A new fight? - APRA imposes first capital requirements for a cyber attack

In a first, APRA has imposed an increase in Medibank Private’s capital adequacy requirement of $250 million following a major cyber-attack in connection with “weaknesses identified in Medibank’s information security environment”. In this briefing, we give an overview of APRA’s response to the cyber-attack, what it signifies for the Australian prudential landscape and what prudential organisations should do now.

Round one 

Medibank Private, a large health insurer, was the victim of a sophisticated cyber-attack in October 2022. The threat actor accessed customers’ personal data, and up to 9.7M records, with the insurer stating that health claims for about 160,000 Medibank customers, 300,000 AHM customers (a related entity) and 20,000 international customers were accessed. The information exposed includes service provider names and codes associated with diagnosis and procedures, and was released by the threat actor following Medibank’s refusal to pay a US$10M(AU$15M) ransom. 

The attack set off a wave of media, political, regulatory and legal considerations for the health insurer.  Four representative actions have now been filed against Medibank in relation to the incident, all of which are entirely unrelated to APRA’s actions. They are:

• a consumer class action commenced in the Federal Court by Baker & McKenzie on 6 February 2023, funded by Omni Bridgeway;

• a second consumer class action commenced in the Federal Court by Slater & Gordon on 4 May 2023; 

• a shareholder class action commenced in the Victorian Supreme Court by Quinn Emanuel on 28 March 2023 relating to a lack of compliance with CPS 234 over a three-year period and a contravention of continuous disclosure obligations; and

• a representative complaint with the Office of the Australian Information Commissioner (OAIC) by Maurice Blackburn.

The way in which the shareholder class action has been pleaded is noteworthy. CPS 234 provides that the board of an APRA regulated entity must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets.^[1]  To our knowledge, this is the first shareholder class action based on an alleged breach of a prudential standard.

Round two 

APRA’s capital adjustment will be applied to Medibank’s operational risk charge under the new Private Health Insurance Capital (PHIC) framework. It will remain in place “until an agreed remediation program of work is completed by Medibank to APRA’s satisfaction”.  In addition, the prudential regulator will conduct a review of Medibank from a technology perspective – focusing specifically on governance and risk culture in that division. 

APRA has stated that it has taken the action to ensure that Medibank expedites the remediation program, as it considers that Medibank has work to do across a number of areas to further strengthen its security environment and data management. APRA Member Suzanne Smith, while noting Medibank’s “open, constructive and co-operative” approach to it (which is wording directly taken from the forthcoming Financial Accountability Regime (FAR)), stated that:

The PHIC framework, which comes into effect on 1 July 2023, requires private health insurers to maintain an appropriate level of financial resilience, for the protection of policy holders. It aligns life insurers with general insurers, and rests on Prudential Standard HPS 110 Capital Adequacy. APRA states in HPS110:

In essence, the capital the life insurer is required to hold needs to mitigate against unanticipated losses from life insurer’s activities / if they actually occur, ensure that the life insurer can meet their insurance obligations to policyholders. The level of capital they need to hold is different from insurer to insurer, and depends on a range of financial and non-financial factors e.g. asset concentration risk, which might be higher if the insurer was more heavily exposed to a discrete sector of the market.

Life insurers must have in place an Internal Capital Adequacy Assessment Process (ICAAP) that considers each fund of the insurer, as well as the entity as a whole, and provide an ICAAP report to APRA annually. APRA can impose capital requirements relatively easily based on ICAAP information, or otherwise. It has exceptional powers to do so. From the perspective of guiding the regulated population to its desired outcomes, it can be a far more “efficient” way, compared to proceedings or fines given the impacts of higher regulatory capital requirements below. 

Round 3 

Ask any prudential CFO to rank what keeps them up at night, and they will likely put capital charges over regulatory fines, and mandated remediation programs. The reason is that: 

1.  they have to find the capital, whether using their own or others – which can be expensive;
2. when there is too much capital in reserve, the affordability of insurance policies can be affected; and
3. large pools of capital raise bigger economic questions about “lazy capital” that may be better used to boost productivity.  The premiums collected can’t be used to invest in interest generating assets, which impacts the balance sheet of the whole organisation.  

APRA knows this of course.  

In its covering note for HPS 110 in September 2022, it stated that: “The new standards are not expected to provide a basis for increasing premiums…The industry is therefore well-positioned to absorb the increase in minimum capital requirements.” 

Final round 

Medibank has said it has sufficient existing capital to meet the APRA-imposed increase in its capital adequacy requirement. Moreover, it assured it would continue to provide its full support and work collaboratively with APRA including on the remediation program, which APRA has commended it on. It is not alone in being financially impacted by a threat actor – Latitude (which is not prudentially regulated) made an after-tax provision of $46 million in connection with its cyber attack incident. 

Prudential entities need to review the governance and risk culture in their technology divisions now in order to avoid both cyber-attacks, and APRA’s attentions, if there is one and later it identifies there are control weaknesses in the entity’s security environment and data management.  Internal audit is a good start, or external parties where they have a good understanding of the law. 

They also need to undertake FAR “reasonable steps” reviews around the FAR accountability statements they’re building for their CIOs, CTOs and CEOs to protect them. The increasing prevalence of cyber-attacks, together with APRA’s hawkish response to Medibank Private, necessitates this as a mitigant to future actions. APRA has specifically stated that, where appropriate, it will take further action to ensure entities address gaps and weakness in controls relating to IT and cyber practices. The Medibank action may be the start of a new normal.

There is a bigger fight upcoming too – the FAR, which places personal liability on directors / executives to take ‘reasonable steps’ to comply with broad conduct obligations e.g. ‘skill’ and ‘integrity’ in connection with their areas of bespoke responsibility.  It is to be operated by both APRA, from a prudential perspective, and ASIC, from a conduct perspective. When cyber-attacks happen in future, and damage a prudential entity, APRA (and ASIC) won’t just be looking at the organisation but also the individuals. The first personal fine has been handed down in the UK in April 2023 to a CIO (in connection with a failed IT migration), and APRA / ASIC won’t have missed it.

Clyde & Co has a preeminent position in the market in cyber response and financial services regulation.  We are advising many organisations in relation to these issues – please get in contact with your usual Clyde & Co adviser (or any of us) if you’d like to know more. 
 

[1] Paragraph 13, CPS 234 Information Security. It is also worth noting that a final version of CPS 230 (Operational Risk Management) together with draft supporting guidance are set to be released by APRA in mid-2023. CPS 230 will introduce new requirements with respect to the role of the Board and senior management, with a view to strengthening regulated entities’ operational resiliency and risk management. The framing of the shareholder action as a breach of continuous disclosure contraventions insofar as a prudential standard has been breached is something that financial institutions should monitor carefully. The approach taken post Medibank signals that the non-compliance with prudential standards presents both regulatory and, potentially now, third party claims risks.  

[2] Paragraph 27, HPS110.