Medibank’s executive bonuses targeted under potential regulatory action after Russian cyber attack

Australia’s biggest health insurer could be forced to rein in more than $7.5m of executive bonuses under potential action being considered by the financial services regulator.

Medibank could be forced to slash executive bonuses under potential regulatory action from the financial services watchdog after a cyber attack exposed the health records and other sensitive data of almost 10 million customers.

The Australian Prudential Regulation Authority said on Monday that it has “intensified its supervision of Medibank” in the wake of the nation’s biggest cyber assault.

APRA member Suzanne Smith said the regulator was considering taking further regulatory action against the health insurer and expected to take “appropriate consequence management”, highlighting the company’s executive remuneration.

Ms Smith’s comments come less than two weeks after Medibank chairman Mike Wilkins said executives – including chief executive David Koczkar – will keep this year’s bonuses, totalling more than $7.5m. He said the board would not consider adjusting remuneration until next year after it completes an external review of the attack.

This is despite the cyber criminals, who the Australian Federal Police have identified as being located in Russia, publishing five tranches of customer data on the dark web under labels including “abortion” and “drug and alcohol abuse”.

“While APRA notes Medibank’s constructive response to date, APRA will consider whether further regulatory action is needed when findings of the report become clear,” Ms Smith said.

“APRA expects Medibank to undertake any recommended remediation actions and ensure there is appropriate consequence management, including impacts to executive remuneration where appropriate.”

Mr Koczkar – who acknowledged Ms Smith’s comments – received $1.1m in bonuses last financial year, bringing his total remuneration to $2.59m. He also received $2.33m – or 150 per cent of his fixed salary – in shares under the company’s long-term incentive plan.

Medibank boss David Koczkar. Picture: Nicki Connolly/NCA NewsWire

Mr Wilkins told shareholders at the health insurer’s annual meeting earlier this month that it “aims to reward executives fairly for delivering the company’s strategy in a manner that meets community and customer expectations and delivers sustainable shareholder returns”.

Despite the criticism, shareholders overwhelmingly supported Medibank’s remuneration report earlier this month and Mr Koczkar’s performance rights, voting 94 and 97.8 per cent in favour respectively. It comes as several companies, including oil giant Santos and vitamins maker Blackmores, have received first strikes against their executive remuneration packages this AGM season.

Ms Smith said APRA has informed the scope of the external review announced by Medibank on November 16 – the same day Mr Wilkins said executives would keep this year’s bonuses – to ensure that it will meet the regulator’s requirements.

Medibank could also be forced to reconsider the customer data it holds. The insurer has said repeatedly it is legally required to retain customer data for seven years for adults and up to 25 years for children.

“This review, to be conducted by Deloitte, will examine the incident itself, control effectiveness and the response of Medibank,” Ms Smith said.

“In addition, APRA will intensify its supervision of all entities not meeting the Information Security Prudential Standard CPS 234 as a result of the extensive independent review underway, and other supervisory activities.

“Recent cyber-attacks reinforce the need for ongoing vigilance and focus by boards on operational resilience. They are a stark reminder for boards to ensure they can answer these fundamental questions: Do you know what data you are holding? Do you know where it is? How do you know it is safe? And do you need to retain it?

“Cyber security is a highly significant risk area for all regulated entities and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community.”

The Australian Federal Police have launched a separate investigation.

Ms Smith said Medibank had been “cooperative with APRA” so far. The health insurer’s response to the cyber attack and its steadfast refusal to pay the hackers a $15m ransom have garnered praise from the federal government and agencies.

This is unlike the Albanese government’s response to a hack on Optus weeks earlier, when government ministers slammed the telco for being uncooperative.

Mr Koczkar said on Monday: “Since we detected this cybercrime we have been in regular consultation with APRA”.

“We will share the key outcomes and consequences of the review, where appropriate, having regard to the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation.

“We are also committed to sharing what we have learnt from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in future.”

In regard to retaining customer data, Mr Koczkar said it was a “responsibility we take very seriously, and we will continue to support all people who have been impacted by this crime”.

Mr Koczkar said Medibank would continue to work with APRA, the AFP and other government agencies including the Australian Cyber Security Centre in a “transparent and cooperative way”.

“Our dedicated Cyber Response Support Program is providing customers with mental health and wellbeing support, identity protection services and financial hardship measures.

“We are grateful for the support we and our customers have received from the government and its agencies as this crime has unfolded.”

Medibank shares closed up 1.1 per cent on Monday at $2.89.

Original URL: https://www.theaustralian.com.au/business/companies/medibanks-executive-bonuses-targeted-under-potential-regulatory-action-after-russian-cyber-attack/news-story/f1e1e1152b68c163448c2b6160c4504b