Medibank will undergo a "targeted technology review" by financial regulator APRA and must also hold more capital while it remediates weak controls that contributed to last year's hack and data breach.
The Australian Prudential Regulatory Authority (APRA) said it had decided to impose a $250 million increase in the insurer’s capital adequacy requirement, following a review of the cyber incident.
Forcing additional capital to be held is a common short-term penalty, often imposed in the wake of an incident or string of incidents.
APRA said the increase would "remain in place until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction" with respect to its information security controls.
While the specific vulnerability that led to last year’s data breach has been addressed, APRA said, the insurer “still has further work to do across a number of areas to further strengthen its security environment and data management.”
The authority also wants Medibank to expedite its remediation program.
In addition, APRA said it will separately "conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture".
The timeline for this additional review is not clear.
Medibank said in a financial filing that it “has sufficient capital to meet this adjustment”.
“Medibank will continue to provide its full support and work collaboratively with APRA, including on the remediation program,” the insurer said.
The data breach affected a total 9.7 million customers, and in February, Medibank revealed it had expected the direct costs of the breach to reach $40 million.
