The Australian Prudential Regulation Authority (APRA) is intensifying its supervision of Medibank Private, and is widening its investigations into financial services security more broadly.
The move comes in the wake of the Medibank data breach, which APRA said in a statement “raised concerns about the strength of [Medibank’s] operational risk controls”.
APRA said it has been working with Medibank and other government agencies since the breach emerged, and praised the company for being “open and cooperative”.
A member of the authority, Suzanne Smith, said APRA has also "informed the scope” of an external review being conducted by Deloitte, which is also carrying out similar work around the Optus data breach.
“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear”, Smith said.
“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”
More broadly, APRA indicated it will “intensify its supervision of all entities not meeting the information security prudential standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.”
CPS 234 was introduced in 2019 to shore up cyber resilience and requires banks, insurers and superannuation funds to maintain security capabilities, conduct regular tests and notify the regulator if incidents occur.
It has previously targeted compliance rates for the standard.
Smith said boards need to know they can answer “fundamental questions”, including: “Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?”
The Medibank and Optus data breaches have prompted the government to introduce laws to increase the fines the Office of the Australian Information Commissioner can levy against companies that are breached.
