Fallout from UniSuper’s tech wipeout at the touch of a button

A super fund’s entire system was wiped out at the touch of a button, raising serious questions about the safety of Australia’s retirement system.

UniSuper’s system was down for 10 days after Google Cloud deleted its subscription in error.

A major outage that crippled UniSuper for more than a week has exposed a serious vulnerability in Australia’s retirement system. If a fund’s entire set-up can be wiped out at the touch of a button, just how safe is our super?

The prudential regulator and federal government are surely wondering the same thing following the outage which was caused, if you can believe it, by tech giant Google accidentally deleting UniSuper’s entire subscription on its cloud service.

To be clear, the $125bn UniSuper invests on behalf of its members was not at risk, just the member data, including balances.

Not only were UniSuper’s more than 600,000 members not able to access their accounts, for 10 days they were also unable to switch their investments or make withdrawal requests. The system was back up and running on May 13.

Good thing the outage didn’t occur during a financial crash. Just a few years ago, in March 2020, funds were swamped by members wanting to switch to cash as markets suffered double-digit losses over a matter of days.

It’s all about cost

Super funds have been on a multi-year mission to bring down costs by moving investment teams in-house while outsourcing IT infrastructure.

But the temporary crippling of one of Australia’s mega funds raises questions around the industry’s increasing reliance on external services, according to Monash University professor of cybersecurity Nigel Phair.

“You’ve got these big top-tier multinationals. You’ve got Amazon, Microsoft and, in this case, Google. People go to them because they think they’re buying scale, size, professionalism and security,” Phair tells The Weekend Australian.

“The reality is (Google) deleted – twice – the information of a very, very large corporate. If it wasn’t for UniSuper having a third backup with another provider, I don’t know what they’d do.”

In erasing the subscription, Google knocked out the fail-safe UniSuper had put in place to protect against an outage. The fund had duplicated its data in two different geographies but this was rendered useless when the tech giant hit the delete button.

Google Cloud this month deleted UniSuper’s entire subscription in error. Picture: Ronny Hartmann / AFP

Luckily, a third backstop in place with an additional service provider prevented the data being lost for good. This allowed the system to be restored – though it took more than a week to get everything back online.

All of the major funds have outsourced at least some of their IT operations to these big cloud providers. The problem is, once you’ve done that, it’s near impossible to go back.

“Once that genie’s out of the bottle, the effort required to then go back and build storage infrastructure, and everything around that is too great. Once you’ve outsourced, that’s it, you’re never going to insource,” Phair says.

UniSuper is now conducting a full review of the incident. Other funds are surely also looking at their risk processes and service agreements with cloud providers.

While APRA has been publicly quiet on the issue, saying only that it was “monitoring the situation” through the outage, there’s no doubt the regulator will be turning the screws on funds to up their risk processes.

A new prudential standard coming into effect next year will boost their efforts, with banks, insurers and super funds from mid-2025 required to enhance third-party risk management to guard against what UniSuper has just been through.

“In an environment where one crashed server or ransomware attack can leave potentially millions of Australians without access to funds, the ability to mitigate operational risks is essential for financial stability and community wellbeing,” APRA member Therese McCarthy Hockey said last year of the new standard.

“Information security has too often been seen by boards as a technology risk and not an overall business risk. Rather than leaving cyber resilience to the IT and cybersecurity departments, boards need to become much more tech savvy and alert to how the threats have changed.”

All-hazards approach

Cybersecurity, that is, protecting against malicious attacks, is critical for these big money machines, but an “all-hazards approach” would serve them better, Phair says.

“We talk about someone hacking into data and why you’ve got to have backups and it all has to be encrypted. So we’ve got all these controls. But there’s lots of scenarios that are non-malicious. We genuinely need organisations not to just think about the Russians and Chinese or North Korean hackers, but also about an all-hazards approach.”

The government is acutely aware of the reliance big super has on external providers and looks to be taking a ‘no excuses’ line in its messaging following UniSuper’s outage.

“The Government has made it clear to super funds that they need to lift customer service standards. It may be appropriate to use external services, but members and the government will hold trustees responsible for how they serve their members,” Assistant Treasurer Stephen Jones told The Weekend Australian.

“Funds cannot outsource the responsibility to uphold service standards.”

Assistant Treasurer and Minister for Financial Services, Stephen Jones, says funds need to lift their standards. Picture: NCA NewsWire / Martin Ollman

The government, for its part, is focused on tackling scams at the banks, telcos and social media platforms, leaving the heavy lifting on risk management in the super sector to the regulator.

But targeting scams at the banks and telcos will see scammers move down the chain, heaping even greater pressure on super funds, Jones confirmed this week.

“What we know through the intel we have on criminal behaviour, and the way fraud behaviour works, is once you lock down one sector, it’ll move to another,” Jones said.

“(This is) signalling to the funds industry: don’t wait for the government to update your processes and securities. Once we square this off (with banks, telcos and social media), we will absolutely look to other risk areas within the economy that we need to uplift standards.”

Original URL: https://www.theaustralian.com.au/business/wealth/fallout-from-unisupers-tech-wipeout-at-the-touch-of-a-button/news-story/8756a7713b4a1b0c6074177d74977b94