Executives could have their compensation slashed after a data breach, Australia’s peak insurance industry regulator has warned in announcing “intensified” scrutiny of Medibank and a crackdown on regulatory compliance as cyber criminals continue to pillory their victims online.
The severity of the breach – which has sent authorities scrambling as Russian cyber criminals publish the personal healthcare data of thousands of Australians – had “raised concerns about the strength of [Medibank’s] operational risk controls,” the Australian Prudential Regulation Authority (APRA) said in announcing that it had rolled up its sleeves to engage directly with the private health insurer and cyber investigators.
Medibank has been “open and cooperative with APRA during this time,” the agency said in revealing that it had been involved in setting the scope of an external review of the company’s risk management – which was announced by Medibank on 16 November and will be completed by Deloitte.
“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear,” APRA Member Suzanne Smith said, noting that the regulator “expects Medibank to undertake any recommended actions.”
This included “appropriate consequence management” – including the potential for “impacts to executive remuneration where appropriate” in the wake of major data breaches that are allowed to happen under executives’ watch.
Despite these risk management failures, it was recently revealed that Medibank executives were still set to receive around $7.3 million in bonuses, even after revelations that they had decided not to take out cyber insurance to protect the company and its customers’ data against the risk of a cyber security breach.
This failure had left the company fighting to develop and execute an ad hoc response, even as hackers curated the stolen data and published it in small releases sorted by medical condition.
Putting teeth into cyber risk regulations
APRA’s crackdown comes amidst reports that the online blog the hackers were using had gone dark, going offline some time between 21 and 22 November.
Whether that change marks a reprieve for Medibank, or hackers are simply regrouping for a redoubled attack on their victims, remains to be seen.
In the interim, however, APRA’s pronouncement marks an escalation of its expectations that companies and their executives take all appropriate measures to protect their data from compromise.
Those expectations were established with the November 2018 introduction of APRA’s Prudential Standard CPS 234 Information Security, which laid down the regulator’s expectations of insurers, superannuation operators, and other companies in APRA-regulated industries.
The companion Prudential Practice Guide CPG 234, last updated in June 2019, includes guidance for regulated companies – of which Medibank is one – about how to comply with CPS 234 and, more broadly, how to ensure they have appropriate risk management controls in place.
Poor cyber risk controls have increasingly created financial headaches for companies found to be in breach of their prudential obligations, with financial services firm RI Advice fined $750,000 after the Federal Court found the company’s directors had failed to meet their obligations to uphold a “reasonable standard” of cyber security.
As APRA and other government agencies pick up the pieces in the wake of a season of major data breaches led by the Medibank and Optus compromises, executives of companies holding information assets can anticipate continued close scrutiny.
APRA will “intensify its supervision of all entities not meeting [CPS 234],” Smith said, calling the recent attacks “a stark reminder for boards to ensure they can answer fundamental questions” including what data they hold; where it is; how they know it is safe; and whether they need to retain it at all.
“Cyber security is a highly significant risk area for all regulated entities,” she continued, “and we remind banks, insurers and superannuation funds to remain vigilant to protect their beneficiaries and the Australian community.”