Overview

In today’s digital-first landscape, cybersecurity is vital to safeguarding customers’ financial and personal information and to maintaining the trust that is the foundation of banking. Cyber threats are not just about data breaches or financial losses; they can undermine financial stability, erode public confidence, and affect the well-being of individuals, communities, and the broader economy.

As stewards of sensitive data and financial assets, CIMB takes this responsibility seriously. We are committed to upholding data privacy by respecting individual rights and managing personal information with integrity. Through a strong risk management culture embedded across our operations, we work proactively to protect our customers and preserve the security of the financial system.

Cybersecurity Governance

Information Security is a cornerstone of CIMB's risk management, as well as fraud and crime prevention programmes. CIMB has continuously improved efforts on assessment, monitoring, and strengthening of cybersecurity protection and access controls. Cybersecurity is a key component of technological risk, which is managed under the Enterprise-wide Risk Management Framework.

CIMB's cybersecurity processes, technology, and manpower are benchmarked against the best in the industry. We adhere to Financial Services Industry Best Security Standards, as well as local regulatory and procedural requirements. This also extends to the suite of policies that articulate our approach to security, including the Group Technology Risk Management Framework and the Group IT Security Policy, developed and certified in alignment with the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO 27001.

We are members of the Bank Negara Malaysia Financial Threat Intelligence Platform (FIN-TIP), the BNM Cyber Working Group (CWG) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber-intelligence sharing community focused on financial services.

Board Responsibility

Mr Chu Hong Keong, an Independent Director, provides oversight on CIMB’s cybersecurity strategy as a member of the Banking Group Board Risk and Compliance Committee. He has over 30 years of experience and expertise in banking technology and operations, e-business, strategic and digital transformation and risk/fraud management.

Executive Management Responsibility

The Chief Information Security Officer has oversight of technology and cybersecurity risks, and regularly reports to the Group Chief Risk Officer. The Data Protection Office serves as an advisor on the Privacy Principle of Security and liaison with the Privacy/Data Protection regulator in respective countries.

Managing Technology and Cybersecurity Risk

Lines of Defence

First Line of Defence

Group Information and Cyber Security teams, and Designated Compliance and Risk Officers, are responsible for the adoption and operationalisation of cybersecurity controls and monitoring to ensure the Group's IT Network and ecosystem are secured from internal and external cyber threats.

Second Line of Defence

The Chief Information Security Officer oversees Technology and Cyber Risks, reporting regularly to Group Risk. The Data Protection Office serves as an advisor on the Privacy Principle of Security and liaison with the Privacy/Data Protection regulator in countries that have such laws.

Third Line of Defence

The Group Corporate Assurance Division provides independent assurance on the effectiveness of cyber security controls and risk management activities.

Cybersecurity Operations

The Group IT and Cyber Security department conducts periodic, proactive security assessments and reviews, such as penetration tests, vulnerability assessments, patch assessments and risk and impact analyses, all of which are verified by independent external experts. The team carries out periodic cyber drill simulations, intelligence-led penetration tests, compromise assessments, red teaming exercises and business continuity exercises.

Our Security Operations Centre ensures round-the-clock security vigilance by employing an advanced analytics-driven Security Information and Event Management solution. The system collects, analyses and inspects high volumes of network and other machine data in real time. At the same time, our Cyber Threat Intelligence team proactively monitors various sources and threat intelligence feeds for any information that can potentially impact the Bank’s security posture. Any potential risk is promptly escalated to the Computer Emergency Response Team (CERT) for further investigation. We have also continued to strengthen our environmental controls by augmenting CIMB’s access, segregation and encryption standards and technologies.

System Readiness and Testing

The Cyber Security Defense team is responsible for providing continuous monitoring via its Security Operations Centre (SOC), which processes thousands of early warning indicators of possible compromises, keeping our network secure.

The Cyber Threat Intelligence and Computer Emergency Response teams prevent intrusions, detect and monitor security alerts and anomalies, perform impact assessments, develop containment and remediation strategies and perform forensic investigations on internal and external threats.

The Group's Information and Cyber Security department is ISO 27001 certified to ensure its processes are robust. The teams also support employees with the provision of security tools, maintenance and support, and manage third-party physical and network security.

Information Security Awareness Training

CIMB has an information security management programme that includes security awareness training. The Group IT and Cyber Security department conducts security awareness exercises and training for employees across the Group. These training initiatives are part of the department's comprehensive cybersecurity operations, which also include providing essential digital tools and services for day-to-day operations. Additionally, CIMB conducts cyber drill simulations and business continuity exercises to ensure preparedness. CIMB also performs security awareness assessments through simulation exercises to evaluate cybersecurity awareness among team members, with additional training provided to those who do not meet the required standards.

Data and Information Governance

We operate in accordance with our Group Data Privacy, Data Protection and Management Policies, which articulate our commitment to collecting, using, and safeguarding customer and stakeholder data at a consistent and high standard. Our data and security management policies and processes are seamlessly integrated into our robust risk and control framework.

The Data Protection/Privacy function reports to the Group Data Protection Office, led by the Group Data Governance Head for Data, Regulations and Standards. In 2023, we completed the consolidation of Privacy and Data Governance under Group Technology and Data in Malaysia, Indonesia, Singapore and Thailand. This allows CIMB to be agile and holistic in governing and responding to changes in non-financial laws and regulations pertaining to data and the responsible use of new technologies.

