APRA unveils private health insurance industry priorities for 2023

APRA unveils private health insurance industry priorities for 2023 | Insurance Business Australia

The Australian Prudential Regulation Authority (APRA) has revealed its plans for the private health insurance (PHI) sector for 2023.

In a speech to the Members Health Directors' Professional Development Program in Sydney, APRA executive board member Suzanne Smith outlined the regulator's key priorities for the year ahead.

APRA focuses on private health insurance affordability

Smith said that the PHI industry remains sound, offering policyholders assurances that insurers have the financial capacity to pay their claims. However, many of the PHI industry's long-term structural challenges remain, including the increasing pressure on insurance affordability as healthcare costs continue to outpace wage growth and an ageing population with associated higher claims costs.

Smith said: “Coupled with this is a challenging macroeconomic environment.

“Higher inflation, interest rates, and workforce constraints put pressure on the costs of providing healthcare and on household budgets – pressures which could see those sustainability risks increase once more.”

Considering these challenges, APRA released its annual Policy and Supervision Priority papers outlining its plans for the industries it regulates to bolster their financial resilience and long-term sustainability through embedding the new capital framework.

APRA improves cyber resilience

Medibank's cyber incident made the rounds in the news, with the stolen data including hundreds of customers' names, addresses, and birthdates. The data leak even extended to one of its brands. As the medical insurer continues to recover from the cyberattack, Home Affairs Minister the Hon Clare O'Neil warned the Australian healthcare system that it has become cybercriminals' main target.

In response to the incidents, APRA committed to intensifying its supervision of all entities not meeting Information Security Prudential Standard CPS 234.

In her speech, Smith advised the attendees to focus on:

  • Identifying exposures to critical service providers and what to do if those providers were significantly compromised;
  • Regularly testing systems, including recovery testing, to ensure data can be restored from backups;
  • Preparing for cyber incidents by educating staff about their roles and responsibilities during a crisis, having a well-thought-out and practiced playbook, conducting dynamic simulations, and selecting external partners who will help during a crisis; and
  • Establishing adequate IT risk governance and IT audit coverage.

“The ability to continue operations in the face of disruptions is critical to maintaining community confidence,” Smith said.

“Considering the high concentration risk among critical service providers in PHI, boards must have strong governance processes in place to adequately monitor outsourced services, seek independent assurance on the effectiveness of key outsourcing controls, and a contingency plan if these arrangements fall over.”

Smith drew attention to the role of the board.

“The important role the board plays in the risk culture of any organisation has been well documented by APRA,” she said.

“In short, a board needs to understand the risk culture in the insurer and the extent to which that risk culture supports the insurer's ability to operate consistently within its risk appetite.”