You Are In

  • Who We Are
  • Sustainability
  • Our Businesses
  • Newsroom
  • Careers
Who We Are
Sustainability
Our Businesses
Newsroom
Careers
Our Presence
Leadership
History
Awards
Our Roadmap
Our Priorities
2025
2024
2023
2022
2021
2020
2019
2018

Overview

 

CIMB recognises the significant cyber threats faced by financial institutions due to the abundance of customer data and financial assets. Given the potential for severe repercussions from cyber-attacks, safeguarding the credibility and integrity of our online systems remains a top priority. 

 

By prioritising cybersecurity, CIMB not only fortifies customers' trust but also ensures the continued protection of critical data and seamless business continuity. This long-term approach, rooted in robust data management practices, enhances efficiency in meeting stakeholders' needs and expectations while shielding against fraud and scams.

Managing Technology and Cybersecurity Risk

First Line of Defense Second Line of Defense Third Line of Defense

Group Information and Cyber Security teams, and Designated Compliance and Risk Officers, are responsible for the adoption and operationalisation of cybersecurity controls and monitoring to ensure the Group's IT Network and ecosystem are secured from internal and external cyber threats.

 

The Chief Information Security Officer oversees Technology and Cyber Risks, reporting regulary to Group Risk.


The Data Protection Office serves as an advisor on the Privacy Principle of Security and liaison with the Privacy/Data Protection regulator in countries that have such laws.

The Group Corporate Assurance Divison provides independent assurance on the effectiveness of cyber security controls and risk management activities.

 

 

 

 

Cybersecurity Governance​

 

Information Security is a cornerstone of CIMB's risk management, as well as fraud and crime prevention programmes. CIMB has continuously improved efforts on assessment, monitoring, and strengthening of cybersecurity protection & access controls. Cybersecurity is a key component of technological risk, which is managed under the Enterprise-wide Risk Management Framework. Independent Directors with technology backgrounds oversee technology and cybersecurity risks and strategy. The Chief Information Security Officer has oversight of technology and cybersecurity risks, and regularly reports to the Group Chief Risk Officer. ​

CIMB's people, processes and technology are benchmarked against the best in the industry. We adhere to Financial Services Industry Best Security Standards, as well as local regulatory and procedural requirements. This also extends to the suite of policies that articulate our approach to security, including the Group Technology Risk Management Framework, and the Group IT Security Policy, developed and certified in alignment with the US National Institute of Standards and Technology Cybersecurity Framework (NIST) and ISO27001. ​

We are members of the Bank Negara Malaysia Financial Threat Intelligence Platform (FIN-TIP), BNM Cyber Working Group (CWG) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber-intelligence sharing community focused on financial services.​

 

Data and Information Governance​

 

CIMB's Privacy Policy sets out our commitment to collect, use and protect customer and stakeholder data to a consistent standard. Group Technology and Data's governance and risk reporting and escalation adhere to the Group's framework, whereby the strategy and plans, as well as the issues and risks are reported and approved by the respective Board nominated committees.

 

At the tactical and operational level, the Group Technology Steering Committee and Group Risk and Compliance Committee provide guidance and management decision-making including monitoring outsourced service providers. The Group Transformation Committee monitors the technology and data plans, as well as the implementation progress and alignment to business plans, while all CIMBians are responsible for the management of data and information risk, with oversight through appropriate governance forums. ​

As part of CIMB's risk and control framework, we regularly conduct reviews to ensure our data, privacy and security controls and processes are operating effectively. Data Protection Officers are appointed in applicable countries to monitor and enforce the organizations processes for personal data in accordance with the applicable laws and the Group's policy and procedures. As per our Code of Conduct, all employees are constantly reminded of the consequences of breaching customer privacy and confidentiality of customer information. Any employees found in breach of these laws will be subject to disciplinary action, which may include dismissal.​

System Readiness and Testing

 

The Cyber Security Defense team is responsible for providing continuous monitoring via its Security Operation Centre (SOC), which processes thousands of early warning indicators of possible compromises, keeping our network secure.​

 

The Cyber Threat Intelligence and Computer Emergency Response teams have the following duties:​

  • Prevent intrusions​

  • Detect and monitor security alerts and anomalies​

  • Perform impact assessments​

  • Develop containment and remediation strategies​

  • Perform forensic investigation on internal and external threats​

 

The teams also conduct cyber drill simulations, business continuity exercises and security awareness and training, alongside the provision of security tools, maintenance and support, as well as management of third-party physical and network security. ​

