Australia is beefing up its scrutiny of Medibank and will assess whether further regulatory action is necessary, following a data breach that impacted 9.7 million customers. The insurance group has also pledged to share the outcome of an external review into the breach, which is believed to be the work of Russian hackers.
Noting that the breach raised concerns about the robustness of Medibank’s operational risk controls, the Australian Prudential Regulation Authority (APRA) said Monday it had “intensified” its supervision of Medibank. Consulting firm Deloitte had been brought in to examine the security incident, as well as Medibank’s response and the effectiveness of its controls.
The financial services regulator said it would determine if further regulatory action was necessary when findings of the external review were established.
APRA Member Suzanne Smith said: “APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”
The government agency added that it would further intensify supervision of all entities that failed to comply with the country’s Information Security Prudential Standard CPS 234, which outlined measures they must take to remain resilient against cybersecurity incidents.
“Recent cyber attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience,” Smith said. “They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And