APRA intensifies CPS 234 supervision after Medibank breach


APRA has announced it has “intensified its supervision” of Medibank following a devastating ransomware breach and data loss incident last month impacting the health insurer, with the regulator also set to increase compliance checks of information security standard CPS 234 for all regulated entities.

The prudential watchdog has confirmed that it has had input into the scope of an external post-breach review of the private health insurer – first announced on 16 November at Medibank’s AGM, and to be conducted by big four auditing firm Deloitte – to ensure that the review meets APRA’s requirements.

The review will examine the incident, Medibank’s control effectiveness, and its response to the breach, APRA said.

APRA Member Suzanne Smith noted that while Medibank has cooperated effectively with the regulator, and its response to the breach to date has been “constructive”, APRA will still “consider whether further regulatory action is needed when findings of the report become clear”.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate,” Smith said.

More than 9.7 million current and former customers of the private health insurer were affected by the breach, which, APRA said, had “significantly impacted Medibank customers and raised concerns about the strength of its operational risk controls”.

Medibank chief executive David Koczkar confirmed that the health insurer has been in regular consultation with the regulator since the breach incident – reportedly the result of a ransomware attack launched by a Russia-based cyber-criminal syndicate – was first detected in mid-October.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers,” Koczkar said.

Koczkar added: “We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.”

In addition to increased supervisory activity targeted at Medibank, APRA announced that it will also intensify its overall supervision of all regulated entities that have failed to meet the requirements of CPS 234 – the prudential standard aimed at increasing financial services organisations’ resilience against information security incidents – following the Medibank incident as well as other high-profile cyber-breaches of major Australian businesses.

“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience,” Smith said.

“They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?

“Cybersecurity is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community.”