Medibank Private Limited (MPL) Earnings Call Transcript & Summary
November 15, 2022
Earnings Call Speaker Segments
Michael Wilkins (executive)
[Presentation] Good morning, everyone. My name is Mike Wilkins. And on behalf of the Board of Directors of Medibank, I'd like to welcome you to our 2022 Annual General Meeting. As we begin today, I'd like to invite Wurundjeri Elder, Uncle Dave Wandin, to open today's proceedings with a welcome to country. Thank you for being with us, Uncle Dave.
David Wandin (attendee)
Good morning. Normally that's done with a little bit of a round of applause. I never know what to do when there's these official things that are going on, and it should not be. People shouldn't be frightened to actually show their emotions, so long as they're shown in a respectful way to what you're about to hear today. My name is Dave Wandin, and I'm an elder of the Wurundjeri Woi Wurrung Tribal Land Council on whose land you are meeting today. It is also shared with the Boonwurrung people, which are our ocean people, our sea country people. We are freshwater people. And of course, you are on the lands that our ancestors never ceded. It is my land today, and it will be my children's land in the future. But we also have to share it with everybody else who calls Melbourne home or it's a place where they work or play. And most welcomes are done in language. Unfortunately, that's not my specialty. But it's really good because I can keep it short without having to translate it. I only know 3 words. To me, they are the most important ones. And that is, [Foreign Language], which simply means welcome to Wurundjeri country. And if you can't remember those 3 words, I hope that you can at least remember [Foreign Language]. To remember that when you go to someone else's house or someone comes to your house, you need to welcome them. You need to lay down a set of rules, some protocols. Today, we call them agendas. Aboriginal people have been doing that as they come to our house, except that our house is not a room. Our house is the sky outside. And it comes down to the walls of our house, which is much larger than Melbourne or you're fenced in 10 square meters or whatever house you might have. And we have been welcoming people into our house for many, many tens of thousands of years, other mobs prior to colonization. Our way of welcoming is no different to the way you welcome people. We had our own rules. We had our own protocols.
We had our own punishments if you disobeyed those rules. But just like today, someone else has organized how much food you're going to need, does anybody need accommodation, how much shelter are you going to need, what's the exit strategy, where the toilets are. This is nothing new. Aboriginal people have been managing their country that way for thousands of years, knowing who was on country so that we could make sure that they're looked after. And that's what I'm doing here today. I'm welcoming you into this room on behalf of Medibank. And I would like to thank Medibank for inviting me along to do a welcome to country. First rules are, I must pay my respects to all Aboriginal and Torres Strait Islander peoples that are gathered with us today, to their Elders, both past, present and emerging. And I pay my respects to Bunjil, our creative spirit, who gave us the laws of the land, so that we could look after their country on behalf of his wife, which is, of course, the earth on which we stand. He is the father, the earth is our mother. He gave us many laws on managing country. But he said, if you can't remember first law, then I will take this land away from you because you have not earned the right or the responsibility to care for it correctly. And he said, you must respect your mother. Not only your physical mother that you are born from, who was the first person that when you cry that hugs you, the first person to feed you, she looks after you when you are young and defenseless. And as you grow older, you start to move out in your community, you meet your aunties and your uncles and your grandparents, your cousins and your nephews. But whenever you're in trouble in those formative years, you go back to your mother. Maybe you go to dad as well. But mostly, you're fond of going back to your mom. And of course, that's nothing new. All humans do that. 
But as we grow older, and part of our cultural responsibility is we have to understand that our physical mother is growing older as well, and we return that favor. We remember when she was there when we were distressed, when we were sad, when we were hungry, when we're cold. Again, nothing new for human life. But if you can remember to do that, there's another half to the equation. And that is you must remember the spirit of your mother. And as I said earlier, the spirit of your mother is the land on which we live and work and play and rely on for all our resources to keep us warm, to keep us fed, to keep us sheltered, to provide clothing and tools and medicine. So they have 2 equations. We still continue to do that today. And our role today is not only to respect Bunjil, but to also show other people who live on our lands the way to care for country. Because if you care for country, you will learn something, you begin to care for your community. And as you heal country, as Aboriginal people have done for tens of thousands of years, when you heal country together by walking country together, we all start to heal ourselves as people together, and we become a much stronger community, which is why Aboriginal people are still here today, the oldest living culture on earth because we remember that the land is not for ours to take. It's not for us to sell or trade. We are given it by our creator, and he can take it away at any time. We are here to help you, not just in today's forum but all across the other work that you may do across country. Everywhere you go, you are in some mobs' country, and they all have these same rules, slight variations. I hope you all have a wonderful meeting today. Unfortunately, I can't stay and listen, I'm not one of the shareholders. I do have other things to do. 
But remember, respect, making sure that you listen to what is said and this is what I have been taught by my elders and being kicked up by mom, which is your backside when I didn't listen, and I know when I'm doing things wrong. Listen with both ears, see with both eyes, speak with only one mouth. So spend twice as much time listening and looking before we start replying, please. That is the way that we would have conducted ceremony if there were disputes, if there was trade, if we're arranging marriages. We used to have a talking stick with feathers on it and we pass it to the speaker. Today, we call them microphones. So wait your turn. I'm sure you've got a lot to get through today, and I will leave you with that. [Foreign Language] Welcome to Wurundjeri country and thank you.
