Cyber Incident Victim: Perpetual

On or around June 1, 2023, Perpetual experienced a significant IT security incident. The incident was publicly confirmed by the company on June 21, 2023. The event was described as a "tech outage" resulting from this cybersecurity incident. The root cause was a compromise of one of Perpetual's third-party unit registry systems. This compromise directly impacted clients' access to the main investor login portal, known as myPerpetual. In response to discovering the incident, Perpetual took the containment action of disconnecting from the affected third-party systems to move to a more secure environment. The company stated it began working with the registry provider to rebuild the compromised system.

The scope of the impact was significant but contained within specific divisions and products. The outage was confirmed to be limited to the company's Asset Management and Wealth Management divisions. Specifically affected were the Investment Funds, the WealthFocus product, and select other products distributed within Australia. The incident did not impact Perpetual's listed products, institutional mandates, Pendal, Perpetual Corporate Trust, Perpetual Wrap clients, or any of its international asset management businesses. The company reaffirmed that all client investments and its own core systems remained unaffected and secure throughout the event. The outage impacted approximately 45,000 clients.

The primary consequence for clients was a prolonged loss of access to the myPerpetual portal and its full functionality. As of October 30, 2023, myPerpetual was accessible but with limited functionality. Most notably, the portal did not support online transactions. Full access to the system remained impacted by the IT security incident months after its initial occurrence. The company was actively working on restoring full functionality and was communicating directly with clients as access was gradually extended. The inability to process online transactions forced the implementation of manual, offline processes for client requests.

The incident had a direct and ongoing effect on client servicing and operations. With online transacting disabled, Perpetual instituted an interim process for accepting transaction requests. Clients could submit transactions via post, email, or BPAY. All transactions received during the outage were queued for processing and were to be processed with the unit price for the effective date of receipt. Clients could still access some information about their accounts through the limited myPerpetual portal, but for additional information, they were instructed to contact Perpetual Client Services by phone. The outage also affected all statement generation, preventing the issuance of transaction confirmations, annual statements, tax statements, Centrelink schedules, and distribution statements. Clients requiring a statement were advised to contact Client Services to raise a request, with the fulfillment of those requests deferred until normal operations were restored. The availability of end-of-year statements within myPerpetual for investors and advisers led to the planned closure of the separate myStatements portal in the coming weeks. Conversely, access to Dealer Group Adviser Fee reports, including historical reports, was restored and available within myPerpetual.

Updating account details was also hampered by the extended outage. Individual or joint account holders could contact Client Services by phone to update details, while other entities were required to complete and submit paper forms. A critical note was that any detail changes would not be reflected on accounts until services were fully restored. The company provided specific email and postal addresses for submitting these forms. Perpetual confirmed that its core systems were eventually restored and that the processing of client transactions, including the payment of withdrawals, had recommenced as of June 21, 2023. The company continued to calculate unit prices and provide them to the market throughout the event, directing clients to their platform providers for details on holdings, valuations, and trade status. For enquiries, the company provided distinct contact information for its Asset Management products and services and its Wealth Management, Financial Advice, and Personal Trustee Services.