Financial watchdog puts Medibank management on notice

The financial services watchdog has put Medibank Private’s management on notice, flagging it would take further action against the health insurer’s executives if the company’s risk management is found to be inadequate.

The Australian Prudential Regulation Authority (APRA) on Monday said it had intensified its supervision of Medibank in response to the recent cyberattack that exposed its entire customer database. APRA member Suzanne Smith said the regulator had provided its input into the external review announced by Medibank on 16 November to ensure that it will meet APRA’s requirements.

Sensitive Medibank customer data has been leaking onto the dark web. Credit: Getty Images / Louise Kennerley

The external review, to be carried out by Deloitte, will examine the cyberattack, the effectiveness of Medibank’s controls, and its response to the incident.

“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear,” Smith said.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”

The prudential regulator’s sentiment echoes that of proxy advisors who have warned that Medibank’s management must be held accountable if the Deloitte review deems its handling of the cyberattack to be inadequate.

Before Medibank’s AGM this month, CGI Glass Lewis flagged that board renewal and executive scalps might be needed over the coming year and raised the spectre of executive pay “clawbacks” to account for any executive shortcomings that had allowed the attack to be so damaging.

“It may be the case that in due course, the board and executive team will require renewal to a) bolster its skills and knowledge of cybersecurity and b) show accountability for the loss of privacy to its customers and the loss of value to Medibank shareholders,” CGI said.

Medibank chief executive David Koczkar said the health insurer has been in regular consultation with APRA since the cyber incident. This included consulting on the scope of the external review by Deloitte.

“The review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers,” he said.

“We are grateful for the support we and our customers have received from the government and its agencies as this crime has unfolded.”

The hackers accessed the customer data of close to 10 million current and former Medibank customers last month. This included sensitive information on close to 500,000 policyholders, including details of medical treatment.

The hackers have drip-fed sensitive health information about Medibank customers on the dark web in an attempt to pressure the company into paying a $US10 million ($15 million) ransom, which the insurer has refused to pay.

The dark web forum hosting the hackers’ blog – which they have used to release customer data – was offline for most of last week before surfacing again over the weekend. There have been no further updates, or releases of sensitive customer data, for more than a week.

Federal Police commissioner Reece Kershaw this month named Russia as the home of the Medibank hackers as experts warned Australians to expect a wave of financially motivated cybercrime from the country.
