Following Medibank Private’s report of a cyber-attack resulting in a data breach, APRA has reminded entities regulated by it that they must ensure that information security controls are in place and operating to safeguard the entity, along with the requirements and obligations of Prudential Standard CPS234 Information Security.
UPDATE 26 October 2022: Medibank has announced that its investigation has now established that the criminal had access to:
“All ahm customers’ personal data and significant amounts of health claims data
All international student customers’ personal data and significant amounts of health claims data
All Medibank customers’ personal data and significant amounts of health claims data.”
The key requirements of Prudential Standard 234 are that an APRA-regulated entity (including private health insurers) must:
- clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- notify APRA of material information security incidents.
The Medibank incident and resulting impacts are still under investigation, however, Medibank notified the ASXÂ on 20 October 2022 that it has been contacted by a criminal claiming to have stolen 200GB of data.
APRA has urged entities employing online application and policy transaction processes to strengthen verification controls and increase vigilance on avenues of potential fraud, including the use of credit card information.
Entities should also appropriately communicate with their customers to raise awareness and direct customers to reputable sources such as ACSC, Moneysmart and the Office of the Australian Information Commissioner, which outline additional steps customers can take to limit the risk of fraud.
If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.
Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.