Our Cybersecurity Programme

OUR APPROACH
By adopting a whole-of-organisation approach to managing cyber risks and data breaches, we remain committed to building robust cyber resilience and data protection controls. Key elements of our strategy include:
Review

Initiate proactive assessment and regular updates of our information security, digital (i.e. cyber and technology) and data protection risk framework, policies and standards. This ensures alignment with the constantly evolving landscape and growing regulatory requirements, with regular inspections conducted to verify compliance.
Transform

Strengthen our prevention, detection and response capabilities by implementing cutting-edge security tools and solutions. These advancements enhance our ability to collect and analyse security logs, significantly improving our capacity to identify and address potential anomalies. In recognition of our robust cybersecurity measures, the Bank has been awarded the Cyber Security Agency of Singapore Cyber Trust Mark since 2023.

Additionally, by achieving the Data Protection Trustmark and APEC Cross Border Privacy Rules Certification in 2024, we have transformed our data protection culture by embedding accountability and excellence in data protection across the Bank.

These achievements underscore our commitment to adopting industry-leading cybersecurity and data protection practices and measures.
React

Perform regular vulnerability assessments and penetration tests – both external and internal – on the Bank’s IT systems to identify and address security vulnerabilities. We also perform cyber-related tabletop exercises, adversarial attack simulations and disaster recovery drills to test and enhance the effectiveness of our processes and controls. Furthermore, our IT infrastructure and information security management systems undergo rigorous internal as well as external audits.

Develop

Foster a culture of cybersecurity and data protection awareness by engaging our employees through e-learning and the Cyber Smart Programme, a multi-year initiative integrated with the Group-wide Future Smart Programme. The Cyber Smart Programme aims to evaluate and enhance employees’ knowledge, skills and behaviours in managing risks associated with cybersecurity, data protection and social engineering.

Our approach is underpinned by a robust risk management framework, supported by policies and standards that integrate essential regulatory requirements and align with international industry guidelines. These cover critical areas such as risk management practices, information security, personal data protection and cyber resilience. To ensure their continued relevance and effectiveness, these policies and standards are reviewed regularly and approved by senior risk committees, including the Group Information Security and Digital Risk Management Committee and the Board Risk Management Committee.

Information Security and Digital Risk Policy

This Policy establishes the control expectations regarding organisational responsibilities and specific information security and digital risk domains, including technology and cyber risks. It aims to manage risks arising from internal and external threats to the Group’s information assets and personnel. These control expectations aim to ensure the confidentiality, integrity and availability of the Group’s information assets.

Acceptable Use Sub-Policy

This Policy defines the proper conduct and use of the Group’s information assets, including technology equipment, information, software services and communication services.

Information Classification and Handling Sub-Policy

This Policy establishes the control expectations for ownership, classification and handling of information to protect against unauthorised access and disclosure.

Technology Security Standards and Cryptographic Key Management Standards

These Standards define the baseline security requirements for any technology or system implemented, and the cryptographic algorithms and processes that are acceptable for adoption.

General Personal Data Protection Policy

This Policy institutionalises ten OCBC Data Protection Principles, which govern OCBC’s collection, use and disclosure of personal data. The OCBC Data Protection Principles (which include the Consent, Notification, Purpose Limitation, Protection, Retention Limitation, Access and Correction and Accountability Principles) are aligned with the requirements of the Data Protection Trustmark and APEC Cross Border Privacy Rules certifications, and local data protection laws. Designed to be jurisdiction-neutral, these principles establish a consistent baseline to facilitate trusted cross-border data transfers and oblige our business units to implement technical and organisational measures to protect personal data in their care.

Data Protection Policy

Our Data Protection Policy is publicly available and provides clear and transparent notice to individuals regarding the ways in which we collect, use and disclose their personal data. The policy makes it clear that we do not sell personal data, nor do we provide personal data to third parties except when it is legally acceptable or when we have the consent to do so. It provides a framework for the responsible collection, use, disclosure and retention of personal data while ensuring that individuals are notified of their rights to access, correct and withdraw consent to the further processing of their personal data.