Cyber insurance too expensive for Medibank
Medibank's value plummeted $1.75 billion when it returned to trading after a massive data breach. Photo: TND
Medibank insists cyber insurance wouldn’t have helped it avoid a huge financial hit from the company’s major data breach.
Australia’s biggest health insurer is looking at a $35 million pre-tax hit to its earnings for the first half of the financial year before any fines or extra compensation it might have to pay.
The company’s share market value plummeted about $1.75 billion on Wednesday in its first day of trading since revealing its customer database was hacked.
The share plunge happened on the same day Medibank disclosed the hackers had access to details for all four million of the health insurer’s customers and an unknown number of former customers.
Chief financial officer Mark Rogers said the company hadn’t taken out cyber insurance because it was too expensive.
“Costs went up significantly over the last couple of years (in terms of) how much cover you can actually get in terms of the total amount of exposure plus (our) actual ability to make a claim,” he said in an investor briefing.
“Notwithstanding the fact we didn’t have cyber insurance, I wouldn’t have expected based on the policies we saw over the last couple of years that the majority of costs … would have even been covered.”
Deputy Prime Minister Richard Marles said he hoped the incident would force other companies to treat the threat of hacking more seriously.
“We’re working closely with Medibank to do everything we can to minimise the impact of it, but really this is a wake-up call for corporate Australia and for everyone who holds data,” he told Seven’s Sunrise program.
“We need to be making sure our systems are as robust as possible and it’s also important for individuals in terms of the way we protect our own data.”
The government has introduced new legislation to parliament to dramatically increase penalties for companies that don’t properly protect sensitive data.
Fines will rise to the greatest of $50 million, 30 per cent of the company’s turnover in the relevant period or three times the value of any benefit gained from the stolen data.
Existing penalties are capped at $2.2 million.