APRA took action on Tuesday after reviewing Medibank Private's major cyber incident in October 2022.
After reviewing the incident, APRA will raise Medibank's capital adequacy requirement by $250 million due to information security weaknesses.
Medibank's operational risk charge will be adjusted under the new Private Health Insurance (PHI) Capital Framework on July 1, 2023. It will stay until Medibank completes an APRA-approved remediation programme. APRA will review Medibank's technology, focusing on governance and risk culture.
APRA notes that while Medibank has addressed the specific control weaknesses that allowed unauthorised access to its systems, it still needs to strengthen its security environment and data management in several areas.
APRA Member Suzanne Smith called the October 2022 Medibank cyber incident one of Australia's biggest data breaches.
“APRA wants Medibank to speed up its remediation program,” Ms. Smith said.
This action shows that APRA takes entities' cyber risk obligations seriously and will strongly respond to cyber security control weaknesses.
As mentioned, APRA expects Medibank to ensure accountability and consequence management, including executive remuneration. Medibank has always cooperated with APRA, as expected of all regulated entities.
Since launching the 2020-2024 Cyber Security Strategy, APRA has stressed the importance of increased cyber security and continued vigilance to identify and address cyber exposures. “Unfortunately, we continue to identify poor cyber security practices and inadequate oversight from boards and management,” Ms. Smith said.
APRA will enforce control gaps and weaknesses where necessary.
Medibank will have $148 million in unallocated capital after this APRA requirement.
Medibank will not lower its target health insurance required capital ratio.
Medibank CEO David Koczkar said safeguarding customer data is a responsibility Medibank takes very seriously.
“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further. Our company remains strong and well capitalised,” Koczkar added.
The requirement will apply until Medibank meets APRA-agreed remediation milestones. APRA will review Medibank's technology.
“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures,” he disclosed.
Medibank will support APRA and collaborate on the remediation programme.
To recall, the Australian Prudential Regulation Authority (APRA) has intensified its supervision of Medibank Private Limited (Medibank) in response to the recent cyber incident, which has significantly impacted Medibank customers and raised concerns about the strength of its operational risk controls.
Medibank advises that the Office of the Australian Information Commissioner (OAIC) has announced it has commenced an investigation into the personal information handling practices of Medibank in relation to the recent cybercrime. Medibank will continue to cooperate with the OAIC and its investigation.