SYDNEY (Reuters) – Australia’s banking regulator told insurer Medibank (MPL.AX) on Tuesday it would have to set aside A$250 million ($167 million) in extra capital, citing weaknesses identified in its information security after a major hacking breach.
Shares of the country’s biggest health insurer fell as much as 4.6% to mark their worst intraday drop since late October last year. They were last trading at their lowest level since May 3.
Medibank last year disclosed that a hacker stole the personal information of 9.7 million current and former customers and released the data on the dark web in one of Australia’s biggest data thefts.
At least three separate class action suits have been filed against the company in Australian courts on behalf of affected customers.
The Australian Prudential and Regulation Authority (APRA) said the capital adjustment would be effective from July 1 and remain in place until an agreed remediation programme is completed by Medibank to the regulator’s satisfaction.
“In taking this action, APRA seeks to ensure that Medibank expedites its remediation programme,” said Suzanne Smith, an APRA executive board member.
In a statement, Medibank said it had sufficient existing funds to meet the capital adjustment and would continue to work with APRA on remediation measures.
Citigroup analyst Nigel Pittaway said Medibank had enough funds to “relatively easily deal” with the impost.
“We already expected capital returns would be unlikely in this environment given the focus after the cyberattack,” he said. “APRA’s imposition of an increase in Medibank’s capital adequacy requirement … confirms that, aside from its ordinary dividend, Medibank will be unable to return capital to shareholders in the near term.”
Although Medibank has already addressed the specific control weaknesses that permitted unauthorised access to its systems, it still has more work to do across a number of areas to boost its security environment and data management, APRA said.
The regulator’s action is likely to “raise concerns about further potential cyberattack related impacts” on Medibank, Pittaway said.
APRA will also conduct a targeted technology review of Medibank, with a focus on governance and risk culture.
Australia has seen a rise in cyber intrusions since late last year, prompting the government in February to reform security rules and set up an agency to oversee government investment and help coordinate responses to hacker attacks.
The federal government last week named a senior air force commander as its first cybersecurity boss.
Image by: REUTERS/David Gray/File Photo