APRA takes action against Medibank in response to cyber incident


The Australian Prudential Regulation Authority (APRA) has announced that it has taken action against Medibank Private after reviewing the major cyber incident last year.

The prudential regulator said it will impose an increase in the company's capital adequacy requirement of $250 million. It said this reflected weaknesses identified in Medibank’s information security environment.

The capital adjustment, effective from 1 July 2023, will be applied to Medibank’s operational risk charge under the new Private Health Insurance Capital Framework.

APRA said the adjustment will remain in place until an agreed remediation program of work is completed by Medibank to the regulator's satisfaction.

APRA said it will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” said APRA Member Suzanne Smith.

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.

“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate. I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.

“Since launching the 2020-2024 Cyber Security Strategy, APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures. Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management,” added Ms Smith.