The Australian Prudential Regulation Authority (APRA) has intensified its supervision of Medibank Private Limited (Medibank) in response to the recent successful cyberattack that significantly impacted Medibank's customers.
APRA Member Suzanne Smith confirmed that the regulator, which has been working with Medibank and government agencies in response to the cyberattack, has outlined the scope of the external review announced on November 16 to ensure that it will meet the regulator's requirements. The review, conducted by Deloitte, will examine the cyber incident, control effectiveness, and Medibank's response.
“While APRA notes Medibank's constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear,” Smith said. “APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”
Last month, private health insurer Medibank announced that it was hit by a cyberattack, with the stolen data including hundreds of customers' names, addresses, and birthdates.
With the incident shaking up Australian companies, APRA decided to intensify its supervision of regulated entities that fail to meet Prudential Standard CPS 234 (Information Security), alongside its other supervisory activities.
Smith said: “Recent cyberattacks reinforce the need for ongoing vigilance and focus by boards on operational resilience. They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?
“Cyber security is a highly significant risk area for all regulated entities, and we remind banks, insurers, and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community.”