AustralianSuper is on the hunt for a new chief information security officer to replace Mick Dunne, who will leave for an external role after five years with the fund.
The CISO oversees the Melbourne-headquartered fund’s “enterprise-wide information and cyber security management program,” and reports to CTO Mike Backeberg.
The posting for a replacement CISO added that the successful candidate oversees both “corporate and member security”, including compliance and risk management.
Dunne’s replacement will also “lead the development and execution of a short-, medium- and long-term strategy for information and cyber security at AustralianSuper globally.”
AustralianSuper shared details about its cyber security strategy at its annual members’ meeting in November [pdf].
The fund said that its defences included scanning the threat landscape for vulnerabilities such as “website and portal weaknesses” and safeguarding against phishing attacks by providing “increased call security and training to staff”.
“We also invest in financial crime technology and… teams dedicated to… quickly detect when activity might be unauthorised… to defend against both human criminals and the use of automation,” the company’s presentation added.
Dunne told members that “we’ve adopted international best practice, which gives us guidance around how we design our security framework and our controls.
“We operate a strong assurance program, which includes our internal audit program, external audit, independent assurance and testing of our systems.”
Dunne also listed investments in identity protection, when a member asked “why member-facing multifactor authentication” was not required to log into AustralianSuper’s website or app.
He said that MFA had been rolled out for high-risk activities like “changing your password or even establishing an account in the first place,” and AustralianSuper’s “security roadmap” included “extending the use of multifactor authentication in the future.”
“We aim to balance member convenience and security.”
The app is also compatible with iOS and Android Touch or Face ID, he added.
“Depending on the mobile device that you use, you can use things like biometrics for logon.”
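The approach Dunne describes, password-only access for routine views but MFA enforced for high-risk actions such as password changes and account creation, is usually implemented as a step-up authentication policy. The following is an added illustration, not AustralianSuper’s code: it assumes a session record that notes when MFA was last completed, a constructed table classifying actions by risk, and an assumed freshness window after which a high-risk action must trigger MFA again. Unknown actions are denied so that a newly added feature cannot bypass the policy by omission.

```python
"""Step-up MFA policy for a member portal (added illustration, not the fund's code).

Assumptions, all constructed for this example:
  - ACTION_RISK classifies portal actions as low or high risk.
  - A Session records when the member last completed MFA.
  - MFA_FRESHNESS is the window within which a prior MFA assertion
    still satisfies a high-risk action; it is an assumed value.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Risk(Enum):
    LOW = "low"
    HIGH = "high"


# Constructed classification: high-risk actions require a fresh MFA
# assertion; low-risk actions are allowed on a password-only session.
ACTION_RISK = {
    "view_balance": Risk.LOW,
    "download_statement": Risk.LOW,
    "change_password": Risk.HIGH,
    "create_account": Risk.HIGH,
    "change_bank_details": Risk.HIGH,
}

MFA_FRESHNESS = timedelta(minutes=10)  # assumed window, not a standard
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Session:
    member_id: str
    mfa_completed_at: Optional[datetime] = None
    audit: list = field(default_factory=list)  # decision log for detection/review


def mfa_is_fresh(session: Session, now: datetime) -> bool:
    """True if the session carries an MFA assertion younger than MFA_FRESHNESS."""
    if session.mfa_completed_at is None:
        return False
    return now - session.mfa_completed_at <= MFA_FRESHNESS


def complete_mfa(session: Session, now: datetime) -> None:
    """Record a successful MFA challenge on the session."""
    session.mfa_completed_at = now


def authorize(session: Session, action: str, now: datetime):
    """Return (allowed, reason). Fails closed on unknown actions."""
    risk = ACTION_RISK.get(action)
    if risk is None:
        session.audit.append(f"deny {action}: unknown action")
        return False, "unknown_action"
    if risk is Risk.LOW:
        session.audit.append(f"allow {action}: low risk")
        return True, "ok"
    if mfa_is_fresh(session, now):
        session.audit.append(f"allow {action}: fresh mfa")
        return True, "ok"
    # High-risk action without a fresh assertion: caller must run the MFA step.
    session.audit.append(f"step-up {action}: mfa required")
    return False, "mfa_required"


def demo() -> dict:
    """Walk one constructed session through the policy; returns reason per step."""
    s = Session(member_id="member-0001")
    out = {}
    out["balance_no_mfa"] = authorize(s, "view_balance", T0)[1]
    out["password_no_mfa"] = authorize(s, "change_password", T0)[1]
    complete_mfa(s, T0)
    out["password_fresh_mfa"] = authorize(s, "change_password", T0 + timedelta(minutes=1))[1]
    out["password_stale_mfa"] = authorize(s, "change_password", T0 + timedelta(minutes=30))[1]
    out["unknown"] = authorize(s, "export_all_data", T0)[1]
    return out


if __name__ == "__main__":
    for step, reason in demo().items():
        print(f"{step}: {reason}")
```

The audit list is what a detection team would ship to the SIEM: repeated `mfa_required` or `unknown_action` decisions for one member are the signal that someone is probing sensitive functions without completing the challenge.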
As part of its security strategy, the fund also encourages regulators to reconsider record-keeping obligations that put its members at risk of data theft, such as excessive customer data retention requirements.
In a submission [pdf] to a review of the anti-money laundering regime, the fund questioned reporting entities’ obligation to “keep customer identification procedure records… for seven years after they stop providing all designated services to the customer.”
“The Privacy Act review report… noted the privacy and cyber security risks of entities holding significant volumes of personal information,” it said.
Before AustralianSuper, Dunne worked at NBN Co for six years, holding titles such as general manager of security governance, planning and performance, and general manager of security policy and compliance.
Before that, he was an associate director at KPMG Australia.
Dunne has held other senior IT and security positions at the Attorney-General’s Department and the Royal Australian Navy.