The Australian Prudential Regulation Authority (APRA) has increased Medibank Private’s capital adequacy requirement by $250 million. The action, announced this morning, is a response to the regulator’s review of last year’s massive cyber attack against the private health insurer.
“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” said APRA executive board member Suzanne Smith. She added that the October cyber incident was one of the most significant data breaches ever experienced in Australia.
In its media release, the regulator said Medibank “has already addressed the specific control weaknesses which permitted unauthorised access to its systems.” However, the release said the health insurer has more work to do across a number of areas to further strengthen its security environment and data management.
“APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” said Smith. “I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.”
The release said the capital adjustment, effective from July 01, will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. It will remain in place, said the release, until an agreed remediation program of work is completed by Medibank “to APRA’s satisfaction”.
APRA said it will also conduct “a targeted technology review” of Medibank, focusing on governance and risk culture.