Cybersecurity & Data Privacy

Cybersecurity Governance​

Information Security is a cornerstone of CIMB's risk management, as well as fraud and crime prevention efforts. Cybersecurity is embedded within the Enterprise-wide Risk Management Framework and guided by the Three Lines of Defence model to identify, manage and mitigate technology and cybersecurity risks. Oversight is provided by the Group Operational Risk and Resilience Committee and the Board Risk and Compliance Committee, supported by clear policies and ongoing capability building across the Group.

CIMB's cybersecurity processes, technology and capabilities are benchmarked against the best in the industry. We adhere to Financial Services Industry Best Security Standards, as well as local regulatory and procedural requirements. This also extends to the suite of policies that articulate our approach to security, including the Group Technology Risk Management Framework, and the Group IT Security Policy, developed and certified in alignment with the US National Institute of Standards and Technology Cybersecurity Framework (NIST) and ISO27001. ​

​

We are also active participants in industry collaboration platforms, including the Bank Negara Malaysia (BNM) Financial Threat Intelligence Platform, BNM Cyber Working Group and the Financial Services Information Sharing and Analysis Center, enabling intelligence sharing and coordinated responses to emerging cyber threats.

Board Responsibility

The Board, through the Board Risk and Compliance Committee, provides oversight of CIMB’s information security and cybersecurity strategy and risks, ensuring that appropriate governance, controls and risk management practices are in place across the Group.

A number of Independent Directors have relevant technology background Mr Chu Hong Keong, an Independent Director, provides oversight on CIMB’s cybersecurity strategy as a member of the Banking Group Board Risk and Compliance Committee. He has over 30 years of experience in CIMB Group and expertise in banking technology and operations, e-business, strategic and digital transformation and risk/fraud management.

Executive Management Responsibility

The Chief Information Security Officer has oversight of technology and cybersecurity risks, and regularly reports to the Group Chief Risk Officer. ​ The Data Protection Office serves as an advisor on the Privacy Principle of Security and liaison with the Privacy/Data Protection regulator in respective countries.

Managing Technology and Cybersecurity Risk

CIMB adopts the Three Lines of Defence model:

Cybersecurity Operations

To protect our customers and stakeholders, CIMB’s Safeguarding the Bank programme focuses on frontline vigilance, advanced detection and prevention technologies, including artificial intelligence and machine learning, as well as collaboration with industry and regulators. CIMB adopts a human-first approach to both technology and customer protection, prioritising awareness, empathy and sound judgment, particularly in high-risk situations.

The Group IT and Cyber Security department conducts regular proactive security assessments and reviews, including penetration testing, vulnerability assessments, patch assessments and risk and impact analyses, all of which are verified by independent external experts. The team carries out periodic cyber drill simulations, intelligence-led penetration tests, compromise assessments, red teaming exercises and business continuity exercises.

The Security Operations Centre ensures round-the-clock security vigilance by employing an advanced analytics-driven Security Information and Event Management solution. The system collects, analyses and inspects high volumes of network and machine data in real time.

At the same time, the Cyber Threat Intelligence team proactively monitors various sources and threat intelligence feeds for information that may impact the Bank’s security posture. Any potential risk is promptly escalated to the Computer Emergency Response Team (CERT) for further investigation.

CIMB has strengthened its environmental controls by enhancing access, segregation and encryption standards and technologies.

System Readiness and Testing

The Cyber Security Defense team is responsible for providing continuous monitoring via its Security Operations Centre (SOC), which processes thousands of early warning indicators of possible compromises, keeping our network secure.​ 

The Cyber Threat Intelligence and Computer Emergency Response teams prevent intrusions​, detect and monitor security alerts and anomalies​, perform impact assessments​, develop containment and remediation strategies​ and perform forensic investigations on internal and external threats​.

The Group's Information and Cyber Security department is ISO27001 certified to ensure its processes are robust. The teams also support employees with the provision of security tools, maintenance and support, and manage third-party physical and network security. ​

Information Security Awareness Training

CIMB has an information security management programme that includes security awareness training. The Group IT and Cyber Security department conducts security awareness exercises and training for employees across the Group.

