BNM said Bank Rakyat was found to have breached several requirements following a cybersecurity incident in which an external threat actor gained unauthorised access to its information technology infrastructure.

“These breaches were attributed to inadequate cybersecurity controls and incident response,” it said in a statement.

BNM said Bank Rakyat has since taken remedial measures to strengthen its cybersecurity, information and communications technology controls, resources, and governance arrangements.

The central bank said it considered both aggravating and mitigating factors in determining the penalty.

These included the severity of the breaches and Bank Rakyat’s lack of reasonable care in ensuring compliance with the cybersecurity and customer information standards; the adequacy of current controls; past compliance record; and post-misconduct behaviour, including the effectiveness of remedial actions taken to prevent recurrence of non-compliance.

Bank Rakyat paid the RM1 million penalty on Jan 26.

BNM said it will not hesitate to take appropriate supervisory and enforcement action against any financial institution which fails to meet legal and regulatory requirements.