Michael Wilkins (executive)
Thank you, Uncle Dave, for that very warm welcome to country, and thank you also for the work that you're doing with Medibank, teaching us to respect country and to respect each other. We're committed to helping advance reconciliation, and we believe it's important to recognize Australia's traditional owners and their continuing connection to country. I respectfully acknowledge the Wurundjeri Woi Wurrung peoples of the Kulin Nation on whose lands we meet this morning, and I pay my respects to elders past, present and emerging. I'd also like to extend that respect to all Aboriginal and Torres Strait Islander peoples joining us today. Today's meeting is our first to be held in a hybrid format. So I'd like to thank all shareholders for joining us today, both those joining us virtually through our live stream and those who are here with us in the auditorium. It's great to be able to meet with our shareholders in person for the first time since COVID began, albeit in undoubtedly challenging circumstances for Medibank and for our customers. I now formally declare the meeting open. Joining me on stage today is the Medibank Board of Directors, and I'd like to introduce them to you. On your far left, my far right is Dr. Tracey Batten, who's Chair of the Board's People and Remuneration Committee; next to Tracey is Peter Everingham, who is standing for election today; sitting next to Peter is Linda Nicholls, who is Chair of the Investment and Capital Committee and who is seeking reelection today; and of course, sitting next to Linda is our Chief Executive Officer, David Koczkar. On your far right, my immediate -- or my far left, is Anna Bligh; and she is sitting next to Gerard Dalbosco, who's Chair of our Audit Committee; sitting next to Gerard is Kathryn Fagg, who is standing for election today; followed by David Fagan, who is Chair of the Risk Management Committee and David is also seeking reelection today.
Finally, to your immediate right of me is our Company Secretary, Mei Ramsay. At this stage of the meeting, I'd like to run through some procedural details. For those attending virtually, if you experience any technical difficulties during the meeting, please call the number that is now on screen. A recording will also be available on our website after the meeting. If the AGM needs to be adjourned at any time due to technical or other reasons, we'll provide further instructions and information on our website and the ASX. To provide shareholders the greatest possible opportunity to vote, I now formally open the polls on all resolutions. I also now formally cast all votes for proxies I hold on all resolutions in accordance with the directions provided by shareholders or as set out in the Notice of Meeting. I'll provide more detailed instructions regarding voting and the asking of questions later in the meeting. I'd like to begin my formal comments today by addressing the cyberattack that we and our customers have been facing for a little over a month now. This cybercrime event is unprecedented. It's caused distress and concern for many of our customers, our people and for you, our shareholders, many of whom, like me, I know are also our customers. I unreservedly apologize to every person for the significant impact of this crime. It's a despicable act by the criminal seeking to extort payment based on the privacy concerns of our customers and it must be condemned in the strongest possible terms. Throughout our almost 50-year history, our focus on customers and on improving the health and wellbeing of all Australians has been unwavering. It's the reason we were founded, and it's the reason we exist today. There's no doubt that this crime is having an enormous impact on our customers and on our community. This is a shocking crime, the size and scale of which have never been seen before. 
But for each one of our customers impacted, we recognize that, that impact is personal and the support that's required for each individual is different. Our utmost priority has been and continues to be supporting our customers. Safeguarding our customers' data is a responsibility that we take very seriously, and we'll continue to support all people who've been impacted by this crime. That's why we've put in place a dedicated Cyber Response Support Program for our customers, and David will speak more to this shortly. From the very beginning, Medibank has committed to being transparent as events unfold and as more is understood. The ever increasing risk of cybercrime is being faced by all organizations around the world large and small. And I want to reassure you that the Board has and will continue to invest in mitigating those risks. Over the past few weeks, I've spoken with many of our major shareholders and advisers and been contacted by a number of customers, and I've been encouraged by the support that they've shown for how we're managing this event and the actions that we're taking. On behalf of the Board and all Medibank people, we thank all of our stakeholders for their continued support during this time. I'd particularly like to thank the Australian government, including the Australian Cyber Security Centre and the Australian Federal Police. We continue to work closely with them as they investigate and respond to this crime and as it progresses. From the outset, Medibank has been committed to doing the right thing by our customers, our people and our community in relation to this cybercrime. This includes our decision not to pay any ransom demand for this data theft. Based on extensive advice from cybercrime experts, we formed the view that there was a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published. 
In fact, the advice we have had is that to pay a ransom could have had the opposite effect and encourage the criminal to directly extort our customers and put more people in harm's way by making Australia a bigger target. It's for these reasons that we could not pay. This decision is consistent with the position of the Australian government. In addition to our ongoing investigations and engagement with the federal police and the Australian Cyber Security Centre, we've commissioned an external review to be undertaken by Deloitte. This review will ensure that we learn from this cyberattack and continue to strengthen our ability to safeguard our customers. We'll share the key outcomes of the review where appropriate, having regard to the interest of our customers and stakeholders and the ongoing nature of the Australian Federal Police investigation. We're also committed to sharing, where it's safe to do so, what we've learned from our experience so that Australian businesses and the broader community can be better placed to navigate any similar challenges in the future. The cybercrime event has understandably overshadowed many of our key achievements and our performance in the 2022 financial year. It was a challenging year for many Australians with rising costs of living, flooding across much of Eastern Australia and the ongoing impacts of COVID. Amid those challenges, our customers look to us as they prioritized their health and well-being. Notwithstanding the cybercrime attack, we've continued to operate, and we've continued to be there for our customers in order to help them with their health needs. In the 2022 financial year, we increased both Health Insurance operating profit and Medibank Health segment profit. However, volatility in financial markets led to a $24.8 million loss in net investment income. As a result, our net profit after tax of $393.9 million was down 10.7% on the previous year. 
Now we said at the release of our 2022 financial results that our capital position remains strong and the Board determined that shareholders would receive a fully franked ordinary dividend of $0.073 per share, and that was an increase of 5.5% over the prior year and brought the total full year dividend to $0.134 per share fully franked. And finally, while we had initially forecast the 2023 policyholder growth to be around 2.7%, we've since announced that the uncertain impact of the cybercrime has resulted in our withdrawal of this outlook statement. We'll provide further update on our customer numbers at our February half year results. In closing today, I'd like to take this opportunity to reflect on the important role that Medibank plays in our community. This is an extremely challenging time and we'll continue to be measured on how we respond and how we support our customers. Our CEO, David Koczkar, and his executive team has shown their ongoing focus on our customers, and they've not deviated from this during this time of adversity. I'm grateful to the whole Medibank team for their work and the ongoing support that they show to our customers and to each other every day. Our 2030 vision is to deliver the best health and wellbeing for Australia. By always acting in line with our values, we remain well equipped to achieve that. And finally, we thank you, our shareholders, for your ongoing support of the work that we're doing to deliver Better Health for Better Lives for our customers and our community. Throughout our history, we've responded to every challenge that's been laid before us, and I'm confident that we'll emerge from this cybercrime as an even stronger organization as we continue working to make a difference in the health and wellbeing of our customers, our people and our community. I'd also like to take this opportunity to thank our people for the work that they've done to respond to this crisis and to support our customers.
