APRA intensifies its supervision of Medibank after the cyber attack

The Australian Prudential Regulation Authority (APRA) has intensified its supervision of Medibank Private Limited (Medibank) in response to the recent cyber incident, which has significantly impacted Medibank customers and raised concerns about the strength of its operational risk controls. 

APRA has been working alongside Medibank and other government agencies in response to the cyber incident reported last month. Medibank has been open and cooperative with APRA during this time.

APRA Member Suzanne Smith confirmed that APRA has informed the scope of the external review announced by Medibank on 16 November to ensure that it will meet APRA’s requirements. This review, to be conducted by Deloitte, will examine the incident itself, control effectiveness and the response of Medibank.

Ms Smith said: “While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear. 

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said. In addition, APRA will intensify its supervision of all entities not meeting the Information Security Prudential Standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.

“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience. They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it? 

“Cyber security is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community,” Ms Smith said.

Medibank acknowledges the Australian Prudential Regulation Authority’s (APRA) statement today regarding the recent Medibank cybercrime.

Medibank CEO David Koczkar said: “Since we detected this cybercrime we have been in regular consultation with APRA.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future.

“Our absolute focus is to continue to support and protect our customers through this time. Safeguarding our customers’ data is a responsibility we take very seriously, and we will continue to support all people who have been impacted by this crime”, Mr Koczkar said.