Medibank slapped over hack
APRA has taken action against Medibank Private over a major cyber incident.
Medibank Private faces a significant financial blow as the Australian Prudential Regulation Authority (APRA) imposes a $250 million capital adequacy requirement.
The move comes as a result of a major data breach that occurred last year, prompting concerns about Medibank's governance and risk culture.
Equities analysts at JPMorgan predict that this decision by APRA could heighten the risk of adverse class action rulings against Medibank.
The development has been seen as a negative signal for the company's stock, suggesting an increased likelihood of unfavourable outcomes in the ongoing class action lawsuits related to the cyber breach.
Last October, hackers stole nearly 10 million customer records from Medibank, demanding a ransom payment and later releasing portions of the sensitive information they obtained.
The stolen data included confidential details about the medical conditions and treatment of around 480,000 policyholders.
In response to the breach, Medibank engaged Deloitte to produce a comprehensive report, and in late April, the company announced plans to implement changes based on the findings.
However, Medibank has chosen not to disclose the report or its recommendations to the public.
The unexpected capital adequacy requirement from APRA caught the market by surprise, but analysts believe that Medibank has enough capital to manage the impact.
Nevertheless, the $250 million set aside will limit the company's ability to allocate funds for other purposes such as investment or capital expenditure.
Medibank's CEO, David Koczkar, says that the insurer remains well capitalised and committed to enhancing its systems and processes to safeguard customer data.
APRA's decision shows the seriousness with which it views entities' cyber risk obligations and the need for robust cybersecurity controls.
Suzanne Smith, an APRA executive, has highlighted the regulator's expectation of appropriate accountability and consequence management, including potential impacts on executive remuneration.
APRA will conduct a targeted technology review of Medibank, focusing on governance and risk culture.
Shares in Medibank fell 3.6 per cent following the news.
APRA's actions send a clear message to all entities about the importance of addressing cyber risk and strengthening cybersecurity practices.
It is clear that inadequate oversight and poor cybersecurity practices will not be tolerated, and APRA is prepared to take further action if necessary to ensure entities address any gaps or weaknesses in their controls.