Your focus on our customers is unwavering, and the Board and I thank you for your commitment. I'll now ask David to talk through the event in some more detail as well as speaking to our future direction and also to our outlook. Thank you.
David Koczkar (executive)
Thanks, Mike, and good morning to everyone joining us in the room here today and on the webcast. I'll begin by acknowledging the traditional owners and custodians of country throughout Australia and their connections to land, sea and community. I join you today from Narrm, the home of the Wurundjeri Woi Wurrung peoples, and I pay my respects to their elders past, present and emerging, and I extend my respect to all elders on the lands on which we work and live. This morning, I will start by addressing the cybercrime event we and our customers have faced over the past month. I will then recap on our FY '23 outlook and our focus for the year ahead. Before I talk through the cybercrime in more detail, I want to again apologize unreservedly to all our customers who have been the victims of this terrible crime. What has happened is deeply distressing. The weaponizing of the private data of many Australians, our customers, is malicious. We are steadfast in our resolve to not reward this criminal behavior, nor to strengthen a business model that is based on extortion. This is a watershed moment for our community, a harsh reminder of the new frontier in cybercrime that we all face. I'm devastated for our customers. And I assure you, our absolute focus is to continue to support and protect our customers through this time. And like Mike, I too am a Medibank customer. Since the very first day our systems detected the unauthorized activity, we have continued to work very closely with the Australian government, including the Australian Cyber Security Centre and the Australian Federal Police who are investigating this cybercrime. Last week, the AFP announced that Operation Guardian, a joint initiative with state and territory police, would be extended to protect Medibank customers. AFP investigators under Operation Guardian are scouring the Internet and dark web to identify people who are accessing this personal information and trying to profit from it.
The AFP is also working with international agencies to disrupt the infrastructure of the criminal. I would like to take this opportunity to reiterate Mike's thanks to the Australian government. We are grateful for the support we and our customers have received from the government and its agencies as this crime has unfolded. Whilst nothing is certain, the criminal may continue to release files on the dark web. We share the Prime Minister's and the AFP's call to all media and social media platforms to protect the community by not posting or publishing this information. And while we understand the public interest, reporting details of this crime only feeds the criminal's need for notoriety. There is no doubt that rejecting the ransom demand was the right thing to do. While we unreservedly apologize for the impact of the release of the data, we cannot, as a community, pay criminals who are likely to continue to extort us all, particularly when there is no guarantee that the criminal would ever delete the data. As I've said before, you cannot trust a criminal. For our customers, we know that this doesn't make up for the fact that your data has been stolen. We take our responsibility seriously and have an unwavering focus on supporting our customers who have been impacted. From the very beginning, we have committed to sharing updates on this unfolding situation with transparency and timeliness to all our stakeholders. We have been focused on both communicating potential impacts to our customers and providing with guidance and support. I can confirm that in the last 5 weeks, we have regularly written or spoken with our customers and former customers to update them on the unfolding cybercrime. Last week, we began communicating with customers, whose personal information we believe was stolen, to advise them of the specific data that relates to them. And we've continued to e-mail new groups of customers each day. 
Our customers can also contact us to understand what data has been accessed. We've extended call center hours, and we've increased our customer support team by more than 300 people. Importantly, today, we'll begin communicating with around 480,000 customers whose health data we believe has been stolen. We commenced this as soon as this data was verified by our team. Providing personalized updates to our customers is an incredibly complex process and it's important to get it right. This ongoing work continues and requires our people to analyze millions of records across numerous applications and match customer data from multiple sources. And for our customers whose health data has been published on the dark web, we've prioritized those communications, advising them as quickly as we can that their health data has been published within 48 hours of this data appearing. Right through this cybercrime, we've also proactively contacted our customers who we know are uniquely vulnerable to provide them with additional support and care. And 3 weeks ago, Medibank established a Cyber Response Support Program. This has been set up to provide customers with mental health and wellbeing support, identity protection, security and financial hardship measures. We will continue to work around the clock to provide customers with details of their data we believe has been stolen and provide advice on what customers should do and how we can support them. Our focus on supporting our customers has been and will continue to be our absolute priority. Since we became aware of the cyberattack, we have worked to strengthen the integrity of our systems. We have applied additional security measures across our network, including specialized tools to assist with our investigation and enable ongoing real-time monitoring for any further suspicious activity. And I can confirm that no further suspicious activity inside our systems has been detected since the 12th of October. 
As Mike has announced, the external review to be conducted by Deloitte, in addition to our ongoing investigation, will help us further strengthen our ability to safeguard our customers. And I want to assure you that we will continue to be vigilant and take the necessary steps to protect our operations and our customers' data. Mike has already provided an overview of our FY '22 financial results. However, I wanted to take the opportunity to acknowledge the strength of our result in what was another tough year for our customers and the Australian community. The rising cost of living has presented a challenge for many households and yet a record number of Australians continue to take out private health insurance, putting their health and wellbeing first. Consumers no longer see health spending as discretionary and are actually spending more on their health than before the pandemic. Our research tells us more people are valuing what private health insurance has to offer, including greater choice and access, especially given the increased awareness of the sustained pressures in the public health system which we know will take some time to address. More than 14 million Australians now have private health cover, and Medibank is proud to play our part in supporting and strengthening the health system. As we have done for almost 50 years, we will be there to support our customers with their needs in health. In FY '22, we continued to grow by focusing on delivering leading customer experiences, differentiating our insurance business and expanding in health. And this has included a strong increase in our customers' adoption of our new health offerings, notably our prevention programs and new care models. As I've said before, we will remain disciplined in how we grow and run our business. In late October, we provided a trading update for the first quarter of FY '23 and updated our FY '23 outlook. Our outlook for FY '23 has not changed since this update. 
