Overview

In today’s digital-first landscape, cybersecurity is vital to safeguarding customers’ financial and personal information and to maintaining the trust that is the foundation of banking. Cyber threats are not just about data breaches or financial losses; they can undermine financial stability, erode public confidence, and affect the well-being of individuals, communities, and the broader economy.

As stewards of sensitive data and financial assets, CIMB takes this responsibility seriously. We are committed to upholding data privacy by respecting individual rights and managing personal information with integrity. Through a strong risk management culture embedded across our operations, we work proactively to protect our customers and preserve the security of the financial system.

Cybersecurity Governance

Information Security is a cornerstone of CIMB's risk management, as well as of its fraud and crime prevention programmes. CIMB continuously improves its assessment, monitoring and strengthening of cybersecurity protection and access controls. Cybersecurity is a key component of technology risk, which is managed under the Enterprise-wide Risk Management Framework.

CIMB's cybersecurity processes, technology and manpower are benchmarked against the best in the industry. We adhere to Financial Services Industry Best Security Standards, as well as local regulatory and procedural requirements. This also extends to the suite of policies that articulate our approach to security, including the Group Technology Risk Management Framework and the Group IT Security Policy, which were developed and certified in alignment with the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO 27001.

We are members of the Bank Negara Malaysia Financial Threat Intelligence Platform (FIN-TIP), the BNM Cyber Working Group (CWG) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber-intelligence sharing community focused on financial services.

Board Responsibility

Mr Chu Hong Keong, an Independent Director, provides oversight of CIMB’s cybersecurity strategy as a member of the Banking Group Board Risk and Compliance Committee. He has over 30 years of experience and expertise in banking technology and operations, e-business, strategic and digital transformation, and risk/fraud management.

Executive Management Responsibility

The Chief Information Security Officer has oversight of technology and cybersecurity risks and reports regularly to the Group Chief Risk Officer. The Data Protection Office serves as an advisor on the Privacy Principle of Security and as liaison with the Privacy/Data Protection regulator in the respective countries.

Managing Technology and Cybersecurity Risk

Lines of Defence

First Line of Defence

Group Information and Cyber Security teams, and Designated Compliance and Risk Officers, are responsible for the adoption and operationalisation of cybersecurity controls and monitoring, to ensure the Group's IT network and ecosystem are secured from internal and external cyber threats.

Second Line of Defence

The Chief Information Security Officer oversees technology and cyber risks, reporting regularly to Group Risk.

The Data Protection Office serves as an advisor on the Privacy Principle of Security and as liaison with the Privacy/Data Protection regulator in countries that have such laws.

Third Line of Defence

The Group Corporate Assurance Division provides independent assurance on the effectiveness of cyber security controls and risk management activities.

Cybersecurity Operations

The Group IT and Cyber Security department conducts periodic, proactive security assessments and reviews, such as penetration tests, vulnerability assessments, patch assessments and risk and impact analyses, all of which are verified by independent external experts. The team carries out periodic cyber drill simulations, intelligence-led penetration tests, compromise assessments, red teaming exercises and business continuity exercises. It also conducts security awareness exercises and training and provides essential digital-related tools and services for day-to-day operations across the organisation.

Our Security Operations Centre ensures round-the-clock security vigilance by employing an advanced, analytics-driven Security Information and Event Management solution. The system collects, analyses and inspects high volumes of network and other machine data in real time. At the same time, our Cyber Threat Intelligence team proactively monitors various sources and threat intelligence feeds for any information that could affect the Bank’s security posture. Any potential risk is promptly escalated to the Computer Emergency Response Team (CERT) for further investigation. We have also continued to strengthen our environmental controls by augmenting CIMB’s access, segregation and encryption standards and technologies.

System Readiness and Testing

The Cyber Security Defense team is responsible for continuous monitoring via its Security Operations Centre (SOC), which processes thousands of early warning indicators of possible compromise, keeping our network secure.

The Cyber Threat Intelligence and Computer Emergency Response teams prevent intrusions, detect and monitor security alerts and anomalies, perform impact assessments, develop containment and remediation strategies, and perform forensic investigations of internal and external threats.

The Group's Information and Cyber Security department is ISO 27001 certified to ensure its processes are robust. The teams also conduct cyber drill simulations, business continuity exercises, and security awareness and training; support employees with the provision, maintenance and support of security tools; and manage third-party physical and network security.

