The financial regulator has raised alarm bells about the cyber resilience of private health insurance (PHI) firms, flagging the industry's reliance on outsourcing as cause for concern.
The Australian Prudential Regulatory Authority (APRA) claimed there were “notable gaps” in the compliance of PHI firms that meet its new information security benchmark CPS 234.
These gaps relate to security implementation and testing that will ensure PHIs are complying with the standard.
The regulator flagged the industry’s reliance on outsourced security service providers for managing and supporting critical business systems, including their core policy management system.
In its annual report, it said: “APRA’s expectation is that entities adopt sound prudential practices in managing these outsourcing arrangements and demonstrate the ability to understand and manage the associated risks.”
The report, which follows an APRA investigation into the security health of PHIs in October 2019, also highlighted some firms’ “ambitious plans” to transition to cloud-hosted solutions.
The regulator said it now intends to analyse the data gleaned from the investigation and feed it back to the industry for “benchmarking and self-assessment”.
As part of the CPS-234 Information Security standard, all APRA-regulated entities will be required to notify the watchdog in under 72 hours if they become aware of an information security incident.
After launching standard on 1 July last year, APRA received 36 incident in the first four months alone.
The majority of these were data breaches involving the disclosure of personal information as a result of simple human error.
The rest involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud, the report stated.
Although the compliance requirement is applicable only for authorised deposit-taking institutions (ADIs), such as banks, general insurers, life companies or PHIs, from 1 July 2020, it will also impact their third-party suppliers, including vendors and channel partners.
