Medibank will have a $250 million increase in its capital adequacy requirement after the Australian Prudential Regulation Authority (APRA) took action over the October 2022 data breach.
APRA announced on Tuesday that following a review of the “cyber incident”, it will impose an increase in Medibank’s capital adequacy requirement of $250 million, which it said reflected “weaknesses identified in Medibank’s information security environment”.
APRA member Suzanne Smith said the cyber attack affecting Medibank customers was one of the most significant data breaches ever experienced in Australia.
“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” Ms Smith said.
“This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”
The capital adjustment, which will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework, will take effect from 1 July 2023 and will stay in place until Medibank completes an agreed remediation program to APRA’s satisfaction.
APRA said it would also conduct a targeted technology review of Medibank, focusing on governance and risk culture.
The prudential regulator added that Medibank has addressed the specific control weaknesses that permitted unauthorised access to its systems, however, it still has work to do across a number of areas to further strengthen its security environment and data management.
“As noted previously, APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said.
“I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities.
“Since launching the 2020-2024 Cyber Security Strategy, APRA has repeatedly stressed the importance of an uplift in cyber security and continued vigilance to identify and address cyber exposures. Unfortunately, not all entities are heeding these messages as we continue to identify poor cyber security practices and inadequate oversight from boards and management.”
Medibank’s share price closed 3.91 per cent down on Tuesday at $3.44.
Medibank responds
In a filing to the ASX, Medibank said it has sufficient existing capital to meet the APRA-imposed increase in its capital adequacy requirement.
After application of this requirement, Medibank said it will remain well capitalised with unallocated capital remaining at 30 June 2022 levels, which was $148 million. As a result of this, Medibank added that it will not currently reduce its target health insurance required capital ratio.
“Safeguarding customer data is a responsibility Medibank takes very seriously," said Medibank chief executive officer David Koczkar.
“Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve. We will continue to work to enhance our systems and processes even further.
“Our company remains strong and well capitalised,” he assured.
Moreover, the private health insurance provider assured it would continue to provide its full support and work collaboratively with APRA including on the remediation program.
“We continue to support our customers through the Medibank Cyber Response Support Program, which includes mental health and wellbeing support, identity protection, and financial hardship measures.”
Cyber incidents on the rise
Medibank is not the only organisation to be adversely impacted by a cyber incident, with the high-profile Optus hack and the Latitude breach both occurring in the last 12 months.
In May, Latitude warned its half-year and full-year profits are expected to fall substantially in the wake of the cyber attack, in which almost 8 million drivers’ licence numbers and 14 million records were stolen.
Latitude indicated its cash net profit after tax (NPAT) for the half year to 30 June is expected to sit in the range of $5–10 million, down from $93 million in the same period a year earlier.
After undertaking an extensive review, the company also indicated it would make a provision for costs associated with the cyber attack.
“While the range of potential outcomes is large and there are many unknowns, the board anticipates it will recognise approximately $53 million after tax in 1H23, which includes both costs incurred and a provision of $46 million after tax,” it said.
