Following the recent major cyber incidents
The Australian Prudential Regulation Authority (APRA) has announced that it is taking action against Medibank Private following its review of the major cyber incident Medibank suffered in October 2022. The action follows APRA's examination of the incident, which identified weaknesses in Medibank's information security environment.
As a result, APRA will increase Medibank's capital adequacy requirement by A$250 million, effective from 1 July 2023. The adjustment will be applied to Medibank's operational risk charge under the new Private Health Insurance (PHI) Capital Framework and will remain in place until Medibank completes an agreed remediation program to APRA's satisfaction. APRA will also conduct a targeted technology review of Medibank, with a specific focus on governance and risk culture.
While Medibank has already addressed the specific control weaknesses that led to the unauthorized access to its systems, APRA notes that further work is needed to strengthen its security environment and data management across a number of areas.
APRA Member Suzanne Smith highlighted that the October 2022 cyber incident was one of the most significant data breaches ever experienced in Australia. The action taken by APRA aims to ensure that Medibank expedites its remediation program and emphasizes APRA’s commitment to addressing weaknesses in cyber security controls.
Smith further stated that APRA expects Medibank to apply appropriate accountability and consequence management, including potential impacts on executive remuneration. She commended Medibank for the open, constructive, and cooperative approach it has taken in dealing with APRA, as is expected of all regulated entities.
APRA has repeatedly stressed the importance of strengthening cyber security and maintaining vigilance in identifying and addressing cyber exposures since the launch of its 2020-2024 Cyber Security Strategy. Unfortunately, not all entities have heeded these messages, and APRA continues to identify poor cyber security practices and inadequate oversight from boards and management.
APRA remains committed to taking further action, where necessary, to ensure that entities address gaps and weaknesses in their cyber security controls. The authority’s actions against Medibank serve as a strong reminder of the seriousness with which APRA regards entities’ obligations in relation to cyber risk management.