Prudential regulator 'intensifies' supervision of Medibank in response to cyber-attack

Latest News

The Australian Prudential Regulation Authority (APRA) says it has intensified its supervision of Medibank Private in response to the recent cyber-attack.

The attack has seen hackers release online the confidential information of some Medibank customers and led the federal government to create a task force and seek parliamentary support for higher penalties for data breaches.

APRA Member Suzanne Smith confirmed that APRA has informed the scope of the external review announced by Medibank on 16 November to ensure that it will meet APRA’s requirements. This review, to be conducted by Deloitte, will examine the incident itself, control effectiveness and the response of Medibank.

Ms Smith said: “While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said.

APRA said it will also intensify its supervision of all entities not meeting the Information Security Prudential Standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.

“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience. They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?

“Cyber security is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community,” added Ms Smith.

Medibank CEO David Koczkar said, “Since we detected this cybercrime we have been in regular consultation with APRA.

“Given the nature of this event, we believed it was important to have an external review which we announced at our Annual General Meeting on 16 November 2022. As part of our engagement, Medibank consulted with APRA on the scope of the external review we commissioned Deloitte to undertake.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future.

“Our absolute focus is to continue to support and protect our customers through this time.

“Safeguarding our customers’ data is a responsibility we take very seriously, and we will continue to support all people who have been impacted by this crime," he said.