Medibank executives could lose their expected bonuses after the company’s security measures left its 10 million customers exposed to Russian hackers, who have released personal details on the dark web to try to blackmail money out of the company.
Two weeks ago, The Australian reminded us: “Medibank chairman Mike Wilkins said executives (including chief executive David Koczkar) will keep their bonuses this year, totaling more than $7.5 million. He said the Board wouldn’t consider adjusting remuneration until next year, after it completes an external review of the attack.”
In some quarters (the rarefied atmosphere of company headquarters at the big end of town), this decision by Mr Wilkins (who’s been a first-rate CEO of companies such as IAG and has been generally known as a very smart, fair business leader) looks understandable.
However, in the real world where consumers have had their lives put on the lawn by Russian hackers, where the customers have had a lot of inconvenience and even personal/financial losses, and shareholders have been smashed, his decision looks insensitive and dumb!
I’m not alone in questioning this decision, with the Australian Prudential Regulation Authority (APRA) raising concerns about the bonus payouts. As The Australian’s Jared Lynch put it: “Medibank could be forced to slash executive bonuses under potential regulatory action from the financial services watchdog, after a cyber-attack exposed the health records and other sensitive data of almost 10 million customers.”
Why is APRA getting involved? Well, as its website explains: “APRA licenses banking, insurance and superannuation businesses to operate and supervises them to ensure that under all reasonable circumstances, the financial promises made to their beneficiaries (i.e. depositors, policyholders and superannuation fund members) are kept. The rules and requirements for starting a prudentially regulated entity in Australia differ depending on the type of business that is being established.”
And Medibank tells us that it “…is a leading private health insurer, providing health insurance through our Medibank and ahm brands, as well as a range of health services across Australia.”
So, Medibank is in the insurance game and is also a listed company on the stock exchange. Therefore ASIC would have influence over the company as well.
Given that shareholders (which would include members of super funds, as Medibank was seen as a good investment, with a reliable dividend) saw a 20% slump in their company’s share price, it would seem right that some people have to pay.
The Australian sets its sights on Medibank’s CEO David Koczkar, “who received $1.1m in bonuses last financial year, bringing his total remuneration to $2.59 million. He also received $2.33 million (or 150% of his fixed salary) in shares under the company’s long-term incentive plan.”
I know that many chairs and CEOs rarely think about their customers and shareholders, who are their owners, but given the magnitude of this screw-up, maybe the bonuses should (at a minimum) be withheld until we see the consequences of the company’s inquiry into the matter.
But given the costs of all of this to the company’s future profits, the lower stock price and dividends that shareholders will cop, and the pain and inconvenience inflicted on Medibank’s customers, the bonuses should be used to help compensate those affected.
Note, the Federal Government forcefully uses taxes to encourage people to take out private health insurance, so Medibank should be listening to Government concerns.
Listed companies are experts on self-rewarding but untrained at self-punishing. And remember this: the super fund members who are affected are forced by the Government to be in super, so APRA (as a related body to the Government) should play hardball with companies that make money-losing mistakes.