APRA action under new Private Health Insurance Capital Framework in relation to cyber incident

The Australian Prudential Regulation Authority (APRA) has announced that it has taken action against Medibank Private following an APRA review of its major cyber incident in October 2022.

APRA has imposed an increase in Medibank’s capital adequacy requirement of $250 million, effective from 1 July 2023.

It will be applied to Medibank’s operational risk charge under the new Private Health Insurance (PHI) Capital Framework.

It will remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction.

Medibank Private says it has sufficient existing capital to meet this adjustment.

APRA will also conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.

APRA says that while Medibank has already addressed the specific control weaknesses that permitted unauthorised access to its systems, it still has work to do across a number of areas to further strengthen its security environment and data management.

The OAIC’s investigation into Medibank’s data breach is ongoing.



Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 
