From MFA to the sock drawer: SMSF security

SMSFs must employ professional security protocols to protect their assets in the wake of an increased number of cyberattacks.

Security in SMSFs comes in all shapes and sizes. Tech-savvy trustees will have multi-factor authentication (MFA) enabled for all their investments, while others will happily rely on a sock drawer to store passwords.

In the wake of recent cyberattacks on Australian Prudential Regulation Authority-regulated funds, it would be naïve to assume cybercriminals would ignore the SMSF sector with $1 trillion in total assets.

Key statistics from the National Anti-Scam Centre show over $134 million in losses between 1 January and 30 June 2024. Most importantly, people aged 55 and over accounted for 47.6 per cent of those losses.

With 38 per cent of all SMSF members in retirement as of June 2024, these funds remain vulnerable to hackers who would readily take advantage of the technologically challenged in this cohort.

As a result, SMSFs remain high on the ATO’s and Australian Securities and Investments Commission’s (ASIC) watchlist to ensure they stay protected.

SIS obligations

While the Superannuation Industry (Supervision) (SIS) rules are silent on security technology, the operating standards under section 52 of the SIS Act require trustees to perform their “duties and exercise powers in the best financial interests of the beneficiaries”.

The provisions also say trustees should use a level of care, skill and diligence that a careful and responsible trustee would use for fund investments.

Where trustees are not employing security measures to their fullest extent, are they acting in the best interests of the members?

Could this open the door to potential litigation in line with section 55 of the SIS Act if the fund incurred a financial loss and there was a dispute, divorce or disagreement?

SMSF security

The Australian Cyber Security Centre recommends using MFA because it defends against the majority of password-related cyberattacks.

MFA requires a combination of two or more factors to access an account, such as a personal identification number, facial recognition or an authenticator app.

Requiring more than one factor distinguishes legitimate users from attackers, making it harder for an attacker to impersonate a genuine account holder or to succeed with brute-force methods.

Are SMSFs cyber-resilient?

There are two components to SMSFs being cyber-resilient: direct and indirect risk management.

Trustees have direct control over the investment accounts they can access, such as bank and brokerage accounts. Enabling MFA on those accounts provides the strongest protection available to them and is the first line of defence against hackers.

In a business-to-business context, the second is partnering with SMSF professionals who use best-practice control technologies when storing member information.

By way of example, ASF Audits employs critical measures such as firewalls, malware filters and MFA for logins. Other standard practices include penetration testing and automated security monitoring and alerting, with all client data and files stored on Amazon AWS infrastructure and encrypted with AES-256.

SMSF investments

As some high-risk investments are more prone to fraud than others, trustees must set in place sophisticated security measures to ensure the recoverability and safety of their members’ retirement savings. A sock drawer no longer cuts it.

Cryptocurrency and digital assets attract criminal activity because they are not classified as financial products. SMSFs can be exploited through illegal operations, resulting in phishing scams, theft and collapsed crypto trading platforms.

The best practice is for an SMSF to use a crypto exchange that holds an Australian financial services licence, complies with AUSTRAC-regulated anti-money laundering/counter-terrorism financing legislation and has a sound reputation.

Security of other investments, such as overseas assets, unlisted entities and property, also comes with its share of problems.

Red flags include unsolicited offers of high-return investments, encouragement to make early withdrawals and requests for sensitive personal details.

While SMSF financial losses are bad enough, identity theft is often a worse outcome, with members experiencing personal financial ruin, credit issues and emotional distress.

ASIC activity

ASIC has wound up 95 companies that may have been involved in facilitating scam activities and warns all consumers to remain vigilant.

These organisations were associated with websites and apps to trick consumers into investing in phony foreign exchanges, digital assets or commodities trading.

Unfortunately, ASIC has said these scams are like hydras; when one is shut down, two more take its place.

Security tips

The following security measures are crucial to protect SMSFs:

  1. Avoid clicking on account sign-in hyperlinks received via SMS or emails.
  2. Do not share MFA codes or approve unknown sign-in attempts.
  3. Use MFA whenever possible.
  4. Select strong passwords.
  5. Regularly update computer software.
  6. Research websites before making any online payments.
  7. Check email addresses, bank statements and the recipients of payments before transferring money.

Conclusion

Cyber-resilience is most effective as a shared responsibility between all parties.

SMSF professionals should educate their trustee clients on adopting robust security measures to safeguard fund investments and personal data. Partnering with SMSF experts who use best-practice control technologies is the other step.

There is no doubt consistent vigilance is essential to protect SMSFs from cyberattacks and to maintain the integrity of the industry through strict security measures such as MFA, not sock drawers.

Shelley Banton is head of technical at ASF Audits.

Copyright © SMS Magazine 2025
