“Securing endpoints and ensuring integrity of credentials is a big challenge not only for the superannuation industry but all financial services providers.”
As overseer of Australia’s Superannuation Transaction Network (STN) – the financial messaging service that underpins data-sharing between employers, superannuation funds, and the Australian Tax Office – the Gateway Network Governance Body (GNGB) is charged with maintaining a critical, but perhaps lesser-known, data exchange artery within the financial services ecosystem.
FST speaks with Michelle Bower, Executive Officer at the GNGB, on her most feared cyber threats, the STN’s security roadmap, and the logistical challenges of managing the government’s early super withdrawal scheme during the height of the Covid crisis.
FST Media: As a foremost thought leader in the FSI security space, what cyber threat keeps you up at night?
Bower: We have seen a lot of activity involving ransomware recently targeting industry and infrastructure providers. This is a good impetus to ensure endpoint security and the basics are done well. As with any risk, however, the identification and communication of threats is key to managing the impact – I have a high degree of confidence in the Superannuation Transaction Network in those areas, but we need to ensure that we keep working together to evolve as the criminals evolve.
FST Media: Take us through the work of the Gateway Network Governance Body and its efforts to uphold the integrity and security of Australia’s Superannuation Transaction Network (STN). What are your key priorities over the next 12 months?
Bower: Cybersecurity is our main focus and we have a long roadmap of activity planned to ensure the security of the STN. This includes:
- Improved threat sharing within the STN and working with industry and government to expand the communication between stakeholders;
- Benchmarking the information security requirements of the network against known threats and improving our defences appropriately;
- Managing regulatory changes with the introduction of SMSF (self-managed superannuation fund) rollover transactions into the network.
We will also be looking at options to leverage the connectivity of the STN to improve the security of the data supply chain into the network. Approximately 700,000 employers send transactions via the network, which presents an enormous opportunity to assist small to medium businesses with cyber awareness and risk management. This is critically important, as we are only as strong as our weakest link.
FST Media: Covid-19 and the subsequent early release of superannuation funds saw an explosion of cyber trickery targeting unsuspecting consumers and employees alike. How do you feel superannuation companies – and financial firms more broadly – can do a better job at protecting both customers and employees from cyber fraud?
Bower: Securing endpoints and ensuring the integrity of credentials is a big challenge not only for the superannuation industry but all financial services providers. Funds that are trusted by their membership base have a very powerful opportunity to raise awareness of the data security issues facing members and help members to take steps to ensure their own data safety.
Security-aware members can contribute to the overall security of the industry. Consider how a tagline in an email or a call centre script can insert security into day-to-day interactions – how can funds identify and then quickly inform their members about such frauds? Information security needs to become a capability all consumers have in their kit bag – just like understanding the benefits of washing our hands or social distancing. This is where we need to get to.
FST Media: Operating in today’s hyper-connected business context with complex digital supply chains, what can FSIs do to optimise capabilities to address security blind spots and vulnerabilities?
Bower: Organisations need to understand their specific risks thoroughly and direct resourcing and/or funding accordingly. The other important consideration is the sourcing model for these capabilities. Unless there is an ability to make a significant ongoing commitment, organisations may be better off sourcing external assistance to manage their security environments.
FST Media: As Australia’s cyber threat environment evolves, how can organisations do a better job at sharing threat intelligence and building collective resilience against bad actors?
Bower: We are getting better at this, led by some industries within Australia as well as overseas that demonstrate the value of collaboration in sharing threat and response information. The evidence shows us that this is a critical part of winning this war. Trust and relationships are the first steps. If you are not doing this, start having conversations with those who are, to learn about what will work for you and add value to your organisation and the broader community. The Joint Cyber Security Centre (JCSC) is a good place to start for organisations looking for general threat information.
FST Media: Regtech developers have promised much in driving improvements to compliance processes, productivity, and even overall safety of FSIs, particularly in the wake of Hayne. How much stock do you take in regtech to support core business objectives, and are you confident these technologies can significantly improve super providers’ existing governance processes?
Bower: Regtech solutions can be an effective component of a governance framework; however, they are only a tool. Effective governance and compliance oversight require an understanding of the material risks and how they are treated. The regulator needs to have confidence in the organisation to make the decisions they would want them to make, whether internally or with third parties. We don’t live in an ideal world, but having that understanding at least directs focus, and requires much more than a tick-the-box approach.
FST Media: Finally, what is the best career advice you’ve received and how have you sought to put this into practice?
Bower: Someone once told me to enter into conversations to understand before seeking to be understood – understanding other perspectives not only keeps it interesting but it has helped me to navigate some difficult stakeholder relationships.