Medibank hit with $250m extra capital requirement for data breach

Medibank Private will be required to hold an additional $250 million capital buffer as a consequence of its large-scale data breach last year, the banking regulator said after a review of the incident.

The Australian Prudential Regulation Authority (APRA) also flagged there should be repercussions for executive pay at the health insurer after it identified weaknesses in Medibank’s information security settings.

Medibank will be required to complete a remediation program to APRA’s satisfaction following a review of its cyber incident. Credit: Steven Siewert

“APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate,” APRA member Suzanne Smith said, announcing the regulator’s findings on Tuesday.

Smith said the October 2022 cyber incident, which resulted in the compromise of basic account details of 9.7 million current and former Medibank customers, was one of the most significant data breaches ever in Australia.

“In taking this action, APRA seeks to ensure that Medibank expedites its remediation program,” she said.

The extra capital requirement will take effect from July 1, and remains in place until the insurer completes a remediation program to APRA’s satisfaction.

The regulator said while Medibank had addressed the specific control weaknesses that left it vulnerable to hackers, it would conduct a targeted technology review of the insurer focusing on governance and risk culture.

“Medibank still has further work to do across a number of areas to further strengthen its security environment and data management,” the regulator said.


Despite APRA repeatedly stressing the importance of tightened cybersecurity measures and continued vigilance to identify and address potential exposures to hackers, Smith said there were still weaknesses in companies’ control measures.

“Unfortunately, not all entities are heeding these messages as we continue to identify poor cybersecurity practices and inadequate oversight from boards and management,” Smith said.
