Shelley Banton, head of technical at ASF Audits, said cyber resilience is most effective as a shared responsibility between all parties.
“In the wake of recent cyber attacks on APRA-regulated funds, it would be naïve to assume that cyber criminals would ignore SMSFs with $1 trillion in total assets,” Banton said.
“Key statistics from the National Anti-Scam Centre show over $134 million in losses between 1 January and 30 June 2024. Most importantly, people aged 55 and over accounted for 47.6 per cent of those losses.”
With 38 per cent of all SMSF members in retirement as of June 2024, SMSFs remain vulnerable to hackers who would readily take advantage of the technologically challenged in this cohort.
“As a result, SMSFs remain high on the ATOs and ASICs watchlist to ensure they stay protected,” Banton said.
Although there are no regulations around security in the Superannuation Industry (Supervision) Act, the operating standards under s52 of the act charge trustees to perform their “duties and exercise powers in the best financial interests of the beneficiaries”.
“The rules also say trustees should use a level of care, skill and diligence that a careful and responsible trustee would use for fund investments,” Banton said.
“Where trustees are not employing security measures to their fullest extent, are they acting in the best interests of the members? Could this open the door to potential litigation in line with s55 SIS if the fund incurred a financial loss and there was a dispute, divorce or disagreement?”
The recommendation from the Australian Cyber Security Centre is that trustees use multi-factor authentication and suggests that using more factors, not just the standard two, distinguishes legitimate users from hackers.
Banton said there are two components to SMSFs being cyber resilient: direct and indirect risk management.
“Trustees have direct control over investment accounts they have access to, such as bank and brokerage accounts. Enabling MFA will ensure maximum security and be the first line of defence against hackers.”
“In a B2B context, partnering with SMSF professionals who use best-practice control technologies when storing member information is the second.”
Furthermore, she said, as some high-risk investments are more prone to fraud than others, trustees must set in place sophisticated security measures to ensure the recoverability and safety of their members’ retirement savings.
“A sock drawer no longer cuts it. Cryptocurrency and digital assets attract criminal activity because they are not classified as financial products. SMSFs can be exploited through illegal operations resulting in phishing scams, theft and collapsed crypto trading platforms,” she added.
“The best practice is for an SMSF to use a crypto exchange with an AFSL licence, which complies with AUSTRAC-regulated AML/CTF legislation and has a sound reputation.”
Additionally, the security of other investments, such as overseas assets, unlisted entities and property, also comes with its share of problems.
“An unsolicited offer of an investment with high returns, encouraging early withdrawals and requesting high-level personal details are red flags,” Banton added.
“While SMSF financial losses are bad enough, identity theft is often a worse outcome, with members experiencing personal financial ruin, credit issues and emotional distress.”
There are a number of steps SMSF trustees could take to protect their funds, including avoiding clicking on account sign-in hyperlinks received from SMS or emails and never sharing MFA codes or approving unknown sign-in attempts.
Banton suggested that trustees also regularly update their computer software and research websites before making any online payments, as well as reviewing email addresses, bank statements and recipients of money beforehand.
“There is no doubt that consistent vigilance is essential to protect SMSFs from cyberattacks and to maintain the integrity of the SMSF industry through strict security measures such as MFA, not sock drawers.”