As part of our commitment to trust and security, CIMB Group's Information and Cyber Security department continues to maintain international security standards, with ISO27001 independent certification for our security operations, while also encouraging employees to report any suspicious activities related to information security or cybersecurity.​

As part of CIMB's risk and control framework, we regularly conduct reviews to ensure our data, privacy and security controls and processes are operating effectively. Data Protection Officers are appointed in applicable countries to monitor and enforce the organizations processes for personal data in accordance with the applicable laws and the Group's policy and procedures. As per our Code of Conduct, all employees are constantly reminded of the consequences of breaching customer privacy and confidentiality of customer information. Any employees found in breach of these laws will be subject to disciplinary action, which may include dismissal.​

Permitted Data Disclosures and Transfers​

 

We adopt key principles in our effort to take incremental measured steps to manage our data disclosures. 

 

Transparency

We will be clear and transparent about how we use customers’ information.

 

Lawful and regulatory bases:

We will only use customers’ information in accordance with relevant laws, and where we have a legal basis for doing so. Where disclosures to law enforcement or other regulatory authorities are required, we will assess and verify these requests, as well as the scope and veracity of data that we are permitted to disclose.

 

Purpose limitation and data minimisation:

We will only use customers’ information for specific purposes and not more widely for unrelated purposes. We only use and disclose the data necessary for that purpose.

 

Data transfer

Where we need to transfer customers’ information to another CIMB entity, a third party or another jurisdiction, we will assess whether the transfer is allowed under relevant laws, and whether the receiving party commits to use and protect the data under the same laws.

 

Third parties

If we use a third-party provider or agent, we will undertake due diligence, monitoring and assurance to ensure our customers’ information is appropriately protected, and that the data is processed to CIMB’s standards and requirements.

Principles of Privacy and Responsible Use of Data​

 

CIMB operates in a highly regulated and digital environment. We seek to maintain and continuously improve on ethical, responsible and consistent approaches to managing data and systems, as well as their corresponding risks, be it privacy, quality or security. The core tenets of our approach are:​

 

  • Purpose / Consent
    Protects a data subkect by requiring consent and purpose for any processing.

  • Disclosure
    Prohibits disclosure without consent or appropriate purpose.

  • Security
    Levels of security to protect from unauthorised or accidental loss or misuse.

  • Integrity / Quality
    Data is accurate, not misleading, and kept up to date, for the purpose it was processed.

  • Retention
    Data is not stored longer than required.

  • Access
    Right of access and correction by the data subject.

  • Notice and Choice
    Transparency and choice given to the data subject on the nature of processing.

 

Upholding Trust in Privacy and Confidentiality​

 

We foster trust by upholding Data Protection (Privacy) principles and standards across the region to ensure that our data subjects, products and services are managed in a confidential and secure manner. We embed security, privacy and confidentiality considerations within the design and operations of our systems, products and services to keep our data and stakeholders safe

 

The Group’s governance includes appropriate due diligence and service agreements, including intra-group services and centralised systems. Where the regulations differ, the Group or its licensed financial institution will adopt the stricter requirements.

 

Our policies, procedures and control measures for safeguarding customer information are subject to an independent review at least once every two years. This is reflected in our Management of Customer Information and Permitted Disclosures audit, which assesses the adequacy and effectiveness of our key controls in safeguarding customer information. The audit covers our relevant framework, governance structure, and key controls such as those relating to information and communication technology (ICT), access, and permitted disclosures. It also examines our handling of data privacy incidents and management oversight on outsourced service providers. Our most recent audit was conducted in 2023. 

Responsible and Fair Use of Data​

 

CIMB's philosophy of ethical and responsible use of data means that we are respectful and empathetic to our data subjects in our management and use of data. Our privacy policy and notices communicate the fundamental way we collect, use and care for personal data, as well as address services from net technologies such as cloud and Artificial Intelligence (AI). In addition to privacy principles, our obligations as a regulated financial institution requires us to safeguard customer confidentiality and ensure the secure use of customer data.​

You may also like

Our Roadmap
Sustainable & Responsible Finance
Governance & Ethics
Risk Management & Business Resilience
Digitalisation & Innovation
Customer Experience
Statement on Biodiversity and Nature
Our Path to Net Zero Whitepaper
Our Sustainable Finance Framework
Latest Sustainability Report
The Cooler Earth Sustainability Summit

You are about to enter a third party website & CIMB Group's Privacy Policy will cease to apply.

This link is provided for your convenience only and shall not be considered or construed as an endorsement or verification of such linked website or its contents by CIMB Group.

 

CIMB Group makes no warranties as to the status of this link or information contained in the website you are about to access.

 

Do you wish to proceed?

Yes, please proceed