Tabungan Rencana
We are committed to upholding the trust of our loyal customers by maintaining data security and privacy, managed through appropriate IT systems. This commitment is part of our efforts to respect human rights (HAM). Our privacy policy applies to all bank operations, including subsidiaries.
EXECUTIVE OVERSIGHT ON IT SECURITY
DATA PRIVACY & PROTECTION POLICY
CLIENT RIGHTS TO CONTROL DATA
AUDIT IT SECURITY
IT SECURITY CAPABILITY DEVELOPMENT
Monitoring of customer data privacy and security is carried out by the Board of Commissioners through the Risk Monitoring Committee (KPR) and by the Board of Directors through the Risk Management & Credit Policy Committee (RMPC). The Risk Monitoring Committee carries out active supervision, direction, monitoring and evaluation of cyber security and data privacy activities as part of the Sustainable Finance Action Plan, which is reported quarterly by the Board of Directors (represented by the Director of Risk Management and the Director of Finance). The topics covered include Data Management & Infrastructure, as well as IT Security Governance (including Awareness), Protection and Operation.
To strengthen cyber security in daily activities, Bank Mandiri has a CISO Division that manages IT security in its design, service and operational aspects. The CISO Division also periodically reviews the IT security of IT contractors as third parties, in accordance with the materiality and criticality of their collaboration with the Bank.
Bank Mandiri respects and understands that maintaining customer data privacy is part of human rights (HAM). Therefore, we protect customers' personal information through technological, process and administrative, organizational and physical security measures. We have also instituted a code of ethics/conduct and business ethics, including standards on how employees must protect confidential customer information.
Accordingly, when opening an account, customers fill in a customer consent form in accordance with applicable regulations. Customers may also withdraw their consent at any time. Furthermore, Bank Mandiri requires a Non-Disclosure Agreement (NDA) from third parties whenever a cooperation uses customer data, and only sends customer data in accordance with customer consent. The bank also ensures that campaign deliveries respect customer consent.
The governance of customer data management has been formalized in operational policies, namely the Standard Data Management Procedures and the Operational Technical Guidelines for the provision of internal and external data. Further information regarding the privacy policy and data security (including our subsidiaries) can be accessed through:
Mandiri Group is committed to building and realizing reliable cybersecurity defense by developing security requirement standards as a reference for each subsidiary, based on Bank Mandiri's Cybersecurity Framework. Based on these standards, each Subsidiary conducts a self-assessment and, with assistance from the CISO Division, prepares an action plan to close any compliance gaps. Furthermore, each Subsidiary's action plan is reported to Bank Mandiri's Management by the Subsidiary's Board of Directors to obtain feedback, so that reliable cybersecurity defense is realized across Mandiri Group.
In addition, to support the data harmonization process in the Subsidiaries, including data privacy and security, the Mandiri Subsidiary Management Principle Guideline (MSMPG) regulates provisions on data management that can be adopted and harmonized by the Subsidiaries. Issues and discussion topics related to data management, including data privacy and security, are reported and discussed at the board-level committee, namely the Data Steering Forum. The Data Steering Forum is held at least once a year and is attended by the Director of Risk Management, the Director of Compliance, the Director of Finance and Strategy, and the Director of IT.
To minimize misuse of customer data, Bank Mandiri has launched the Livin' Super App with liveness detection and face recognition features, so that customers can make financial transactions through mobile banking. With these features, customer data is stored directly in the system without going through a physical form. Livin' customers can change or rectify personal data, open savings accounts and credit cards, withdraw cash without a card, quick-pick favorite transactions, top up e-money instantly, and pay for online shopping. Furthermore, Bank Mandiri ensures customers' right to rectify and control their personal data through all branches or the call center at 14000.
As part of the internal control process, we conduct internal audits of IT Security to ensure that all operations comply with internal and regulatory requirements. The audit is carried out at least once a year.
The CISO Division has developed and implemented a Security Awareness Program to educate and train all employees, from the BoD and BoC through Managers, Staff and Clerks, and to raise employees' security awareness level. The Security Awareness Program covers thematic topics and uses various methods (e.g. Newsletter, Podcast, Poster, e-Learning).
Sample topics: data classification, how to handle data properly, how to transfer data securely, how to identify phishing email, etc. The Security Awareness Program also covers contractors and third parties as audiences. In addition, the CISO Division tests employees by conducting phishing email campaigns that give employees near-real phishing attack experience, so that they can identify and avoid phishing emails.
Bank Mandiri Human Resources Receiving Cyber-Security Training & Awareness, by Job Level
Position level | Target audience | Media program
---|---|---
Employee (banking staff up to Board of Directors and Board of Commissioners) | 100% | e-learning certification, newsletter, podcast, poster
Contractor (outsourcing) | 100% | Newsletter
As of June 2022, Bank Mandiri has an EDA (Enterprise Data Analytics) Division operated by more than 140 data scientists and data analysts, and a CISO Division with 87 employees responsible for managing cyber security threats. To follow internationally standardized processes, Bank Mandiri has also implemented and holds certifications in:
1. ISO 27001:2013: Security Operation Center, to manage cyber security threats in banking systems and cyber operations
2. ISO 9001:2015: Contact Center
3. ISO 9001:2015: Operation & Development of Data Center, Disaster Recovery Centre & IT Infrastructure
4. ISO 20000-1:2018: Service Management System of the IT Applications Support Group & IT Infrastructure
Bank Mandiri has a CSIRT (Computer Security Incident Response Team) capable of detecting and responding to cybersecurity incidents properly. To strengthen Bank Mandiri's cyber defense and contribute to national cyber defense, the Bank Mandiri CSIRT is registered with the National Cyber and Crypto Agency (BSSN – Badan Siber dan Sandi Negara).