Regulator sanctions Medibank following data hack review

It will also conduct a technology review focusing on the company's governance and risk culture.

"This action demonstrates how seriously APRA takes entities' obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cybersecurity controls," board member Suzanne Smith said in a statement.

At least 9.7 million Medibank customers had personal information including names, dates of birth, addresses and phone numbers compromised during the October 2022 data breach.

The measures are intended to expedite Medibank's remediation program, with further work needed to ensure the company remains safe from further data breaches.

"APRA expects Medibank to ensure there is appropriate accountability and consequence management, including impacts to executive remuneration where appropriate," Ms Smith said.

"I note that Medibank has consistently dealt with APRA in an open, constructive and cooperative way, consistent with our expectation of all regulated entities."

Medibank chief executive David Koczkar said the company takes safeguarding customer data very seriously and has sufficient capital of $148m to meet the new requirement.

"Medibank has continued to strengthen our systems and processes to provide our customers with the security they expect and deserve," he said in an ASX announcement.

"We will continue to work to enhance our systems and processes even further.

"Our company remains strong and well-capitalised."

The regulator has repeatedly emphasised the need for financial providers to step up their vigilance and cybersecurity defences.

"Unfortunately, not all entities are heeding these messages as we continue to identify poor cybersecurity practices and inadequate oversight from boards and management," Ms Smith said.

The regulator flagged further action to ensure entities address gaps and weakness in controls.

Medibank shares fell 4.5 per cent to $3.42 by 11am on Tuesday.