Super funds seek to coordinate sector's cyber threat response

The Association of Superannuation Funds of Australia (ASFA) has applied to the Australian Competition and Consumer Commission (ACCC) for authorisation to operate a dedicated threat intelligence sharing platform, in the wake of last year's cyber attacks targeting the sector.

Lodged on March 27 this year, ASFA is asking the regulator for permission for its members to share a defined set of threat intelligence with each other.

This includes threat trends and themes, tactics, techniques and procedures, bypassed security controls, threat actors under active tracking, and technical indicators including blocked threats and active incidents.

ASFA said information that could potentially affect competition between its members will not be shared.

Pricing, sales volumes, profit margins, commercial strategy, and investment information would be explicitly excluded, with participants required to adhere to a strict protocol designed to prevent competitive intelligence leaking into the intelligence-sharing process.

A five-year authorisation is sought from ACCC to operate a platform called the Superannuation Cyber and Financial Crime Exchange, or SuperFCX.

This forms the centrepiece of a broader four-pillar coordination framework ASFA calls SC3, the Superannuation Cyber and Financial Crime Coordination framework, which the association developed last year.

ASFA also proposes a superannuation sector incident response playbook on how to coordinate and communicate during significant cyber incidents, developed by two dedicated cross-sector working groups.

Superannuation sector response exercises to practice coordination under realistic scenarios, forums and specialist working groups that bring together expertise from across the sector are also proposed by ASFA.

Without ACCC clearance, rival superannuation funds sharing operational security intelligence would risk breaching the Competition and Consumer Act. 

Submissions on ASFA's application with the ACCC close on April 27.

April 2025 cyberattacks catalyst for cooperation

ASFA's application for threat intelligence sharing between members comes after a coordinated credential-stuffing campaign that struck the sector in late March and early April 2025.

This saw attacks on AustralianSuper, REST, Hostplus, Insignia, and the Australian Retirement Trust.

Some $750,000 was lost from 10 AustralianSuper accounts.

ASFA said that during the incident, suspicious activity was reported by one fund to the government; other funds were not alerted however.

Such a communication failure is the structural problem that SC3 aims to fix.

ASFA chief executive Mary Delahunty made the same point at the Banking, Financial Services and Insurance (BFSI) Innovation and IT Summit in Sydney this week.

"We didn’t have a trusted channel for communications teams across funds to coordinate so information about the incident was delivered inconsistently, at times emerging through media reporting in a way that heightened member concern, rather than providing reassurance," Delahunty said.

"Superannuation took a reputational hit."

The sector manages $4.5 trillion for 18 million Australians, and ASFA surveyed its members and got the clear message that it can be better prepared to respond to cyber attacks through improved coordination.

Delahunty also referred to the recent announcement by artificial intelligence (AI) company Anthropic, which deemed its latest large language model Claude Mythos too dangerous to release to the public, as it could be misused for cybercrime.

"I’m sure you, like me, have been devouring any coverage you can on this, on [Project] Glasswing, including recent reports that United States Treasury Secretary Scott Bessent gathered financial sector leaders together to deliver a stark message about the potential dangers of AI models deployed internally posing a serious risk to sensitive customer data – we must hear that warning here as well," Delahunty said.

One parallel to SuperFCX is the Australian Financial Crimes Exchange or AFCX.

This was set up in 2016 by ANZ, Commonwealth Bank, NAB and Westpac, in partnership with the Australian government as an independent, not-for-profit intelligence sharing platform with real-time alerts across competing institutions.