NewsBite

Analysis

Super funds’ virtue signalling laid bare in cyber attack

Super funds like to think of themselves as Australia’s moral arbiters, using their near $4 trillion clout to inflict their woke agenda and what they say is good governance on companies. If only they had a mirror.

ASIC chairman Joe Longo said super funds are a ‘poster child for what can and does go wrong when governance fails’. Picture: Colin Murty

Australia’s superannuation funds have become the country’s de facto moral arbiters, using their near $4 trillion clout to inflict their woke agenda and what they consider good governance on the nation’s top companies.

But it is very much a ‘do as I say, not as I do’ mantra, which smacks of virtue signalling.

Last week’s cyber attack – which seemingly plundered hundreds of thousands of dollars from Australian retirement savings – has exposed how much of a mess their own houses are.

And it’s not like they didn’t have fair warning.

Both the corporate and financial regulators told superannuation trustees, who are mainly union or employee group appointees, that they needed to strengthen their online security.

Those warnings, however, not only fell on deaf ears but were roundly criticised.

The Association of Superannuation Funds of Australia chief executive Mary Delahunty accused the financial watchdog of raising unnecessary alarm, saying super funds were “some of the safest places in the country to have your money”.

Try telling that to a 74-year-old Queensland woman who had $406,000 fraudulently wiped from her AustralianSuper account after scammers helped themselves to her retirement savings.

Or what about the three other AustralianSuper members who lost $500,000 during last week’s cyber attack? AustralianSuper says that money has since been remediated but the risk remains.

CEO of the Association of Superannuation Funds of Australia, Mary Delahunty. Picture: NCA NewsWire / Ian Currie

More troubling, the Australian Federal Police said four days after the attack that they hadn’t received a report of a crime.

AustralianSuper said it was engaging with the Australian Signals Directorate, the National Office of Cyber Security, APRA, ASIC, the Office of the Australian Information Commissioner, the Department of Treasury and Finance and the Department of Home Affairs on a co-ordinated response.

What does that mean? Not much. A Home Affairs spokeswoman said: “Investigations are a matter for law enforcement”.

After all, the AFP successfully tracked down the Russian hacker who infiltrated Medibank in late 2022 and leaked millions of Australian health records onto the dark web. And if there is a chance Russian criminals have struck again – please, call the coppers.

Indeed, they’re still trying to bang down the door. Cbus revealed on Monday that it has been hit with an “unusually high spike in log-in attempts” following the hack.

Thankfully, AustralianSuper said on Tuesday it had reported the attack to the AFP.

While the AFP might not have the same success in bringing a hacker to justice from a non-extradition treaty country like Russia, it’s good to know where the bad guys are, and more importantly how they staged an attack to avoid a repeat.

In fact, it’s good governance.

And it was good governance that AustralianSuper cited as the reason it sold down its $580m stake in WiseTech when its share price had hit a trough, following a spate of sensational allegations against its billionaire founder Richard White and his return to power as the company’s executive chairman.

AustralianSuper sold its $580m stake in WiseTech, citing poor governance and executive chair Richard White.

“We believe good governance is essential to delivering the value we identify in a company,” said Shaun Manuell, AustralianSuper head of domestic equities.

“We needed to see a sensible transition plan that got the balance right between governance and managing the founder’s role over time in order to continue to remain a shareholder.”

WiseTech shares are now trading at $76.50 – down 12.84 per cent in the past month and 42.1 per cent in the past six months. But analysts remain bullish on the stock, with Garry Sherriff from RBC Capital Markets having a $110 price target on it.

That’s a fair chunk of change left on the table for AustralianSuper members after the fund sold its holding.

But as Australians head to the polls – a prime time to get on a soap box and thump your chest to the populace – political leaders have been largely muted in their response to the cyber attack. Anthony Albanese said hacks happen “all the time”.

Please, imagine if this was a bank. Would a Prime Minister effectively argue that there is no reason to call the police because hold-ups happen all the time? It’s bizarre, particularly after then Home Affairs Minister Clare O’Neil berated Optus during its cyber attack in late 2022.

“Responsibility for the security breach rests with Optus, and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” O’Neil said.

Super funds are classed as critical infrastructure, so why not the same level of accountability? Hackers could also inflict serious damage, given super funds – as cyber security expert Anne-Louise Brown said – own and operate critical infrastructure via their investments.

But there have been crickets from Canberra.

The attack has exposed the risks of the super funds’ low-fee business model, which is looking cheap and nasty rather than delivering value.

Super funds are in desperate need of an overhaul after they have outsourced everything to the point it is almost like flying a plane with wings attached with paperclips.

This is no exaggeration.

ASIC revealed last week that industry funds were the worst offenders in delaying payouts, after it examined two years’ worth of claims.

Another ASIC review found that “trustees did not have sufficient oversight of their external administrators’ anti-scam and anti-fraud practices”.

“For example, in our engagement with trustees, they frequently referred in general terms to their administrators’ systems and processes, but sometimes lacked knowledge about key details. One of the trustees we engaged with was unable to identify whether its administrator undertook basic interventions, such as engaging with members over scams.”

And, “Trustees in our review also lacked many of the foundational anti-scam practices that ASIC identified in relation to banks”.

Why? “Trustees generally reported that they had not seen many, if any, instances of scams impacting their members. Several trustees told us that this was the reason for their limited focus on scams.”

As ASIC chairman Joe Longo said, super funds are a “poster child for what can and does go wrong when governance fails”. Time for a shake up.

Originally published as Super funds’ virtue signalling laid bare in cyber attack


Original URL: https://www.thechronicle.com.au/business/super-funds-virtue-signalling-laid-bare-in-cyber-attack/news-story/0629ba6b0584467705e1a8907d6d3d16