Medibank hit with $250m extra capital requirement for data breach

Medibank Private will be required to hold an additional $250 million capital buffer as a consequence of its large-scale data breach last year, the prudential regulator said after a review of the incident.

The Australian Prudential Regulation Authority (APRA) also flagged that there should be consequences for executive pay at the health insurer after it identified weaknesses in Medibank’s information security controls.

Medibank will be required to complete a remediation program to APRA’s satisfaction following a review of last year’s data breach. Photo: Steven Siewert

“APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” APRA member Suzanne Smith said announcing the regulator’s findings on Tuesday.

Smith said the October 2022 cyber incident, which resulted in the compromise of basic account details of 9.7 million current and former Medibank customers, was one of the most significant data breaches ever in Australia.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” she said.

The extra capital requirement will take effect from July 1, and will remain in place until the insurer completes a remediation program to APRA’s satisfaction.

Medibank was the biggest large-cap decliner on the ASX after its shares sank 3.9 per cent to $3.44 at the close on Tuesday.

The regulator said that while Medibank had addressed the specific control weaknesses that left it vulnerable to hackers, it would conduct a targeted technology review of the insurer focusing on governance and risk culture.

“Medibank still has further work to do across a number of areas to further strengthen its security environment and data management,” the regulator said.

In a note on Tuesday, Citigroup managing director of insurance and diversified financials research Nigel Pittaway said the capital requirement suggested that, aside from its ordinary dividend, Medibank would be unable to return capital to shareholders in the near term.

“APRA’s action may have caught the market a little by surprise, and it is also likely to raise concerns about further potential cyberattack related impacts,” Pittaway wrote. “There is also the risk of higher costs as it implements APRA’s required system changes.”

However, Pittaway also said Medibank had the capital to enable it to deal with the action relatively easily.

Despite APRA repeatedly stressing the importance of tightened cybersecurity measures and continued vigilance to identify and address potential exposures to hackers, Smith said there were still weaknesses in companies’ control measures.

“Unfortunately, not all entities are heeding these messages, as we continue to identify poor cybersecurity practices and inadequate oversight from boards and management,” Smith said.

Millie Muroi is a business reporter at The Sydney Morning Herald and The Age. She covers banks, financial services and markets, and writes opinion pieces with a focus on economics.