Medibank Private has been forced to set aside a whopping $250 million after the Australian Prudential Regulation Authority (APRA) conducted a review of the health insurer's major 2022 cyber incident.
On 27 June, Australia's prudential supervisor APRA announced it had taken action against health insurer Medibank and would increase Medibank's capital adequacy requirement by $250 million.
This essentially means Medibank has been ordered to hold an additional $250m as insurance against issues related to its 2022 data breach.
APRA, which is responsible for ensuring stability and competitiveness in Australia's financial system, said the colossal amount reflects "weaknesses" identified in Medibank's information security environment.
In the case of Medibank, APRA's imposed capital adjustment took effect from 1 July and will remain in place "until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction".
The decision comes after APRA conducted an examination of matters relating to Medibank's October 2022 cyber incident, which saw the personal data of 9.7 million current and former customers exposed to hackers.
"In taking this action, APRA seeks to ensure that Medibank expedites its remediation program," said APRA member Suzanne Smith.
"This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls."
In an announcement to the Australian Stock Exchange, Medibank suggested it had sufficient existing capital to meet APRA's capital adequacy requirement.
"The Australian Prudential Regulation Authority (APRA) has advised Medibank that it will apply an additional capital adequacy requirement of $250 million from 1 July 2023 following APRA’s review of Medibank's cybercrime event," said Medibank.
"Medibank has sufficient existing capital to meet this adjustment."
The extra capital requirement represents more than half of Medibank's unallocated capital held before the APRA action, but it doesn't end there.
APRA to review Medibank's risk culture
Following its initial incident review, APRA will also conduct a "targeted technology review" of Medibank with a particular focus on the insurer's governance and risk culture.
Furthermore, the regulator noted that while Medibank had addressed the specific "control weaknesses" which enabled attackers to access its systems, the insurer still has "further work to do" across a number of areas to bolster its security environment and data management.
"APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate," said Smith.
"I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities."
Medibank CEO David Koczkar responded to APRA's announcement by emphasising the insurer's commitment to protecting customer data.
"Safeguarding customer data is a responsibility Medibank takes very seriously," said Koczkar.
"Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve.
"We will continue to work to enhance our systems and processes even further."
Medibank facing four lawsuits
Nearly a year on from the initial hack, Medibank is still dealing with four class action lawsuits from both customers and shareholders – one of which was announced by the insurer just last week.
On 29 June, Medibank said it was facing a shareholder class action which involved allegations of "misleading or deceptive conduct" and that Medibank had breached certain continuous disclosure obligations by not disclosing to the market information relating to "alleged deficiencies" in its cyber security systems.
"Medibank intends to defend the proceedings," said Medibank.
Furthermore, law firm Maurice Blackburn has filed a long-standing complaint with the Office of the Australian Information Commissioner (OAIC), alleging Medibank failed in its duties to take steps to protect the privacy of its customers' sensitive health information from unauthorised access.
While an outcome is still pending, the OAIC has the power to order Medibank to pay compensation to affected customers.