The Australian Prudential Regulation Authority (APRA) announced today that it has taken action against Medibank Private (MPL) following a review of its major cyber incident in October 2022.
The nation’s financial safety regulator said it will increase Medibank’s capital adequacy requirement by $250 million.
Capital adequacy is a key measure used to determine the minimum amount of capital that financial institutions, such as banks and insurance companies, must maintain. It underpins financial stability and the ability to absorb potential losses, protecting depositors, policyholders, and the overall financial system.
APRA is responsible for ensuring that Australia’s financial system is stable, competitive and efficient.
The regulator highlighted weaknesses in Medibank’s information security environment and has applied the capital adjustment from 1 July.
APRA member Suzanne Smith said the October 2022 cyber incident was one of the most significant data breaches ever experienced in Australia.
“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” she said.
“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”
While Medibank announced that it has already addressed specific control weaknesses, the regulator stressed that further work is required to strengthen its security environment and data management.
“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said.
The capital adjustment will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.
APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.
Medibank also released a statement today saying it holds sufficient existing capital to meet this adjustment.
MPL CEO David Koczkar said that safeguarding customer data was a responsibility the company takes “very” seriously.
“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve,” he said.
“We will continue to work to enhance our systems and processes even further.
“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”
Since APRA launched the 2020-2024 Cyber Security Strategy, it has repeatedly stressed the importance of an uplift in cybersecurity and continued vigilance to identify and address cyber exposures.
However, it reported that not all entities were getting the message, as the regulator continues to identify poor cybersecurity practices and inadequate oversight from boards and company management across Australia.