Medibank Private’s woes continue from its data breach. APRA takes action against it requiring increase in its capital adequacy of $250 million

June 27, 2023

The consequences of a major data breach are rarely minor or quickly resolved. The cost of remediation is almost always significant. Litigation is a common offshoot; Medibank is facing a significant class action suit. Finally, there is usually more than one regulator that can take action. In this case the Australian Prudential Regulation Authority (APRA) has taken action against Medibank, forcing it to increase its capital adequacy requirement by $250 million.

The APRA statement provides:

The Australian Prudential Regulation Authority (APRA) announced today that it has taken action against Medibank Private following an APRA review of its major cyber incident in October 2022.

Following APRA’s examination of the matters relating to the incident, APRA will impose an increase in Medibank’s capital adequacy requirement of $250 million, reflecting weaknesses identified in Medibank’s information security environment. 

The capital adjustment, effective from 1 July 2023, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction. APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.  

APRA notes that while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management. 

APRA Member Suzanne Smith said the October 2022 cyber incident affecting Medibank customers was one of the most significant data breaches ever experienced in Australia.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” Ms Smith said. 

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities. 

“Since launching the 2020-2024 Cyber Security Strategy, APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures. Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management,” Ms Smith said.

Where appropriate, APRA will take further action to ensure entities address gaps and weakness in controls.

The reputational damage is considerable and the publicity embarrassing. This unwelcome development is reported by The Australian in its article “Medibank slugged with $250m penalty for ‘cyber weaknesses’”.

It provides:

Australia’s largest health insurer Medibank has been ordered to hold an additional $250m in capital and to undergo a targeted technology review focused on its governance and risk culture, as fallout from the nation’s largest data breach widens.

The financial industry’s prudential regulator on Tuesday announced it would impose an increase in Medibank’s capital adequacy requirement of $250m, reflecting “weaknesses” identified in the health insurer’s information security environment.

The capital adjustment, effective from July 1, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework and will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.

APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.

The insurer is already facing consumer class action lawsuits over the October 2022 data breach in which nearly 10 million customers had personal information including names, dates of birth, addresses and phone numbers compromised.

“While Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management,” APRA said in a statement on Tuesday.

It is believed ASIC’s action will increase Medibank’s regulatory requirement by 19 per cent on the $1.32bn at end of FY22. APRA’s new private health insurance capital framework also comes into force from July 1, increasing Medibank’s capital needs further.

“Safeguarding customer data is a responsibility Medibank takes very seriously,” Medibank CEO David Koczkar said on Tuesday.

“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.

“Our company remains strong and well capitalised.

“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection and financial hardship measures.”

APRA member Suzanne Smith said the October 2022 cyber incident was one of the largest in Australian history.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.”

Ms Smith said that since launching its 2020-2024 Cyber Security Strategy, the regulator had repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures.

“Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”

In October last year Russian hackers accessed the health records and other personal information from almost 10 million current and former Medibank customers. After the company refused to pay a $15m ransom, it published customer claim data for sensitive conditions – including abortions, drug and alcohol abuse and mental health disorders – on the dark web.

Late last year APRA said it would “intensify its supervision of all entities not meeting the information security prudential standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.”

Introduced in 2019, CPS 234 was designed as a measure to boost cyber resilience and require banks, insurance firms and superannuation funds to maintain cyber capabilities, conduct regular testing and notify the regulator if incidents occur.

Medibank told investors in April that it had been provided with Deloitte’s findings from a review into the cybercrime incident, but said it would not be detailing the filings or releasing the report.

“Deloitte has made recommendations to enhance Medibank’s IT processes and systems,” a spokeswoman said at the time.

“We don’t think it is in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses.”

Analysts have estimated the clean-up bill – which includes customer lawsuits – could cost Medibank as much as $150m.
