Medibank required to hold an extra $250m to address cyber weaknesses


Australia’s prudential regulator APRA has imposed a $250 million increase in Medibank’s capital adequacy requirement to ensure the health insurer deals with weaknesses in its information security environment identified after a high-profile data loss event last October.

The capital adjustment, effective from 1 July 2023, will remain in place until a remediation program of work, yet to be agreed, is completed by the health insurer “to APRA’s satisfaction”, the regulator said.

“APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture,” the regulator added in a statement.

In response to APRA’s notice, Medibank said it has sufficient existing capital to meet this adjustment; chief executive David Koczkar added that the company “remains strong and well capitalised”.

Currently, as disclosed in its 2022 Annual Report, the health insurer has an unallocated capital surplus of $148.0 million. As a result, Medibank said that it will not be required to reduce its target health insurance required capital ratio.

The company, Australia’s largest private health insurer, also reported that its business-related capital totalled $983.7 million, equivalent to 13.0 per cent of premium revenue.

The health insurer said it will continue to provide its “full support and work collaboratively with APRA including on the remediation program”.

APRA noted that while Medibank has already moved to address “specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management”.

The cyber breach, APRA Member Suzanne Smith acknowledged in a statement, was among the most significant data loss incidents experienced by a major Australian business.

More than 9.7 million current and former customers of the private health insurer were affected by the hack, which saw the loss of sensitive PII, including names, email and home addresses, phone numbers, Medicare numbers, dates of birth, passport numbers and visa details.

Also exfiltrated were personal health claims data for a smaller number of Medibank Group customers (reportedly around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers), including details on medical procedures, service provider names, and locations and codes associated with the diagnoses and procedures given.

APRA said that it “expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate”.

“I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities,” Smith said.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program.”

“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”

Medibank’s Koczkar added that the company has “continued to strengthen our systems and processes” to meet customer expectations.

“We will continue to work to enhance our systems and processes even further.”

APRA has also put other cyber-deficient regulated entities on notice, stating that it “will take further action to ensure entities address gaps and weakness in controls”.