When multiple Australian superannuation funds were hit by coordinated cyber breaches in March 2025, many in the industry responded with surface-level fixes. Member logins were reset, portals were temporarily taken offline, and public statements were issued to downplay impact.

But from where I sit, as someone who’s spent over two decades working across cyber operations, including at APRA-regulated institutions, the breaches signalled something much deeper than a few compromised accounts. What we witnessed wasn’t just a technical failure. It was a failure of strategic thinking.

Let’s be clear. These weren’t highly sophisticated, state-sponsored attacks. This was credential stuffing, one of the oldest tricks in the book. It relies on one basic truth: most people reuse passwords. If threat actors can access one database of breached credentials, they’ll test those same logins across other systems. And in this case, they found enough weaknesses in Australia’s superannuation authentication infrastructure to successfully gain access, siphon funds, and trigger a wave of disruption across the sector. More concerning still, the highly regulated and convoluted processes that are supposed to provide checks and balances didn’t seem to work. If you have an SMSF, you will understand just how hard it is to move funds out of the retail institutions. It seemed much easier for the attackers to move money from these super funds than it is for the average Australian who has a genuine legal right to do so.

Setting aside the obvious and concerning question of how funds could be moved through those checks and balances, what concerns me most is that this was preventable. Multi-factor authentication could have blocked the majority of these access attempts. Real-time behavioural analytics might have flagged unusual access patterns before money was moved. But beyond the technical measures, what’s missing is a mindset of resilience — a proactive approach that treats cybersecurity not as a compliance burden, but as core infrastructure for trust.
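To make the "behavioural analytics" point concrete, here is an added example (not code from the original piece or from any fund) of the kind of detection logic that would have surfaced a credential-stuffing run before any money moved. It works on a handful of constructed authentication-log lines (timestamp, source address, username, outcome); the log format, the thresholds (five minutes, five distinct usernames, 80% failure rate) and the alert names are all assumptions made for illustration. The same source then succeeds against one account, which is exactly the moment a step-up (MFA) challenge should be forced rather than letting a password-only login through.

```python
"""Credential-stuffing detector over constructed auth-log lines (illustrative, not a fund's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log. 203.0.113.7 sprays one password-reuse list across
# many accounts; 198.51.100.x are ordinary members (one mistypes twice).
SAMPLE_LOG = """\
2025-03-29T02:00:00Z 198.51.100.4 alice OK
2025-03-29T02:00:05Z 203.0.113.7 alice FAIL
2025-03-29T02:00:06Z 203.0.113.7 bob FAIL
2025-03-29T02:00:07Z 203.0.113.7 carol FAIL
2025-03-29T02:00:08Z 203.0.113.7 dave FAIL
2025-03-29T02:00:09Z 203.0.113.7 erin FAIL
2025-03-29T02:00:10Z 203.0.113.7 frank OK
2025-03-29T02:01:00Z 198.51.100.9 bob FAIL
2025-03-29T02:01:20Z 198.51.100.9 bob FAIL
2025-03-29T02:01:40Z 198.51.100.9 bob OK
"""

# Assumed tuning: these values are placeholders, not a published standard.
WINDOW = timedelta(minutes=5)   # sliding window per source address
MIN_DISTINCT_USERS = 5          # one source trying many accounts is the tell
MIN_FAILURE_RATIO = 0.8         # stuffing mostly fails; a typo-prone member mostly succeeds


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'ISO-time src_ip user OK|FAIL' line (assumed format)."""
    ts, ip, user, outcome = line.split()
    return AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome == "OK")


def detect(events):
    """Return a list of alerts. Sources are flagged once; any later
    password-only success from a flagged source demands step-up auth."""
    alerts = []
    recent = defaultdict(deque)   # src_ip -> events inside WINDOW
    flagged = {}                  # src_ip -> time first flagged
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src_ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > WINDOW:   # drop events that aged out
            q.popleft()
        users = {e.user for e in q}
        ratio = sum(1 for e in q if not e.ok) / len(q)
        if ev.src_ip not in flagged and len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
            flagged[ev.src_ip] = ev.ts
            alerts.append({"type": "credential_stuffing", "src_ip": ev.src_ip, "at": ev.ts,
                           "distinct_users": len(users), "failure_ratio": round(ratio, 2)})
        if ev.ok and ev.src_ip in flagged:
            # The password was right, but the source is hostile: require MFA
            # and hold any withdrawal from this session for review.
            alerts.append({"type": "step_up_required", "src_ip": ev.src_ip,
                           "user": ev.user, "at": ev.ts})
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect(parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The ordinary member at 198.51.100.9 fails twice and then logs in, but touches only one account, so nothing fires; the spraying source is flagged at its fifth distinct username, and its subsequent valid login for `frank` is surfaced as a step-up event instead of being treated as a normal session.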

Too many funds still treat cybersecurity as a backend IT function. And too many boards still see it as a cost centre, not a risk multiplier. That kind of thinking doesn’t hold up anymore. Superannuation funds manage nearly $3.5 trillion in retirement savings. That makes them not just financial institutions, but critical to the economic wellbeing of the nation. The consequences of failure are not just financial. They are societal.

The fallout from these breaches was predictable. Members were left in the dark. Communications were vague and delayed. Portals were shut down without clear timelines or support. And in at least one case, funds were withdrawn directly from member accounts. As outlined earlier, that’s not just a systems issue. It’s a trust crisis.

And trust, once lost, is often impossible to fully restore.

In cybersecurity, we talk a lot about financial losses, data exposure, operational downtime. But the most expensive cost is rarely captured on a balance sheet. It’s reputational.

When a breach occurs, especially in a sector like superannuation, it does more than expose data. It shakes the psychological contract between the member and the fund. The belief that “my money is safe here” becomes unstable. And no amount of carefully worded emails or PR-managed statements can fully un-ring that bell.

We often treat trust like it’s elastic, as though it can stretch and bounce back after a breach. But in reality, trust behaves more like glass. It can crack quietly, with hairline fractures that don’t show up until something more significant causes a shatter. And when it breaks, the fallout can be existential.

For funds that are responsible for securing the futures of millions of Australians, that should be an unacceptable risk. If a member starts to question whether their retirement savings are vulnerable, or whether their most personal information could be exposed without warning, they don’t just lose faith in a system. They begin to withdraw emotionally and financially from it.

That’s why cybersecurity must be seen not only as a technical safeguard but as a trust mechanism: a form of assurance that must be continually maintained, stress-tested, and earned. Not just in moments of crisis, but every day, through transparent communication, strong governance, and member-first thinking.

I’ve always said, your breach response is a test of your maturity. It shows whether your cyber strategy is truly embedded in your organisational culture, or whether you’re just hoping for the best while keeping your fingers crossed. That is, if you know you have been breached in the first place.

The truth is, we’re now in an era where cybersecurity has to be treated as business as usual, not just business critical. It needs to be governed at the board level, built into digital strategy, and funded like the operational risk it truly is. That includes end-to-end visibility over your attack surface, real-time monitoring, continuous testing, and sector-wide collaboration on intelligence and response.

Because this won’t be the last breach. And if the sector doesn’t evolve, the next one will be worse.

What I’d like to see now is leadership. Not just technical fixes, but a fundamental rethink of how we approach resilience. This includes cross-fund collaboration, mandatory security baselines, more aggressive posture testing, and clear escalation paths when something goes wrong. It also means giving members the transparency they deserve, not post-incident, but continuously. More so, accountability must be clear, and consequences must be commensurate. No more plausible deniability.

The superannuation sector has an opportunity here. Not just to clean up after a breach, but to step into a leadership role for the financial industry at large.

Because trust, once shaken, is hard to rebuild. And in a sector where the product is not just money, but peace of mind over a lifetime, nothing is more dangerous than the slow erosion of that trust through silence, confusion, or inaction.