As confirmed by Mike, given the uncertain impact of the cyber event, we have withdrawn our FY '23 outlook for resident policyholder growth and we'll provide a further update at the half year FY '23 results in February. As at 12 November '22, net resident policyholder numbers were in line with those at the end of the first quarter, with a growth of approximately 14,500 policyholders since the end of June '22. For the first quarter of this financial year, we've also seen continued growth in our nonresident business with approximately 14% customer growth since the end of June '22. This means we now have the same number of customers in our nonresident portfolio as we did prepandemic. Our outlook for underlying net claims expense per resident policy unit is unchanged at 2.3% for the full year. And PHI management expenses productivity initiatives remain in line with the FY '23 outlook, and our expectation for inflation remains unchanged. Importantly, our business remains strongly capitalized. And at 30 September '22, our health insurance capital ratio was 13.4% and unallocated capital was approximately $150 million. APRA has released the final private health insurance capital standards, which are effective from 1 July 2023. And we continue to expect the implementation of these standards will not negatively impact our capital position. Supported by our strong capital position, we remain focused on pursuing multiple avenues of growth for our business, including targeted organic and inorganic growth for Medibank Health and Health Insurance and delivering synergies across our businesses. Based on our current actions in response to the cybercrime event, we currently estimate $25 million to $35 million of pretax nonrecurring costs will impact earnings in the first half of 2023. These nonrecurring costs do not include further potential customer and other remediation, regulatory or litigation-related costs. 
There is no doubt that the cybercrime has been deliberate, designed to extort money by targeting our customers, particularly some of the most vulnerable people in the community. We know that cybercrime is an ever-present and growing threat. As a society, we must stand together to defend against the increasing risks faced by everyone in our community. We will do everything we can to ensure that we all learn from this and share the insights so that we can better protect all Australians. We have an incredible and passionate team of people who are exceptional at listening to our customers, understanding their needs and providing products and services to support them. And I want to thank each and every one of them for the support they are showing our customers and each other every day. All of us at Medibank face an incredible challenge at present as we work to protect our customers. I'm confident our team can get through this challenge and return to our focus on realizing our 2030 vision by creating access, choice and control for our customers. And together, we will learn, share and grow from this event, and I remain confident that by focusing on our customers, we will continue to prosper. Thank you. I will now hand back to Mike to conduct the formal business of the meeting.
Michael Wilkins (executive)
Thanks, David. We've now reached the formal business of our meeting. Given today's meeting is both in-person and virtual, I'll first run through the meeting procedures. As this is a shareholder meeting, only shareholders, their attorneys, proxies and corporate representatives may vote and ask questions. I'll now go through the voting procedures. Those of you present in person who are entitled to vote have been provided with a handheld device to cast your vote. Instructions for how to vote using the device are on the screen behind me. Your smart card should already be in the device and a list of resolutions should appear on your screen. Use the scroll wheel to highlight the resolution you wish to vote on, then press the green square. The selected resolution will then appear on your screen. Press the green square again and you'll see the voting options. To vote for the resolution, press 1. To vote against, press 2. Or if you wish to abstain from voting, press 3. Once you've selected your voting option, you can move to the next resolution by pressing the green square or return to the full list of resolutions by pressing the red triangle. If you need any assistance, please raise your device and a Lumi representative will be there to assist you. Now for those attending virtually. If you're eligible to vote, a voting icon will appear on your screen's navigation bar. Once you click on this icon, you'll see the resolutions on your screen. To cast your vote, select one of the options: for, against or abstain for each resolution. Your selection will be highlighted and the vote is automatically recorded, but you have the ability to change your vote at any time until I declare voting closed. There are 8 items of business before the company's meeting this morning, and these are set out in the Notice of Meeting. Items 2 to 8 are to be voted on and to be determined by a poll. As I indicated earlier, the polls are open.
Medibank's share registry, Computershare, has given me a report of the proxy voting instructions received for items 2 to 8. As advised in the Notice of Meeting, open proxy votes held by me as Chair of the meeting have been cast in favor of each resolution. And results of the proxies received on items 2 to 8 are now displayed on the screen behind me. The poll will close shortly before the end of this meeting, and I'll give you advanced notice ahead of closing the voting. Later in the meeting, eligible persons attending in-person and virtually will be given the opportunity to ask questions. [Operator Instructions] I'll endeavor to address as many questions and comments as possible during the course of this meeting, and I'll either answer or pass the question to the person most appropriate to answer. In the interest of time, we may need to summarize questions that are particularly lengthy or moderate questions to avoid repetition. [Operator Instructions] If you have any question about the virtual meeting technology, please contact the help line that's now displayed on your screen. For those attending in-person today, if you have any personal matters to discuss about your health insurance, please visit the information booth in the foyer. And for those attending virtually, please call 1 (300) 369-968 today until 6 p.m. Melbourne time. That, I think, completes the voting instruction and there will be an examination on all that detail shortly during the meeting. Now let's move to the items of business. We'll present all items of business and then provide an opportunity for questions after all items of business have been introduced. The first item of business today is the financial statements and reports. This item isn't subject to a vote and therefore, doesn't require you to cast a vote. 
