Case study: APRA regulatory action against Medibank

On 27 June 2023, the Australian Prudential and Regulation Authority (APRA) announced it would impose on Medibank Private (Medibank) a capital adequacy requirement of $250 million.

This follows APRA's review of the cyber security incident that Medibank faced in October 2022, with the increased capital adequacy requirement reflecting weaknesses identified in Medibank's information security environment by APRA.

Background

In October 2022, 9.7 million past and present Medibank customer records were stolen from Medibank systems and subsequently leaked on the dark web by cybercriminals after Medibank refused to pay the criminals' ransom demands. The records contained sensitive customer information, including customers' medical conditions and treatment.

Capital adjustment

The increased capital adequacy requirement became effective from 1 July 2023 and will remain in place until APRA is satisfied with an agreed remediation program of work completed by Medibank. The capital adjustment is applied to Medibank's operational risk charge under the Private Health Insurance (PHI) Capital Framework.

Key takeaways

The action taken by APRA against Medibank is a reminder to all APRA regulated companies of the strict stance the authority has towards cyber security data breaches.

Where companies have inadequate controls and risk management systems, specifically regarding preventing unauthorised access to private consumer data, it is crucial that businesses take action to strengthen their security environment and data management prior to any potential cyber exposures. APRA Member Suzanne Smith stated: “This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls¹."

Return to Privacy: Mid-year review 2023

¹ Australian Prudential and Regulation Authority, Media Release: APRA takes action against Medibank Private in relation to cyber incident, 27 June 2023.