Bank Negara Malaysia (BNM) has imposed a RM1 million administrative monetary penalty on Bank Kerjasama Rakyat Malaysia Berhad (Bank Rakyat) over cybersecurity and customer data protection breaches linked to a previous cyber incident. The penalty was issued on 20 January 2026, with the bank settling the fine six days later on 26 January.
According to the central bank, the breaches stemmed from an incident where an external threat actor gained unauthorised access to Bank Rakyat’s IT infrastructure. Investigations found that the lapse was caused by inadequate cybersecurity controls and weaknesses in incident response processes, which failed to meet regulatory expectations.

A Recap Of What Happened
The enforcement action is linked to a cybersecurity incident disclosed in September 2024, when Bank Rakyat acknowledged a possible data infringement involving customer information. At the time, the bank said it had contained the issue through proactive measures and notified affected customers, while advising them to remain vigilant against phishing attempts and suspicious activities.
Customers had earlier reported receiving SMS notifications warning of potential data-related issues, prompting concerns over possible unauthorised access. The bank subsequently reported the matter to relevant authorities and maintained that its operations remained unaffected.

Breaches Cybersecurity And Data Protection Policies
BNM said Bank Rakyat failed to comply with requirements under its Risk Management in Technology Policy Document (RMiT PD), which requires financial institutions to implement robust cybersecurity frameworks capable of detecting, preventing, and responding to threats. The bank was also found to have breached the Management of Customer Information and Permitted Disclosures Policy Document (MCIPD PD), which requires strict safeguards to protect customer data from misuse or unauthorised access.
The central bank noted that these shortcomings indicated a lack of sufficient controls to secure sensitive information. It also highlighted gaps in monitoring and response mechanisms during the incident.

Bank Rakyat Assures Remedies Are Already In Place
In a statement following BNM’s announcement, Bank Rakyat said it has since taken steps to strengthen its cybersecurity posture. These include enhancements to its IT infrastructure, monitoring capabilities, threat detection systems, and governance oversight, aimed at aligning with regulatory requirements and industry practices.
The bank stated that it remains committed to maintaining a secure and reliable banking environment. It added that improvements have also been made to its operational processes and internal controls.

Strict Enforcement Going Forward
BNM said the RM1 million penalty was determined after considering multiple factors, including the severity of the breaches and the bank’s failure to exercise reasonable care in complying with regulatory requirements. The central bank also took into account Bank Rakyat’s past compliance record, existing controls, and the effectiveness of remedial actions taken after the incident.
BNM emphasised that all financial institutions must comply with both the RMiT PD and MCIPD PD, warning that it will not hesitate to take supervisory or enforcement action against any entity that fails to meet regulatory standards. The central bank added that the action against Bank Rakyat aligns with its established enforcement approach to ensure accountability and strengthen cybersecurity resilience across the financial sector.
(Source: Bernama / Bank Rakyat [press release])

