LA Private

Medibank ordered to hold $250m in capital as cyber weaknesses expand

Australia’s largest health insurer, Medibank (ASX:MPL), has been instructed by the prudential regulator to increase its capital adequacy by $250 million and undergo a targeted technology review following the fallout from the country’s largest data breach. The move comes as the insurer faces consumer class action lawsuits stemming from the October 2022 cyber incident that compromised personal information of nearly 10 million customers, including names, dates of birth, addresses, and phone numbers.

The Australian Prudential Regulation Authority (APRA) announced on Tuesday that the capital adjustment would be effective from July 1 and would be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework. The requirement will remain in place until Medibank completes an agreed remediation program to APRA’s satisfaction. APRA will also conduct a targeted technology review, focusing on governance and risk culture within Medibank.

Although Medibank has addressed specific control weaknesses that allowed unauthorised access to its systems, APRA believes that further enhancements are necessary to strengthen the insurer’s security environment and data management. The regulatory action aims to expedite Medibank’s remediation efforts, demonstrating APRA’s strong stance on cyber risk and its commitment to addressing identified weaknesses in cybersecurity controls. APRA expects Medibank to ensure accountability and consequence management, including potential impacts on executive remuneration.

Medibank CEO David Koczkar emphasised the company’s commitment to safeguarding customer data and its ongoing efforts to strengthen systems and processes. Koczkar reassured investors that Medibank remains well-capitalised and will continue supporting customers through the Medibank Cyber Response Support Program, offering mental health and wellbeing support, identity protection, and financial hardship measures.

The fallout from the data breach and subsequent regulatory actions will likely increase Medibank’s regulatory capital requirement by approximately 19% on the $1.32 billion reported at the end of FY22. With APRA’s new PHI capital framework taking effect from July 1, Medibank’s capital needs will be further elevated.

Medibank’s cyber incident, considered one of the largest in Australian history, has underscored the importance of improving cyber resilience across entities. APRA has repeatedly emphasised the need for heightened cybersecurity and vigilance in identifying and addressing cyber exposures. The regulator has observed inadequate oversight from boards and management in some entities, indicating a need for enhanced cybersecurity practices.

While Medibank faces significant financial implications from the data breach, including potential costs related to customer lawsuits, the company remains committed to strengthening its IT processes and systems. The insurer has received Deloitte’s recommendations from a review of the cyber incident, focusing on enhancing its cybersecurity measures. Medibank has chosen not to publicly release the findings, citing security risks to the company and other Australian businesses.

As Medibank works toward rectifying the weaknesses in its cybersecurity framework, the regulatory actions by APRA underscore the critical importance of addressing cyber risk in the insurance sector and maintaining robust data protection measures.