The Australian Prudential Regulation Authority (APRA) has intensified its supervision of Medibank Private Limited (Medibank) in response to the recent cyber incident, which has significantly impacted Medibank customers and raised concerns about the strength of its operational risk controls.
APRA has been working alongside Medibank and other government agencies in response to the cyber incident reported last month. Medibank has been open and cooperative with APRA during this time.
APRA Member Suzanne Smith confirmed that APRA has provided input into the scope of the external review announced by Medibank on 16 November, to ensure that it will meet APRA’s requirements. This review, to be conducted by Deloitte, will examine the incident itself, the effectiveness of Medibank’s controls and Medibank’s response.
Ms Smith said: “While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear.
“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate,” Ms Smith said.
In addition, APRA will intensify its supervision of any entities identified as not meeting the Information Security Prudential Standard CPS 234, whether through the extensive independent review currently underway or through other supervisory activities.
“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience. They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?
“Cyber security is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community,” Ms Smith said.