Insurers included in warning over cyber security
The Australian Prudential Regulation Authority (APRA) has warned insurers and banks it will take further action to ensure gaps and weaknesses in cyber controls are addressed.
The prudential regulator warned about the importance of cyber security as it lifted Medibank Private’s capital adequacy requirement by $250 million after reviewing a major breach in October.
APRA expects Medibank to ensure there is “appropriate accountability and consequence management,” including impacts to executive remuneration where appropriate.
“We continue to identify poor cyber security practices and inadequate oversight from boards and management,” APRA Member Suzanne Smith said. “APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures.”
While Medibank has addressed the weaknesses that permitted unauthorised access to its systems, APRA says the insurer still has work to do to further strengthen its security environment and data management.
APRA will also conduct a targeted technology review and the tougher capital impost will remain in place until an agreed remediation program of work is completed.
The personal data of millions of Medibank customers was stolen by cybercriminals in one of the most significant data breaches ever experienced in Australia.