
Administrative Monetary Penalty on BKRM for Cybersecurity and Customer Information Breaches

BNM Malaysia (www.bnm.gov.my)
Filed April 1st, 2026
Detected April 1st, 2026

Summary

Bank Negara Malaysia imposed a RM1,000,000 Administrative Monetary Penalty on Bank Kerjasama Rakyat Malaysia Berhad (BKRM) for failing to implement robust cybersecurity standards under the Risk Management in Technology Policy Document and inadequate safeguards for customer information under the Management of Customer Information and Permitted Disclosures Policy Document. The breaches followed a cybersecurity incident where an external threat actor gained unauthorized access to BKRM's IT infrastructure.

What changed

BNM imposed the RM1,000,000 penalty on BKRM pursuant to section 106A(3)(b)(i) of the Development Financial Institutions Act 2002. The enforcement action addresses failures to comply with the Risk Management in Technology Policy Document (RMiT PD) and the Management of Customer Information and Permitted Disclosures Policy Document (MCIPD PD), which were discovered following a cybersecurity incident involving unauthorized access by an external threat actor. BNM cited aggravating factors including BKRM's lack of reasonable care in ensuring compliance and considered mitigating factors such as remedial measures subsequently implemented.

All financial institutions under BNM's jurisdiction must strengthen their technology resilience and cyber incident management capabilities in compliance with RMiT PD requirements. Institutions must also deploy preventive and detective ICT controls to safeguard customer information as required under MCIPD PD. BNM has warned it will take appropriate supervisory and enforcement actions against any FI failing to meet legal and regulatory requirements.

What to do next

  1. Review and strengthen cybersecurity controls to ensure compliance with RMiT PD requirements
  2. Implement adequate ICT controls to protect customer information under MCIPD PD
  3. Integrate comprehensive cyber incident management into business continuity and recovery plans

Penalties

RM1,000,000 Administrative Monetary Penalty paid on 26 January 2026

Source document (simplified)

Imposition of Administrative Monetary Penalty on Bank Kerjasama Rakyat Malaysia Berhad for Cybersecurity and Customer Information Protection Breaches

Embargo : For immediate release
1 Apr 2026

On 20 January 2026, Bank Negara Malaysia (BNM) imposed an Administrative Monetary Penalty (AMP) [1] of RM1,000,000 on Bank Kerjasama Rakyat Malaysia Berhad (BKRM) for failure to:

  1. implement robust cybersecurity standards as required under the Risk Management in Technology Policy Document (RMiT PD); [2] and
  2. safeguard customer information through adequate controls as required under the Management of Customer Information and Permitted Disclosures Policy Document (MCIPD PD). [3]

BNM discovered that BKRM had breached several requirements under the RMiT PD and MCIPD PD following a cybersecurity incident in which an external threat actor gained unauthorised access to its IT infrastructure. These breaches were attributed to inadequate cybersecurity controls and incident response.

BKRM has taken remedial measures to strengthen its cybersecurity and information and communication technology (ICT) controls, resources and governance arrangements.

In deciding the AMP to be imposed, relevant aggravating and mitigating factors have been considered. These include the severity of the breaches and BKRM’s:

  1. lack of reasonable care in ensuring compliance with the RMiT PD and MCIPD PD requirements;
  2. current controls to ensure compliance with the requirements;
  3. past compliance record; and
  4. post-misconduct behaviour and the effectiveness of remedial actions to prevent the recurrence of non-compliances.

On 26 January 2026, BKRM paid RM1,000,000 for the AMP imposed by BNM.

BNM requires all financial institutions (FIs) to comply with the RMiT PD and MCIPD PD. BNM will not hesitate to take appropriate supervisory and enforcement actions should any FI fail to meet legal and/or regulatory requirements.

The enforcement action taken against BKRM is in line with the approach and processes outlined in BNM’s published Enforcement Approach.

RMiT PD requirements

Given the growing use of technology in financial services, it is essential that FIs strengthen their technology resilience against cyber threats and other operational disruptions, thereby maintaining customer confidence. To this end, the RMiT PD requires FIs to implement strong cybersecurity measures to detect, identify, protect from and respond to various cyber threats. In addition, FIs must also integrate comprehensive cyber incident management into their business continuity and recovery plans, including effective communication protocols for all stakeholders during incidents.

MCIPD PD requirements

With financial service providers (FSPs) [4] handling large volumes of customer information, it is important that FSPs establish robust processes and controls to protect such information against theft, loss, misuse, or unauthorised access, modification or disclosure, thereby maintaining public trust and confidence in the financial system. In this regard, the MCIPD PD requires FSPs, among others, to deploy preventive and detective ICT controls to safeguard customer information and promptly detect errors or irregularities. FSPs must also regularly monitor these controls and implement mechanisms to identify unauthorised access, suspicious viewing or downloading activities, and any unauthorised disclosure of customer information.

[1] BNM imposed the AMP pursuant to section 106A(3)(b)(i) of the Development Financial Institutions Act 2002 (DFIA).

[2] The requirements are set out under section 41(4)(a) of the DFIA read together with paragraphs 10.63(a), 11.4(a), 11.15(c), 11.18(f) and 11.22 of the RMiT PD. The RMiT PD was in effect from 1 June 2023, with the latest re-issuance taking effect on 28 November 2025. These requirements are preserved under paragraphs 10.18(a), 11.3(h), Appendix 5 (Part B, 2(c)), Appendix 5 (Part C, 2(f)) and paragraph 11.12 of the 2025 RMiT PD.

[3] The requirements are set out under section 41(4)(a) of the DFIA read together with paragraphs 10.12, 10.13 and 10.23 of the MCIPD PD. The MCIPD PD was in effect from 3 April 2023, with the latest re-issuance taking effect on 31 October 2025. These requirements are preserved under paragraphs 10.12, 10.13 and 10.23 of the 2025 MCIPD PD.

[4] The term “financial institution” is used in the RMiT PD, while the term “financial service provider” is used in the MCIPD PD. For the purpose of this public notice, BKRM is referred to as a “financial institution”.

Bank Negara Malaysia
1 April 2026

© Bank Negara Malaysia, 2026. All rights reserved.

Named provisions

  - Risk Management in Technology Policy Document (RMiT PD)
  - Management of Customer Information and Permitted Disclosures Policy Document (MCIPD PD)
  - Section 106A(3)(b)(i) DFIA 2002

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
BNM
Filed
April 1st, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive
Document ID
EAPN07/2026

Who this affects

Applies to
Banks
Industry sector
5221 Commercial Banking
Activity scope
Cybersecurity Standards; Customer Information Protection
Geographic scope
MY

Taxonomy

Primary area
Cybersecurity
Operational domain
Compliance
Compliance frameworks
NIST CSF
Topics
Data Privacy; Banking