The Medibank financial statements for the year ended 30 June 2022, the directors' report and the auditors' report were released to the ASX and published in the Annual Report and on the company's website. We'll take questions on this item following the introduction of all items of business. In addition, the company's auditor, PricewaterhouseCoopers, is represented today in the auditorium by Colin Heath and Marcus Laithwaite, who are available to answer questions about the audit of the accounts. We'll now move to items 2 and 3, which is the election of 2 of our Directors, Peter Everingham, and Kathryn Fagg. Peter and Kathryn were both appointed as Directors on the 31st of March of this year. They won't be providing a formal address to the meeting today, but they are available for questions during the discussion period later in the meeting. Each of Peter's and Kathryn's biographies is contained in the Notice of Meeting. Your Board, with each Director standing for election abstaining, recommends unanimously that you vote for the election of each Director. Now moving to our fourth and fifth items of business, the reelection of David Fagan and Linda Bardo Nicholls. Each of their biographies is contained in the Notice of Meeting. Similarly, David and Linda won't be providing a formal address to the meeting but will be available for questions later in the meeting. Your Board, with each Director standing for reelection abstaining, recommends unanimously that you vote for the reelection of each Director. Coming now to item 6. And this item relates to the remuneration report, which is put to the meeting in accordance with the Corporations Act. The resolution is to adopt the remuneration report for the year ended 30 June 2022. Medibank aims to reward executives fairly for delivering the company's strategy in a manner that meets community and customer expectations and delivers sustainable shareholder returns. 
The remuneration report provides extensive disclosure of director and executive remuneration and is set out on Pages 51 to 72 of the Annual Report. Under the Corporations Act, this vote is advisory only. However, as Directors, we give serious consideration to the voting results and comments made upon this item when we review the company's remuneration policies. The Board recommends that you vote to adopt the remuneration report. Now turning to item 7. The resolution is to approve the grant of performance rights to David Koczkar, our Chief Executive Officer, to be issued under Medibank's 2023 long-term incentive plan. Medibank's long-term incentive plan is detailed in the remuneration report. It's designed to align the interest of the Chief Executive with the interest of shareholders and to this end, to put a significant portion of his remuneration at risk. The rights to be granted are detailed in the Notice of Meeting, along with the vesting conditions. It's important to understand that the performance rights only vest in shares for the CEO on the achievement of performance hurdles, which are aligned to shareholder interests. If the performance hurdles aren't achieved, then the Chief Executive Officer will receive no shares. If the performance hurdles are met, then the rights will convert to shares, which David will receive. The outcome of the performance rights will be detailed in the remuneration report following the conclusion of the performance period on the 30th of June 2025. Your Board, other than David Koczkar, recommends that you vote in favor of this resolution. We now turn to item 8, the final item of business. The resolution is to adopt amendments to Medibank's constitution. The proposed amendments are outlined in the Notice of Meeting. And here with me today is the amended constitution, which I have signed for identification purposes. I now formally table this amended constitution at the meeting. 
Medibank's constitution has only been amended once since it was adopted in 2014. Since 2014, there have been a number of developments in the law, the ASX Listing Rules and corporate governance practices. And the proposed amendments seek to align Medibank's constitution with those practices. An amendment to Medibank's constitution requires a special resolution of shareholders. To be carried, a special resolution must achieve 75% or more of the votes cast for the resolution. Your Board unanimously recommends that you vote for this resolution.
Michael Wilkins
executiveWe've now introduced all items of business and we're ready to respond to questions. We'll first begin with questions from the auditorium. [Operator Instructions] So I now invite people to ask questions, and we will start with microphone 2.
Unknown Attendee
attendeeChairman, may I introduce Peter Aird of the Australian Shareholders Association.
Peter Aird
shareholderI'm a volunteer with the Australian Shareholders Association. Today, we have proxies from 448 shareholders, representing over 2.6 million shares. We appreciate that Medibank has taken cybersecurity seriously as shown in your use of both internal and external reviews of your systems and the details provided in your sustainability report. However, this clearly was insufficient. Two questions. When do you expect to determine the accountability for Medibank's failure to keep customer data secret? And given the statistics that show up to 25% of customers severed ties with businesses after a cyber breach, what plans do you have to retain your customers' confidence?
Michael Wilkins
executiveThanks for your question, Mr. Aird, and we appreciate the engagement with the Australian Shareholders Association. In terms of the entire circumstances surrounding this event, they will be the subject of the investigation that we have put in place. And as both David and I have mentioned, we are regularly communicating with our customers on this. But until the results of that investigation are concluded, I think it's difficult to answer your first question. In terms of your second question, we continue to communicate with our customers. We continue to be there for our customers on a day in, day out basis. And as David has mentioned, we have over the course of the period since the 1st of July, grown our customer numbers and they've held constant over the course of the last month to 6 weeks. So we will continue to communicate with our customers. We'll continue to do the best we can for them every day. And obviously, as customers contact us with any concerns, we'll seek to address those concerns as well. We have a question on microphone 3.
Unknown Attendee
attendeeChair, I have a question from Johnny Wei, who is a shareholder.
Unknown Shareholder
shareholderI am a shareholder, and I'm rather disappointed that Medicare -- Medibank did not take security as serious as it should. And I guess my question is for the Audit Committee, whether IT security and security culture within the organization is part of your audit. And if not, whether it will be in the future. And I also have a question for the executive, who is responsible for IT security. And well, not a question for him, but with -- well, I guess, it's for him, whether all the recommendation of IT security has been forwarded to the Audit Committee and whether the matters have been appropriately addressed according to them. And if it has, then obviously, it's not enough and whether the remuneration for the executive has been adjusted accordingly. Thank you.
Michael Wilkins
executiveMr. Wei, thank you. I think there's 3 questions in there, but I'll attempt to address all 3 of those. Firstly, we have always taken and we continue to take our IT security very, very seriously. It's something that is a continuous spend for Medibank, and we believe that our processes were robust, although clearly not robust enough in this circumstance. And we will seek to learn from that once we have completed this review. In terms of the audit executive and the IT matters that may have been raised, I have no reason to believe and no one has raised with me nor with the Chair of the Audit Committee any matters that have not been coming forth from our audit function or from the executive team in terms of security concerns or issues. So where they have been raised, we have addressed them and sought to deal with them. Your third question related to remuneration, and that's something that we will take on board for the 2023 year once we have got the full results of the investigation that we've announced today and that will take some time to complete. But your Board is very well aware of the need to make sure that there is an alignment between remuneration and outcomes on all matters. I think we have another question now.
Unknown Attendee
attendeeChair, I have a question from Ian Hamilton, who's a shareholder.
