APRA pressures Medibank on cyber enhancements post-breach

The action by APRA, announced Tuesday, follows a cyber incident last year in which 9.7 million past and present Medibank customers had their data stolen by a hacker. The data exposed included first and last names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and some claims data.

The incident was one of the most significant data breaches ever experienced in Australia, said APRA, the country’s prudential regulator of the financial services industry.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls,” said APRA Member Suzanne Smith in the regulator’s press release.

The capital adjustment will take effect July 1 and remain in place until Medibank’s remediation work to strengthen its security environment and data management is completed to APRA’s satisfaction. The insurer’s technology will also be reviewed for governance and risk culture.

Medibank must also consider disciplining executives as part of its remediation.

“APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” said Smith. “I note that Medibank has consistently dealt with APRA in an open, constructive, and cooperative way, consistent with our expectation of all regulated entities.”

Company response: Medibank said in a news release it has sufficient existing capital to meet APRA’s added requirement.

“Safeguarding customer data is a responsibility Medibank takes very seriously,” said Chief Executive David Koczkar in the release. “Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.”