The Australian Prudential Regulation Authority (APRA) has imposed an extra $250m on Medibank’s capital adequacy requirement. Medibank Private, a health insurance provider, suffered a data breach in October 2022 which resulted in the compromise of 9.7 million current and former customers. This was one of the most significant breaches in Australia. APRA made the announcement following its examination of the matters relating to the incident, and the increase reflects the weaknesses identified in Medibank’s information security environment. APRA noted that “while Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management.” The action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk. In taking this action, APRA seeks to ensure that Medibank expedites its remediation program.

This segment was created for the It’s 5:05 podcast