APRA takes action against Medibank Private following review of major cyber incident
The Australian Prudential Regulation Authority (APRA) announced today that it has taken action against Medibank Private following an APRA review of its major cyber incident in October 2022.
Following APRA’s examination of the matters relating to the incident, APRA will impose an increase in Medibank’s capital adequacy requirement of $250 million, reflecting weaknesses identified in Medibank’s information security environment.
The capital adjustment, effective from 1 July 2023, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction. APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.
The regulator notes that while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management.
APRA Member Suzanne Smith said the October 2022 cyber incident affecting Medibank customers was one of the most significant data breaches ever experienced in Australia.
“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” Ms Smith said.
Where appropriate, APRA will take further action to ensure entities address gaps and weaknesses in controls.