.
“In essence, what the super funds or anybody else who's using MFA in a business to consumer fashion is trying to do is trade off the usability of that portal versus how many calls are they going to get in their call center because somebody can't log in with MFA.”
However, APRA's threat of fines or supervisory interventions could tilt the scales toward more prudence, providing security partners with an opportunity to encourage customers to lift their security posture overall.
Thiele pointed out that once an attack vector is found, such as lacking MFA, it will become the target for a lot of similar attacks, especially in industries where large sums of money are held.
“Bad guys go where the money is and the money is in super funds and banks and insurance companies,” he explained to techpartner.news.
“Any way to take advantage or defraud those companies, that's where the target's going to be, and that's probably why we've seen quite a bit of uptick in super funds.
“If you feed the wildlife, then they come back for more.”
He added that partners should be working with these customers to identify key risks, particularly around regulatory compliance.
“It comes back to a risk-based approach and, especially with the regulations, it's how the customer is interpreting their threat and their risk, and what it is that they need to do to reduce that risk to comply with regulations,” he said.
However, because regulations can be “open to interpretation”, partners should also be specific about what they are delivering, especially if a customer is choosing not to implement a recommended solution.
“If a customer refuses to do those things, then how do you absolve yourself as a service provider from saying, ‘I told them on this date and nobody's listening’? You put it in writing and make sure your customer knows,” he said.
“You deliver what's called a risk letter to a customer and say, ‘We've informed you about this, we had a conversation on this date that said that you're taking this stance, please sign here’, and often that actually gets people to the outcome. They go, ‘oh, well, if you put it that way and I've got to sign my name to something then, then maybe we go and do it’.”