Unknown Shareholder
shareholderIn terms of sustainability and staff efficiency, you have a branch network and a number of staff living in different locations. If you're able to plot all this on a map, could you pair them up so that the staff work in a job that's closest to where they live to cut down their travel time and time on the road and just to save their time and to make the world a more sustainable place so they wouldn't be driving or taking public transport to get there? When I attempted to find out about this, I looked at the phone book and you only have a one-line entry that just says Medibank. You don't have individual branches, opening hours or phone numbers listed. In fact, very small businesses have a larger advertising presence in the phone book. Are you aware of that? And that's a form of advertising. And in terms of advertising, to wit, as you have for Medibank Private on the TV, one shows a woman in Gaelic battle dress hacking into other people in Gaelic battle dress in the form of a battle and then the word Medibank Private comes up at the end. Another one shows a woman performing some form of slow motion martial arts. And then the same thing happens, Medibank Private comes up at the end. It doesn't seem to make sense. And in terms of an ad being effective, if someone watching it that doesn't have private health insurance has to form in their own mind something that says I don't have private health insurance, I need private health insurance, Medibank Private would be a good company to do private health insurance with. I don't think that ad does that. Do you think it's money well spent? A better ad would be someone opening their mail and getting a horrified look on their face and another person saying to him, "What's wrong?" And he said, "I've just received a bill for a simple procedure I had in a private hospital, and I'm not sure I can afford to pay it." And the person looks at him and says, "It wouldn't happen to me, I'm with Medibank Private." 
And if that's true, well, that would be a better ad.
Michael Wilkins
executiveThank you, Mr. Hamilton. Again, there's a few points in there, but I'll attempt to address all of those. Thanks for your interest in our sustainable footprint. And I do take your point on that. And you did give me some education this morning. I wasn't aware that we just had one entry in the phone book. However, I think that our branch network is reasonably well signposted around the country. In terms of your question about sustainability, Medibank's long had a flexible working philosophy, including a lot of people who are in our call centers. They are being able to work from home as opposed to needing to come into a central location. That was in place long before COVID hit. However, we accelerated it during COVID. And I've got to say, even those people who are coming into our offices or more, our branches, are usually locals. And in fact, as part of the work that the Board of Directors does, we regularly visit different -- or our branches. I certainly went to the branch at Warringah Mall in Sydney not so long ago and spoke to the people there, all of whom lived locally. And 2 of them told me that they actually walk to work, and they found that, that was something that was very worthwhile for them. In terms of our ads, I think that advertising has been very effective. However, we take your comments on board with that. And I'm sure that those executives who are responsible for our promotion will certainly give great credence to the suggestion that you've made around -- or what you feel may be a more effective advertising campaign. So thank you for your interest in all of those. We have a question from microphone 1.
Unknown Attendee
attendeeChairman, may I introduce John Johnston, shareholder.
Unknown Shareholder
shareholderMike, we have met before in the '90s when you were at Tyndall.
Michael Wilkins
executiveThat's dating both of us.
Unknown Shareholder
shareholderThat's right. I think so. We look older. My question is a simple one. I'd like to know is there any member of the Board of Directors who has extensive information technology experience or expertise? Thank you.
Michael Wilkins
executiveThanks, Mr. Johnston. We have shown in our profiles the experience that each of the Directors have. We've also included an overall skills matrix in our Directors' report, which sets out those skills, and technology is one of those skills. Part of the reason for asking Peter Everingham to join our Board was to bring his considerable digital experience to bear, given the nature that -- of where we see that going and the way in which we want to continue to digitally serve our customers. Does anyone -- is anyone an IT professional? No, they are not. But a number of us have considerable experience across business, and IT is part of that. Thank you. We have a question from microphone 2.
Unknown Attendee
attendeeThank you. Chairman, may I introduce Carol Jean, who's a shareholder.
Unknown Shareholder
shareholderI just have a question regarding your communication strategy with your members regarding the cybersecurity incident. The last e-mail I received from you was the 27th of October, which is about 2.5 weeks ago. I understand that you need to prioritize contacting people whose individual data may have been compromised. To me, having the last general communication with you being the 27th of October seems a little long. I shouldn't have to gain information from the media or from going to your website. So I'd just like a response to that, please.
Michael Wilkins
executiveThank you. We've attempted to prioritize our communications with those people who have been more directly affected by this, but there has been regular communication across the board with this. And as David said during his presentation, there will be further communication to all 9.7 million current and affected and previous customers who may have been affected. I apologize if you feel that you've not been communicated with sufficiently. However, as I said, we are prioritizing those people that we know have been affected by this event. David, I don't know whether you want to add anything further about our comms?
David Koczkar
executiveNo. I think it's about -- we have started to provide personalized updates to all 9.7 million current and former customers. We are -- that is in progress. So you should expect an update in the next few days if you haven't already. As Mike said, we're prioritizing people who -- whose data has been released on the dark web, and we have been prioritizing communications with them. I would also just reassure you, if you would like to speak to one of our people outside, there are options available to support you through our Cyber Response hardship package, which we have communicated to all of our customers that's available for them.
Michael Wilkins
executiveWhile we seem to have a hiatus of questions in the room here, perhaps we can go to some of the online questions. So can we move firstly to those who are online and who have written questions that have been submitted in advance of this and during the meeting. We will come back to those in the room at the conclusion of this. So online questions, please.
Unknown Attendee
attendeeChair, we have a question from shareholder, Mr. James Thorpe who asks, "Why does Medibank have targets for gender rather than employing the best person for the job?"
Michael Wilkins
executiveMr. Thorpe, thank you for your question. I don't think that, that's mutually exclusive. We think that having gender targets and a gender balance in our operations is a good thing for the organization. However, we always err on the side of -- well, not err, we always look for the best person for the job. Medibank has said that we are seeking to have a ratio of 40-40-20, that is 40% males, 40% females and 20% either male or female in terms of all of our senior management and Board positions, and we're currently achieving that. Can we have the next question, please?