These initiatives form part of CIMB’s comprehensive cybersecurity programme, which also includes the provision of essential digital tools and services for day-to-day operations. CIMB also conducts cyber drill simulations and business continuity exercises to ensure preparedness.

Security awareness assessments are conducted through simulation exercises to evaluate employee preparedness, with additional training provided where required.

Data and Information Governance​

We operate in accordance with our Group Data Privacy, Data Protection and Management Policies, which articulate our commitment to collecting, using, and safeguarding customer and stakeholder data at a consistent and high standard. Our data and security management policies and processes are seamlessly integrated into our robust risk and control framework. 

The Data Protection/ Privacy function reports to the Group Data Protection Office, led by the Group Data Governance Head for Data, Regulations and Standards. In 2023, we completed the consolidation of Privacy and Data Governance under Group Technology and Data in Malaysia, Indonesia, Singapore and Thailand. This allows CIMB to be agile and holistic in governing and responding to changes in non-financial laws and regulations pertaining to data and the responsible use of new technologies.

The Data Protection Office also serves as an advisor on the Privacy Principle of Security and liaison with the Privacy/ Data Protection regulator in countries that have such laws. Our regional teams engage independent assessors to evaluate our readiness for emerging legal requirements. Thailand and Vietnam enacted their Personal Data Protection laws in 2022 and 2023 respectively, and in line with these, CIMB Thai and Vietnam have rolled out policies and procedures under their Data Protection Office. CIMB Niaga also completed its first phase of readiness in 2023 for the enforcement of the law in 2024, with a review done in 2024.

The execution of the policies and framework is a shared responsibility among all employees, overseen through senior level governance forums. To ensure compliance, Data Protection Officers are appointed to monitor, enforce and update the organisation’s policies and procedures, aligning with local laws and regulations.

CIMB embeds ethical, responsible and empathetic data-use practices across the organisation, reflecting respect for individuals whose personal data we collect, process or store. Our Privacy Policy outlines how we manage and protect personal data in line with evolving regulations and best practices.

The Data Protection and Privacy function, together with the Technology Risk Management team under Group Risk, supports governance and alignment with evolving regulatory and industry standards, working closely with Compliance, Legal and other Risk functions.

The Group Technology Steering Committee and Group Risk and Compliance Committee guides management decisions, including the oversight of outsourced service providers, while the Group Transformation Committee monitors technology and data plans, overseeing the implementation progress and ensuring alignment with business plans.

We regularly review our data management practices as technology and digitalisation evolve. Privacy notices are refined to improve ease of understanding, consent processes are streamlined and data impact and risk assessments are strengthened. Privacy controls are built into new systems and technology projects from the design stage.

Data is retained in accordance with legal and regulatory requirements and is deleted or rendered unreadable upon the end of the retention period. The Group regularly monitors customer feedback and potential data incidents. There were no reports or complaints of material data or data security breaches over the past five years.

As part of CIMB's risk and control framework, we regularly conduct reviews to ensure our data, privacy and security controls and processes operate effectively.

As per our Code of Conduct, all employees are reminded of the consequences of breaching customer privacy and confidentiality of customer information. Any employee who breaches these laws will be subject to disciplinary action, which may include dismissal.

All employees are trained on their responsibility to safeguard customer information and data privacy as part of the Information Security Awareness compulsory e-learning. We provide comprehensive training to all our employees on these policies to ensure they are fully aware of our stance regarding data protection and confidentiality in the workplace. In cases of breaches, incidents or suspicious activities, employees are required to escalate concerns through established channels. Our Whistleblowing Policy clearly outlines the escalation process for reporting incidents, which enables employees to report concerns confidentially and securely. Reports on wrongdoings, malpractices or irregularities may be emailed to the designated whistleblowing channel, where matters will be investigated accordingly.

Permitted Data Disclosures and Transfers​

We adopt the following principles to take incremental measured steps to manage our data disclosures. 