Data and Information Governance

We operate in accordance with our Group Data Protection and Management Policies, which articulate our commitment to collecting, using, and safeguarding customer and stakeholder data at a consistent and high standard. Our data and security management policies and processes are seamlessly integrated into our robust risk and control framework. The execution of the policies and framework is a shared responsibility among all employees, overseen through senior level governance forums. To ensure compliance, Data Protection Officers monitor, enforce and update the organisation’s policies and procedures, aligning with local laws and regulations.

CIMB's Privacy Policy sets out our commitment to collect, use and protect customer and stakeholder data to a consistent standard. As part of CIMB's risk and control framework, we regularly conduct reviews to ensure our data, privacy and security controls and processes operate effectively.

Data Protection Officers are appointed to monitor and enforce personal data protection in accordance with the applicable laws and the Group's policy and procedures. As per our Code of Conduct, all employees are reminded of the consequences of breaching customer privacy and the confidentiality of customer information. Any employee who breaches these laws will be subject to disciplinary action, which may include dismissal.

Permitted Data Disclosures and Transfers

We apply the following principles to manage our data disclosures in measured, incremental steps.

Transparency

We will be clear and transparent about how we use customers’ information.

Lawful and regulatory bases

We will only use customers’ information in accordance with relevant laws, and where we have a legal basis for doing so. Where disclosures to law enforcement or other regulatory authorities are required, we will assess and verify these requests, as well as the scope and veracity of data that we are permitted to disclose.

Purpose limitation and data minimisation

We will only use customers’ information for specific purposes and not more widely for unrelated purposes. We only use and disclose the data necessary for that purpose.

Data transfer

Where we need to transfer customers’ information to another CIMB entity, a third party or another jurisdiction, we will assess whether the transfer is allowed under relevant laws, and whether the receiving party commits to use and protect the data under the same laws.

Third parties

If we use a third-party provider or agent, we will undertake due diligence, monitoring and assurance to ensure our customers’ information is appropriately protected, and that the data is processed to CIMB’s standards and requirements.

Upholding Trust in Privacy and Confidentiality

We foster trust by upholding Data Protection (Privacy) principles and standards across the region to ensure that our data subjects, products, and services are managed confidentially and securely. We embed security, privacy, and confidentiality considerations within the design and operations of our systems, products, and services to keep our data and stakeholders safe. Customers and other data subjects seeking to understand how we manage their data can refer to our Privacy Notice for more information.

The Group’s governance arrangements include appropriate due diligence, service agreements, intra-group services and centralised systems. Where regulations differ, the Group or its licensed financial institution adopts the stricter requirements.

Our policies, procedures and control measures for safeguarding customer information are subject to an independent review at least once every two years. This is reflected in our Management of Customer Information and Permitted Disclosures audit, which assesses the adequacy and effectiveness of our key controls in safeguarding customer information. The audit covers our relevant framework, governance structure, and key controls relating to information and communication technology, access and permitted disclosures. It also examines our handling of data privacy incidents and the management oversight of outsourced service providers. 

Principles of Privacy and Responsible Use of Data

CIMB operates in a highly regulated and digital environment. We seek to maintain and continuously improve ethical, responsible and consistent approaches to managing data and systems, as well as their corresponding risks, be they privacy, quality or security. The core tenets of our approach are:

  • Purpose / Consent
    Protects a data subject by requiring consent and a stated purpose for any processing.

  • Disclosure
    Prohibits disclosure without consent or for an appropriate purpose.

  • Security
    Levels of security to protect from unauthorised or accidental loss or misuse.

  • Integrity / Quality
    Data is accurate, not misleading, and kept up to date for the purpose for which it was processed.

  • Retention
    Data is not stored longer than required.

  • Access
    Right of access and correction by the data subject.

  • Notice and Choice
    Transparency and choice given to the data subject on the nature of processing.

Responsible and Fair Use of Data

CIMB’s philosophy of ethical and responsible use of data means that we are respectful and empathetic to those whose personal data we collect, process, store or transmit. Our Privacy Policy and notices outline the fundamental principles guiding the collection, use and protection of personal data, including our approach to emerging technologies such as Cloud and Artificial Intelligence (AI).

To ensure compliance, Data Protection Officers monitor, enforce and update the organisation’s policies and procedures, aligning them with local laws and regulations. We are committed to ensuring that our management of data and systems is ethical, responsible and consistent. Our regional teams engage independent assessors to evaluate our readiness for emerging legal requirements.