SYDNEY (Reuters) -Australia's banking regulator told insurer Medibank on Tuesday it would have to set aside A$250 million ($167 million) in extra capital, citing weaknesses identified in its information security after a network intrusion.
The Australian Prudential and Regulation Authority (APRA) said the capital adjustment will be effective from July 1 and remain in place until an agreed remediation programme is completed by Medibank to the regulator's satisfaction.
"In taking this action, APRA seeks to ensure that Medibank expedites its remediation programme," member Suzanne Smith said.
In a statement, Medibank said it had sufficient existing capital to meet the capital adjustment and would continue to work together with APRA on remediation measures.
Medibank last year disclosed that a hacker stole the personal information of 9.7 million current and former customers and released the data on the dark web in one of Australia's biggest data breaches.
At least three separate class action suits have been filed in Australian courts on behalf of affected customers against the company over the network intrusion.
Although Medibank has already addressed the specific control weaknesses that permitted unauthorised access to its systems, it still has more work to do across a number of areas to boost its security environment and data management, APRA said.
The regulator will also conduct a targeted technology review of Medibank, with a focus on governance and risk culture.
Australia has seen a rise in cyber intrusions since late last year, prompting the government in February to reform security rules and set up an agency to oversee government investment and help coordinate responses to hacker attacks.
The federal government last week named a senior air force commander as its first cybersecurity boss.
($1 = 1.4981 Australian dollars)
(Reporting by Renju Jose in Sydney; Editing by Chris Reese and Lincoln Feast)