Transparency

We will be clear and transparent about how we use customers’ information.

Lawful and regulatory bases

We will only use customers’ information in accordance with relevant laws, and where we have a legal basis for doing so. Where disclosures to law enforcement or other regulatory authorities are required, we will assess and verify these requests, as well as the scope and veracity of data that we are permitted to disclose.

Purpose limitation and data minimisation

We will only use customers’ information for specific purposes and not more widely for unrelated purposes. We only use and disclose the data necessary for that purpose.

Data transfer

Where we need to transfer customers’ information to another CIMB entity, a third party or another jurisdiction, we will assess whether the transfer is allowed under relevant laws, and whether the receiving party commits to use and protect the data under the same laws.

Third parties

If we use a third-party provider or agent, we will undertake due diligence, monitoring and assurance to ensure our customers’ information is appropriately protected, and that the data is processed to CIMB’s standards and requirements.

The Group Information Security Policy sets out requirements for third parties (e.g. suppliers) to ensure they are responsible for the security of information they possess, or otherwise store, process, or transmit on behalf of the Group.

We foster trust by upholding Data Protection (Privacy) principles and standards across the region to ensure that our data subjects, products and services are managed confidentially and securely. We integrate security, privacy and confidentiality considerations within the design and operations of our systems, products and services to keep our data and stakeholders safe. Our Privacy Policy applies to CIMB Group's operations including suppliers, as outlined in the Group Privacy Notice. Customers and other data subjects seeking to understand how we manage their data can refer to our Privacy Notice for more information. 

CIMB's policies, procedures and control measures for safeguarding customer information are subject to an independent review at least once every two years. This is reflected in the Management of Customer Information and Permitted Disclosures (MCIPD) audit, which assesses the adequacy and effectiveness of key controls in safeguarding customer information. Bi-annual audits of privacy and confidentiality are also conducted by Internal Audit as part of reviews covering data protection (PDPA), MCIPD regulations and other applicable regulatory requirements. Our most recent audits were conducted in 2024 and 2025. The audit covers our relevant framework, governance structure, and key controls relating to information and communication technology, access and permitted disclosures. It also examines the handling of data privacy incidents and the management oversight of outsourced service providers. 

The Group’s governance includes appropriate due diligence and service agreements, intra-group services and centralised systems. Where the regulations differ, the Group or its licensed financial institution will adopt the stricter requirements.

Principles of Privacy and Responsible Use of Data​

CIMB operates in a highly regulated and digital environment. We seek to maintain and continuously improve on ethical, responsible and consistent approaches to managing data and systems, as well as their corresponding risks, be it privacy, quality or security. The core tenets of our approach are:​

• Purpose / Consent
  Protects a data subject by requiring consent and the purpose for any processing.
  
  
• Disclosure
  Prohibits disclosure without consent or for an appropriate purpose.
  
  
• Security
  Levels of security to protect from unauthorised or accidental loss or misuse.
  
  
• Integrity / Quality
  Data is accurate, not misleading, and kept up to date, for the purpose it was processed.
  
  
• Retention
  Data is not stored longer than required.
  
  
• Access
  Right of access and correction by the data subject.
  
  
• Notice and Choice
  Transparency and choice given to the data subject on the nature of processing.

CIMB is committed to protecting its customers’ personal data and respecting their individual preferences. In line with the Personal Data Protection Act 2010 (PDPA) and its Privacy Policy, CIMB provides its customers with the ability to manage how their personal data is processed. Customers have the option to opt in or opt out of selected uses of their personal data, including how CIMB communicates with them.

Responsible and Fair Use of Data​

CIMB’s philosophy of ethical and responsible use of data reflects respect and empathy for individuals whose personal data we collect, process, store or transmit. Our Privacy Policy and notices outline the principles guiding the collection, use and protection of personal data, including our approach to emerging technologies such as cloud and artificial intelligence.

These practices are embedded across the organisation, supporting the responsible and ethical use of data and AI in line with evolving regulatory and industry expectations.