Unknown Attendee
attendeeChair, a representative of [ Inastellen Enterprises Pty Ltd ] asks, "Will the Board be nominating itself for a Nobel Prize?"
Michael Wilkins
executiveNo, but thank you for your support of us. Can we move to the next question, please?
Unknown Attendee
attendeeShareholder Margaret Wong asks, "When are shareholders/customers going to be informed of what personal information was collected by hackers? The current general e-mails and press releases so far seemed pretty lackluster."
Michael Wilkins
executiveWell, thank you, Ms. Wong. I think that we really addressed that question in terms of the last speaker in the room here. We continue to prioritize those customers that we know have been affected by this. However, as David said, over the coming days, we will be communicating with all 9.7 million current and former customers. That matter of priority, we felt, was the right thing to do because it is those customers who are most vulnerable and most at risk at this stage. We'll have the next question, please.
Unknown Attendee
attendeeChair, a representative from Soma Pty Ltd asks, "Has the question of potential cybercrime ever been discussed at Board level prior to the recent attack?"
Michael Wilkins
executiveThank you for that question. I think like all Boards, cyber has been top of mind in terms of risks for Medibank as well as for most other places that I'm involved and I'm pretty sure for all corporates. Certainly, we have regular discussions around that. We undertake reviews and we undertake role plays in terms of what might happen in the event of a cybercrime. That playbook that we put in place was actually deployed during the cybercrime, and I believe has served us well, although I preferred not to have the situation arise. Can we have the next question, please?
Unknown Attendee
attendeeChair, shareholder David Kim Fa Kong Fong Lin asks, "Will there be continuous testing of the company's infrastructure? And will there be a voice security code implemented when members call Medibank?"
Michael Wilkins
executiveThere is already a continuous testing of the company's infrastructure. We've beefed that up even more, as David said during his presentation. However, there is regular reviews, not only by our own people, but by third parties in terms of our infrastructure. In terms of voice security code, we already ask security questions to our customers to make sure that it's you when you call into our customer service centers. So I don't know that we would be looking to implement anything more than that, but I'm happy to take it on board and discuss it with David and the team. Can we have the next question, please?
Unknown Attendee
attendeeChair, Mr. Tapezei Ashetu Bizumei asks, "Can you explain to us the effect of the cybercrime to Medibank customers and shareholders? As a shareholder, I have lost significant amount in [ $10,000 ]."
Michael Wilkins
executiveThank you. Well, I think all the shareholders share the same pain, certainly I do, in terms of the loss of short-term value in terms of our share holdings. This cybercrime is a malicious crime against our customers and against Medibank. It's an attempt to use fear and intimidation as an extortion technique. And it's something that your Board determined it was not appropriate for us to get into. In fact, had we actually paid a ransom, we think that would have been counterproductive. It would have put the Australian community more at risk because Australia would be seen as a lighter touch and a place where you could go to continue to ply that insidious trade. We hope that Medibank's share price recovers from this. We are attempting to maintain the communications with our customers. And as I said earlier, we're prioritizing those customers who've been affected most by this event, but we will be communicating with all customers. We might take one more question from online, and then we'll come back to -- oh, sorry, we'll then move to audio questions, and then we'll come back to the room here in Melbourne.
Unknown Attendee
attendeeChair, we have a question from Dr. K. Linda Greenfield in 2 parts. She asks, "How did the criminals obtain access to Medibank systems in the first instance? And we have now heard that extra security protections are in place, but why weren't these in place previously?"
Michael Wilkins
executiveDr. Greenfield, thank you. We believe, and we've said publicly, that the insertion into our systems was via compromised credentials from someone who had high-level system access, but we're still running that to ground and it's certainly subject to an ongoing investigation from the Australian Federal Police. David mentioned that we put additional security protections in place, they're like belt and braces and another belt, I guess, to make sure that our systems were secure and there was no further nefarious activity inside our systems. We believe that our protections were sufficient at the time, but that will -- whether that's true or not, will actually be subject to the investigation that we've announced we've commissioned Deloitte to undertake this morning. Perhaps we could now move to see whether there's any audio questions. Operator, are there any questions from people on the phone?
Operator
operatorThere are no audio questions, Chair.
Michael Wilkins
executiveThank you. We might come back then to the room in Melbourne to see whether there's any further questions. And Mr. Aird, I think I saw that you had a question previously.
Peter Aird
shareholderYes, thank you, Mr. Chairman. Just in the context of the recent breach, noting Medibank's business model now has significant numbers of staff working remotely, what changes is Medibank making to its staff IT access processes?
Michael Wilkins
executiveWell, we think our access processes have been quite robust in terms of that. Certainly, we've had multifactor authentication as a standard across our systems for some time. And I can attest to that given that I forgot my password once and needed to go through quite a rigmarole to be able to get back into the system including two-factor authentication. So we think that our staff still need to go through those protocols to be able to access our systems. It doesn't look like there are any other immediate questions in the room here. Oh, there is, I beg your pardon, somebody coming also to microphone 2.
Unknown Attendee
attendeeChair, may I introduce Linda Watson, who is a shareholder.
Unknown Shareholder
shareholderSo I'm standing up here as both a shareholder but I am also actually a victim of the data breach. So I have a few things to say. So one is I applaud the transparency and the updates that have been given and not paying the criminals.
Michael Wilkins
executiveThank you.
Unknown Shareholder
shareholderHowever -- and also the fact that you're actually doing an outside review, however, what I don't like is that when I was communicated with that my personal data had been accessed, it looked like all the other updates at the beginning. So I actually didn't look at that information until later, and it was sent quite late on Friday. So I've spent the weekend where possible contacting certain organizations to try and beef up my own security. Having said that, the things that were accessed, because it wasn't one or two pieces but multiple pieces of information, they are the types of things that I used to identify me in security questions. So what I would say to you is in the review, what are you looking at to remove the data from the dark web as well as sourcing the particular criminals? And also, what are you looking to do to not hold my information any longer than is absolutely necessary?
