APRA warns on cyber security as Medibank capital requirement raised

The prudential regulator has warned about the importance of cyber security, lifting Medibank Private’s capital adequacy requirement by $250 million after reviewing a major breach in October.

Australian Prudential Regulation Authority (APRA) Member Suzanne Smith says the action “seeks to ensure that Medibank expedites” its remediation and demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk.  

“APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures,” Ms Smith said. “Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”  

APRA says it will take further action to ensure entities address gaps and weaknesses in controls.

APRA expects Medibank to ensure there is “appropriate accountability and consequence management,” Ms Smith says, including impacts to executive remuneration where appropriate. 

The action reflects “weaknesses identified in Medibank’s information security environment,” APRA says.  

The personal data of millions of Medibank customers was stolen by cybercriminals, costing the insurer an estimated $35 million in one of the most significant data breaches ever experienced in Australia.  

Almost 10 million customer records were stolen, including sensitive medical condition information. Some data was published as the criminals tried to extort a ransom payment.  

While Medibank has addressed the weaknesses that permitted unauthorised access to its systems, APRA says it still has work to do to further strengthen its security environment and data management.

APRA will also conduct a targeted technology review and the tougher capital impost will remain in place until an agreed remediation program of work is completed. 

In a statement to the Australian Securities Exchange today, Medibank said it has sufficient existing capital to meet the adjustment and will remain well capitalised, with unallocated capital of $148 million. 

CEO David Koczkar said safeguarding customer data was taken “very seriously”, and Medibank has strengthened systems and processes “to provide our customers with the security they expect and deserve”.