Financial services watchdog the Australian Prudential Regulation Authority (APRA) is calling for the paycheques of Medibank executives to be docked in light of the recent data breach.
The data breach, which occurred last month, saw the records of 9.7 million former and current Medibank customers stolen by Russian hackers. The criminals behind the hack have requested a ransom of AU$15.6 million, which Medibank has refused to pay. Five waves of stolen data have been released to date.
APRA has said that the data breach had it questioning “the strength of [Medibank’s] operational risk control” and that it would be ramping up its oversight of the health insurer.
In addition, APRA executive board member Suzanne Smith has called for Medibank to financially penalise its executives.
“[APRA] expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts on executive remuneration when appropriate.”
Medibank CEO David Koczkar was paid a total of roughly $5.4 million ($3.76 million plus a pay increase of $1.64 million), as reported at the company’s annual general meeting this month. Meanwhile, a further 1,500 Medibank customer records were released last week.
Smith said that while Medibank has cooperated with APRA since the breach, the watchdog has announced an external review, conducted by Deloitte, to examine the incident and Medibank’s response in more depth.
“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear.”
Smith also said that incidents like these, while detrimental to the security of Australian citizens, are a loud wake-up call for companies that need to review their cyber security practices.
“Recent cyber attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience. They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?
“Cyber security is a highly significant risk area for all regulated entities, and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community.”