The private health insurer will have to hold an extra $250m in regulatory capital and undergo a technology review.
The Australian Prudential Regulation Authority has served up a multi-million-dollar punishment to Medibank over its massive data breach late last year – and announced the health insurer will have to undergo a technology review.
The APRA action means Medibank will have to hold an extra $250 million in regulatory capital, which APRA says reflects weaknesses identified in Medibank’s information security environment.
APRA member Suzanne Smith said the October 2022 cyber incident affecting Medibank customers was one of the most significant data breaches ever experienced in Australia.
“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” Ms Smith said.
“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”
The capital adjustment, effective from 1 July, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework.
It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction. APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture, it said in a statement.
APRA noted that while Medibank had already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management.
“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said.
“I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.”
She said that since launching the 2020-2024 Cyber Security Strategy, APRA had repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures.
“Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management,” Ms Smith said.
Where appropriate, APRA would take further action to ensure entities address gaps and weakness in controls, she said.
In a statement issued after the APRA announcement, Medibank said it had sufficient existing capital to meet this adjustment.
The company said it would continue to provide its full support and work collaboratively with APRA including on the remediation program.
Medibank CEO David Koczkar said “safeguarding customer data is a responsibility Medibank takes very seriously”.
“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further,” he said.
“Our company remains strong and well capitalised. We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”
