Effective from 1 July 2023, this capital adjustment will be applied to Medibank's operational risk charge under the new Private Health Insurance (PHI) Capital Framework. It will remain in place until Medibank completes an agreed-upon remediation program, satisfying APRA's requirements.

Additionally, APRA has announced it will conduct a targeted technology review of Medibank, with a specific focus on governance and risk culture.

Suzanne Smith, APRA Member, emphasized the significance of the October 2022 cyber incident, stating that it was one of the most significant data breaches ever experienced in Australia. She also highlighted that this action by APRA demonstrates its commitment to holding entities accountable for their cyber risk obligations and its determination to address identified weaknesses in cyber security controls.

"APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate," Smith added. She noted that Medibank has consistently maintained an open, constructive, and cooperative relationship with the regulator, aligning with APRA's expectations of all regulated entities.

APRA's ongoing Cyber Security Strategy for 2020-2024 emphasizes the importance of enhancing cyber security across entities and maintaining continuous vigilance to identify and address cyber exposures. Unfortunately, APRA continues to identify poor cyber security practices and inadequate oversight from boards and management in various entities.

In conclusion, the actions taken by APRA against Medibank for the cyber incident highlight the regulator's dedication to ensuring the integrity and security of Australia's financial systems. This serves as a reminder to all entities to prioritize cyber security and promptly address any identified weaknesses.