)
The Australian Prudential Regulation Authority (APRA) is taking a hard stance on cyber security controls following a review of the hack that affected private health insurer Medibank (ASX: MPL) and almost 10 million of its customers last year.
In a move aimed at expediting Medibank's remediation program and to ensure accountability, the regulator will impose an increase in Medibank’s capital adequacy requirement of $250 million - a figure representing close to a quarter of the group's health insurance-related capital of more than $1 billion at the end of 2022.
APRA explains the $250 million increase reflects the weaknesses identified in Medibank’s information security environment.
The hike in this capital risk buffer contrasts with Medibank's expectations announced in February to reduce its target health insurance required capital ratio by one or two percentage points down to 10-12 per cent.
In addition to the $1 billion-plus in health insurance-related capital by the end of 2022, Medibank also had non-fund required capital of $205.6 million and an unallocated capital surplus of $198.1 million.
The new capital adjustment will be in effect from 1 July, applying to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework and remaining in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.
The regulator will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.
APRA notes that while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management.
APRA member Suzanne Smith said the October 2022 cyber incident affecting Medibank customers was one of the most significant data breaches ever experienced in Australia.
"In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” Smith said.
"This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.
"As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate."
She noted that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with the regulator's expectation of all regulated entities.
"Since launching the 2020-2024 Cyber Security Strategy APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures," Smith said.
"Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management."
MPL shares were down 3.49 per cent at midday at $3.455, although they are still up substantially on their $2.91 level at the start of 2023.
Get our daily business news
Sign up to our free email news updates.
)
)
)
)
)