The Data Protection Office also serves as an advisor on the Privacy Principle of Security and liaison with the Privacy/Data Protection regulator in countries that have such laws. Our regional teams engage independent assessors to evaluate our readiness for emerging legal requirements. Thailand and Vietnam enacted their Personal Data Protection laws in 2022 and 2023 respectively, and in line with these, CIMB Thai and Vietnam have rolled out policies and procedures under their Data Protection Office. CIMB Niaga also completed its first phase of readiness in 2023 for the enforcement of the law in 2024, with a review done in 2024.

The execution of the policies and framework is a shared responsibility among all employees, overseen through senior-level governance forums. To ensure compliance, Data Protection Officers are appointed to monitor, enforce and update the organisation’s policies and procedures, aligning with local laws and regulations.

The Group Technology Steering Committee and the Group Risk and Compliance Committee guide management decisions, including the oversight of outsourced service providers, while the Group Transformation Committee monitors technology and data plans, overseeing the implementation progress and ensuring alignment with business plans.

As part of CIMB's risk and control framework, we regularly conduct reviews to ensure our data, privacy and security controls and processes operate effectively.

As per our Code of Conduct, all employees are reminded of the consequences of breaching customer privacy and the confidentiality of customer information. Any employee who breaches these laws will be subject to disciplinary action, which may include dismissal.

All employees are trained on their responsibility to safeguard customer information and data privacy as part of the compulsory Information Security Awareness e-learning. We provide comprehensive training to all our employees on these policies to ensure they are fully aware of our stance regarding data protection and confidentiality in the workplace. In cases of breaches, incidents or suspicious activities, employees are required to escalate concerns through established channels. Our Whistleblowing Policy clearly outlines the escalation process for reporting incidents, which enables employees to report concerns confidentially and securely. Reports on wrongdoings, malpractices or irregularities may be emailed to the designated whistleblowing channel, where matters will be investigated accordingly.

Permitted Data Disclosures and Transfers

We adopt the following principles to take incremental, measured steps to manage our data disclosures.

Transparency

We will be clear and transparent about how we use customers’ information.

Lawful and regulatory bases

We will only use customers’ information in accordance with relevant laws, and where we have a legal basis for doing so. Where disclosures to law enforcement or other regulatory authorities are required, we will assess and verify these requests, as well as the scope and veracity of the data that we are permitted to disclose.

Purpose limitation and data minimisation

We will only use customers’ information for specific purposes and not more widely for unrelated purposes. We only use and disclose the data necessary for that purpose.

Data transfer

Where we need to transfer customers’ information to another CIMB entity, a third party or another jurisdiction, we will assess whether the transfer is allowed under relevant laws, and whether the receiving party commits to use and protect the data under the same laws.

Third parties

If we use a third-party provider or agent, we will undertake due diligence, monitoring and assurance to ensure our customers’ information is appropriately protected, and that the data is processed to CIMB’s standards and requirements.

The Group Information Security Policy sets out requirements for third parties (e.g. suppliers) to ensure they are responsible for the security of information they possess, or otherwise store, process, or transmit on behalf of the Group.

Upholding Trust in Privacy and Confidentiality

We foster trust by upholding Data Protection (Privacy) principles and standards across the region to ensure that our data subjects, products, and services are managed confidentially and securely. We integrate security, privacy, and confidentiality considerations within the design and operations of our systems, products, and services to keep our data and stakeholders safe. Our privacy policy applies to CIMB Group's operations including suppliers, as outlined in the Group Privacy Notice. Customers and other data subjects seeking to understand how we manage their data can refer to our Privacy Notice for more information.

CIMB's policies, procedures and control measures for safeguarding customer information are subject to an independent review at least once every two years. This is reflected in the Management of Customer Information and Permitted Disclosures audit, which assesses the adequacy and effectiveness of key controls in safeguarding customer information. Internal Audit also performs bi-annual audits of privacy and confidentiality as part of its reviews of data protection (PDPA), Management of Customer Information and Permitted Disclosures (MCIPD) and other regulatory requirements. Our most recent audits were conducted in 2024 and 2025. The audit covers our relevant framework, governance structure and key controls relating to information and communication technology, access and permitted disclosures. It also examines our handling of data privacy incidents and the management oversight of outsourced service providers.

The Group’s governance includes appropriate due diligence and service agreements, intra-group services and centralised systems. Where the regulations differ, the Group or its licensed financial institution will adopt the stricter requirements.

Principles of Privacy and Responsible Use of Data

CIMB operates in a highly regulated and digital environment. We seek to maintain and continuously improve on ethical, responsible and consistent approaches to managing data and systems, as well as their corresponding risks, be it privacy, quality or security. The core tenets of our approach are:

  • Purpose / Consent
    Protects a data subject by requiring consent and the purpose for any processing.

  • Disclosure
    Prohibits disclosure without consent or for an appropriate purpose.

  • Security
    Levels of security to protect from unauthorised or accidental loss or misuse.

  • Integrity / Quality
    Data is accurate, not misleading, and kept up to date, for the purpose it was processed.

  • Retention
    Data is not stored longer than required.

  • Access
    Right of access and correction by the data subject.

  • Notice and Choice
    Transparency and choice given to the data subject on the nature of processing.

CIMB is committed to protecting its customers’ personal data and respecting their individual preferences. In line with the Personal Data Protection Act 2010 (PDPA) and its Privacy Policy, CIMB provides its customers with the ability to manage how their personal data is processed. Customers have the option to opt in or opt out of selected uses of their personal data, including how CIMB communicates with them.

Responsible and Fair Use of Data

CIMB’s philosophy of ethical and responsible use of data means that we are respectful and empathetic to those whose personal data we collect, process, store or transmit. Our Privacy Policy and notices outline the fundamental principles guiding the collection, use and protection of personal data, including our approach to emerging technologies such as Cloud and Artificial Intelligence (AI).