On 13 October 2022, Medibank reported a cyber-attack resulting in a data breach. The incident and resulting impacts are still under investigation, however as per its ASX releases of last week, it is anticipated that some personal identification information of Medibank customers has been compromised.
Concern around identification and transaction fraud remains high given the nature of the potential information that has been breached. Entities employing online application and policy transaction processes are urged to strengthen verification controls and increase vigilance on avenues of potential fraud, including the use of credit card information.
This incident follows quickly in the wake of the Optus incident and the regulated community must ensure that information security controls are in place and operating to safeguard the entity, along with the requirements and obligations of Prudential Standard CPS234 Information Security. The key requirements of this Prudential Standard are that an APRA-regulated entity must:
- clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- notify APRA of material information security incidents.
These circumstances serve as a reminder that cyber activity continues to escalate. Regulated entities are urged to review incident response plans and to ensure the regular testing of these plans. Senior Management and Board must be in a position to respond and mitigate harm.
Entities should also appropriately communicate with their customers to raise awareness and direct customers to reputable sources such as ACSC, Moneysmart and the Office of the Australian Information Commissioner, which outline additional steps customer can take to limit the risk of fraud.
APRA is working alongside other government agencies and regulatory peers in response to this incident.
Of related interest, APRA has issued a discussion paper and is currently consulting on ways to strengthen the management of operational risk in financial services. Further detail can be found here.
If you have any queries, please contact your APRA supervisory team.