Bank Negara Malaysia (BNM) has imposed a RM1 million fine on Bank Kerjasama Rakyat Malaysia Bhd (Bank Rakyat) over inadequate cybersecurity controls and insufficient incident response measures that led to breaches of customer data. The fine was issued on 20 January 2026 and paid by the bank on 26 January 2026.

According to a statement on BNM’s website, the penalty followed a cyberattack that allowed unauthorised access to Bank Rakyat’s IT systems, highlighting lapses in the bank’s cybersecurity and consumer data protection protocols. In response, Bank Rakyat has implemented remedial actions to strengthen its cybersecurity infrastructure, ICT controls, governance arrangements, and resources.

BNM emphasised that all financial institutions must adhere to two key policy documents:
- Risk Management in Technology Policy Document – requires banks to maintain robust cybersecurity measures to detect, prevent, and respond to threats, with clear plans for incident management, recovery, and communication.
- Management of Customer Information Permitted Disclosures Policy Document – mandates strong safeguards to protect customer data against theft, misuse, or unauthorised access, with continuous monitoring for suspicious activity.

BNM warned that it will continue to take strict action against any financial institution that fails to comply with legal and regulatory requirements, reinforcing the importance of cybersecurity and data protection in Malaysia’s banking sector.


