Policy owner: PhiSaver Pty Ltd
Effective date: 1 January 2026
Review cycle: Annual or after a material security incident
1. Purpose
PhiSaver is committed to protecting its systems, services and information from unauthorised access, misuse, disruption, loss and disclosure. This policy establishes a baseline approach to cyber security for PhiSaver’s ICT environment and ICT-enabled services.
2. Scope
This policy applies to PhiSaver’s:
- business systems and endpoints
- cloud-hosted services and infrastructure
- software development, deployment and support activities
- customer-facing applications, APIs and integrations
- staff, contractors and service providers who access PhiSaver systems or data.
3. Security objectives
PhiSaver seeks to:
- protect the confidentiality, integrity and availability of information
- reduce the likelihood and impact of cyber incidents
- apply security controls proportionate to business risk
- support contractual, legal and regulatory obligations
- continuously improve cyber resilience over time.
4. Governance
PhiSaver management is responsible for cyber security oversight. Security responsibilities may be assigned to internal personnel or specialist service providers. Material cyber risks, major incidents and significant exceptions are to be escalated to management.
5. Risk-based approach
PhiSaver applies a practical, risk-based approach to cyber security. Controls are selected based on the sensitivity of the data involved, the criticality of the service, contractual requirements, and the capability of the relevant technology stack. PhiSaver may align its control environment with recognised Australian guidance, including the ACSC Essential Eight, where appropriate to the business.
6. Identity and access management
PhiSaver will:
- provide access only where there is a legitimate business need
- use unique user accounts where practical
- restrict privileged access to authorised personnel
- review and remove access when no longer required
- use strong passwords or passphrases and multi-factor authentication where supported and appropriate
- use role-based or scoped access wherever practical, including read-only access where suitable.
7. Data protection
PhiSaver will:
- collect, use and retain information only as reasonably required for business, service delivery, support, security or legal purposes
- minimise identifying metadata and, where practical, store it separately from the data it identifies
- protect sensitive data using appropriate technical and organisational controls
- use encryption in transit and, where feasible and appropriate, at rest
- document material security limitations, exceptions or compensating controls where a control cannot reasonably be applied
- dispose of data securely when no longer required, subject to legal, contractual and operational requirements.
8. Secure configuration and asset management
PhiSaver will:
- maintain an inventory, or equivalent record, of key systems and services where practical
- disable or restrict unnecessary services, ports and accounts where practical
- change or remove default credentials before production use where applicable
- apply secure baseline configurations proportionate to the platform
- use vendor-supported software versions and retire unsupported software where reasonably possible.
9. Vulnerability and patch management
PhiSaver will:
- monitor for relevant vulnerabilities affecting its systems, applications and dependencies
- apply patches, updates or mitigating controls within a timeframe appropriate to the risk
- prioritise remediation for internet-exposed, privileged or business-critical systems
- use long-term support or stable releases where appropriate.
10. Secure development and change management
For software and automation used by PhiSaver, the company will:
- follow secure-by-design and least-privilege principles
- avoid storing secrets in source code
- use code review, testing and controlled deployment practices where practical
- validate inputs and handle errors safely
- manage third-party dependencies in a controlled manner, including version pinning or equivalent practices where appropriate
- separate development, test and production activities to the extent practical for the business.
11. Logging, monitoring and alerting
PhiSaver will maintain logging and monitoring appropriate to the service and risk profile. Logging should, where practical, support detection and investigation of:
- authentication events
- administrative actions
- significant configuration changes
- service failures and security-relevant anomalies.
Retention periods, log detail and customer access to logs will depend on system design, contract terms and operational constraints.
12. Cloud and hosting security
Where PhiSaver uses cloud or hosted services, it will:
- use reputable providers appropriate to the service
- configure environments to limit unnecessary exposure
- manage administrative access and credentials carefully
- segregate customer data logically where systems are multi-tenant
- use backup and recovery arrangements appropriate to business risk.
13. Backup, resilience and recovery
PhiSaver will maintain backup and recovery arrangements appropriate to the systems and services involved. Backup frequency, retention and restoration testing will be proportionate to business risk and service criticality. PhiSaver aims to restore critical services within commercially reasonable timeframes, subject to the nature of the incident.
14. Incident response
PhiSaver will maintain a practical process for responding to cyber incidents. This includes:
- identifying and reporting suspected incidents
- assessing severity and business impact
- containing, investigating and remediating the issue
- communicating internally and externally where required
- preserving evidence where appropriate
- reviewing lessons learned after material incidents.
Where required by law, contract or applicable policy, PhiSaver will notify customers, regulators or affected parties of eligible data breaches or material incidents.
15. Personnel security and awareness
PhiSaver expects personnel and contractors to act responsibly when using company systems and information. PhiSaver will provide or require reasonable security awareness, including awareness of phishing, credential protection, safe handling of data, and incident reporting.
16. Supplier and subcontractor security
PhiSaver may rely on third-party products, cloud services and subcontractors. Where proportionate to the engagement, PhiSaver will consider supplier security, reliability and legal compliance when selecting or renewing material suppliers. Suppliers may be required to support contractual cyber, privacy or security obligations.
17. Privacy and legal compliance
PhiSaver will comply with applicable privacy, data protection, cyber and records obligations that apply to its operations or contracts. Where PhiSaver is subject to the Privacy Act 1988 or similar obligations, personal information will be handled in accordance with those requirements, including incident notification obligations where applicable.
18. Physical security and device disposal
PhiSaver will take reasonable steps to protect relevant hardware from theft, tampering or unauthorised access. When hardware, storage media or equipment are retired, returned or replaced, PhiSaver will seek to remove, wipe, destroy or otherwise secure business and customer data in a manner appropriate to the device and the risk.
19. Exceptions
Any material exception to this policy should be documented, approved by management, and supported by compensating controls or a remediation plan where appropriate.
20. Review
This policy will be reviewed at least annually and after any material technology change, major incident or significant contractual requirement.
