Medibank executives should have their pay docked over their recent cyber breach, the financial services watchdog has warned.
In a statement, the Australian Prudential Regulation Authority said it had “intensified” its supervision of Medibank in the wake of last month’s cyber attack, in which suspected Russian-based hackers stole 9.7 million current and former customer records.
On Monday, APRA said the breach had “raised concerns about the strength of its (Medibank’s) operational risk control.”
APRA member Suzanne Smith went further, saying that the regulator “expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts on executive remuneration when appropriate.”
Ms Smith said the cyber attacks, which have so far seen medical information relating to HIV, abortions, drug and alcohol abuse and mental illness released onto the dark web, were a salient reminder for boards to focus on their operational resilience.
“They are a stark reminder for boards to ensure they can answer these fundamental questions – do you know what data you are holding? Do you know where it is? How do you know it is safe?” she said.
Earlier this month, it was announced Deloitte would conduct an external review of Medibank.
“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clearer,” Ms Smith said.
The comments come as Medibank chief executive David Koczkar received $3.76 million and a $1.64 million pay increase at Medibank’s annual general meeting earlier this month, according to reports.
The health insurer has been praised for its decision not to pay the hackers’ $15 million ransom demand.
Earlier this month, Australian Federal Police Commissioner Reece Kershaw said authorities believed a “group of loosely affiliated cyber criminals” based in Russia was responsible for the attack.
“We believe we know which individuals are responsible, but I will not be naming them,” the Commissioner said, adding that the AFP would be holding talks with Russian law enforcement.