Michael Wilkins
executiveThank you for your question, and thank you for your comments on our communication. We'll take that one on board. I'm sorry that the communication appeared to be all of the others, and we will take that one on board and seek to -- that -- what you've raised with us will be something that we can improve on as we're communicating with others who have been affected here. In terms of attempting to remove data from the dark web, I don't think that's something that Medibank can do. However, we are speaking regularly with the Australian Cyber Security Centre and with the Australian Federal Police, who David mentioned have been involved with Operation Guardian here, and I know that they are monitoring the dark web and seeking to remove that data where and if they can. But I don't think that I can give you any guarantees on that. In terms of holding information, we try not to hold information for any longer than we need to. But in terms of the various commonwealth and state legislation that we are managed under at the moment, we have to maintain certain data for 7 years for adults or in terms of minors, until they turn 25. If that changes, then our data retention policy will also change. We do try to deal with the privacy of individuals as best we can. And we have an extensive privacy policy, which is available on our website for those who are interested in looking to it. It doesn't appear to be any further questions here immediately. We might go again to those questions that have come through online.
Unknown Attendee
attendeeChair, we have 2 questions from shareholders, Mario Distella and Angela Distella. "What processes have been put in place to ensure that all employees of Medibank are thoroughly checked, that they are not linked to cybercriminals? And are there any plans to extend private hospital cover in emergency departments of all hospitals, including private hospitals?"
Michael Wilkins
executiveWell, thank you for both of those questions. And I'm not sure that I know the answer to either of them, but perhaps David, I can ask you. I do know that we thoroughly vet all of our employees. But I don't know that we've had a specific question around linkage to cybercriminals. I don't know whether you've got a comment on that one.
David Koczkar
executiveNo, I think it's the same. We do vet all our employees and make sure before they're employed, they have a thorough police check as part of their onboarding. So that's -- that would assume that, that would cover that as well.
Michael Wilkins
executiveYes. And while you're going, you might actually address the next one because I literally don't know the answer to that about extending private hospital cover and emergency departments to all hospitals, including private hospitals.
David Koczkar
executiveYes. So in terms of -- we do have some of our covers cover some of our members in -- some coverage in private hospital departments, but that's something we continue to understand from our customers what they would like to see, and we'll continue to review that.
Michael Wilkins
executiveThanks, David. Can we have the next question, please?
Unknown Attendee
attendeeChair, we have a question from shareholder, Mr. Stephen Joseph Smith, who asks, "Did the cybercriminals get access to the share registry records in addition to the customer policyholder records?"
Michael Wilkins
executiveMr. Smith, our shareholder record -- share registry records are maintained by our share register, Computershare, which is on a totally different system to that, that Medibank maintains for its customers. So no, we do not believe that the cybercriminals gained any access to our share registry records.
Unknown Attendee
attendeeChair, the next question comes from shareholder Kim Mye Young, who asks, "With the increase in cybercrimes, would the Board consider having future directors with knowledge of IT technology?"
Michael Wilkins
executiveWell, we are continuing to look at the skills that we need to have around our Board table. And obviously, with the current situation, but also just with the importance of technology more generally, we will use that as one of the filters. As I mentioned, our decision to ask Peter Everingham to join our Board was driven by his extensive knowledge of digital technology and the importance that, that technology is playing in our future. And we continue to assess the Board skills that we need to have around our table.
Unknown Attendee
attendeeChair, we have 2 questions from shareholder Mi Ling Sang. The first question, "The security questions asked by Medibank staff, the customer identity verification and the very information that was hacked and linked, will Medibank be reviewing the identity verification process?"
Michael Wilkins
executiveThank you for that. We will continue to review our processes on this front. David, I don't know whether you want to comment on what we might have done in the immediate short term.
David Koczkar
executiveYes. So I think it's a very important point. We already have reviewed the identity verification process we put in place given this incident. And so we will do everything we can to ensure privacy is maintained.
Unknown Attendee
attendeeChair, sorry, the second question. "Will Medibank provide Equifax credit monitoring services to all impacted customers?"
Michael Wilkins
executiveWell, Ms. Sang, we have said that as part of our comprehensive Cyber Response Support Program that we are offering specialist identity protection advice and resources through IDCARE's purpose-built Medibank page. However, for those customers who do feel that they are particularly compromised, we are offering free identity monitoring services. But it's really for those customers that have been compromised by the event. I suggest that if you are concerned that you contact us to have that discussion.
Unknown Attendee
attendeeChair, the next question comes from Ms. Katelyn Anna Singleton, shareholder. "You've stated that your customer data systems were accessed using compromised credentials, have your investigations yet ascertained how this compromise occurred?"
Michael Wilkins
executiveMs. Singleton, that's not a question that I can answer at the moment given that this is a matter that's subject to an ongoing criminal investigation by the Australian Federal Police. As I said, we believe our systems were accessed using compromised credentials. But until the AFP investigation is complete, I don't think that, that's something that I can further comment on.
Unknown Attendee
attendeeChair, I can confirm we have no further questions.
Michael Wilkins
executiveNo further questions there. Are there any audio questions?
Unknown Attendee
attendeeNo audio questions.
Michael Wilkins
executiveNo audio questions? Last call, are there any further questions in the auditorium in Melbourne? It doesn't appear so. It looks like we've now reached the end of the formal business of the meeting. Voting will shortly close, so I'll ask all shareholders and proxies to please finalize your votes. I once again display the results of the proxies received on items 2 to 8. Once the voting has been finalized and the final reports been issued, we'll release these outcomes to the ASX and we'll publish them on Medibank's website, where you'll be able to access them later this afternoon. [Voting]
Michael Wilkins
executiveI now close the polls. On behalf of the board, I thank all of you for your attendance today and for your support of Medibank. With the business of this meeting being complete, I now declare the meeting closed. For those shareholders who are joining us in Melbourne, I invite you to join your Directors for refreshments in the foyer outside. And for those who have attended online today, I thank you again for your attendance, and wish you all a good day. Thank you.