Monitoring customer data privacy and security is carried out by Board of Commissioners through Risk Monitoring Committee (KPR) and the Board of Directors on Risk Management & Credit Policy Committee (RMPC). Risk Monitoring Committee conducts active supervision, direction, monitoring and evaluation process of cyber security & data privacy activities as the part of the Sustainable Finance Action Plan which is reported on a quarterly basis by the Board of Directors (represented by the Director of Risk Management & Director of Finance). The discussion topics will cover iData Management & Infrastructure and IT Security Governance (including Awareness), Protection & Operation.

In order to strengthening cyber security on daily activities, Bank Mandiri has established CISO Division that managed IT security in designs, services and operational aspects. CISO conducted periodic review related to IT Security included IT Contractor as third-party which cooperated with the Bank

Bank Mandiri sets priority on maintaining customer data privacy as part of human rights (HAM). We safeguard customers’ personal information through technological, process & administrative, organizational and physical security steps. We develop code of ethics/business conduct including standards on how employees must protect customer confidential information.

Therefore, since customers open an account in Bank Mandiri Group, customers require to fill and check customers’ consent according to the applicable regulations. Customers are also allowed to withdraw consumer’s consent at any time. Furthermore, Bank Mandiri requires Non-Disclosure Agreement (NDA) for third party if there is cooperation that uses customer data, and only sends customer data according to customer’s consent. The bank also ensures that delivery of campaign covering customer’s consent.

The governance of customer data management has been formed in operational policies, namely Standard Data Management Procedures and Operational Technical Guidelines for the provision of internal and external data. Further information regarding the privacy policy and data security (including our subsidiaries) can be accessed through:

Mandiri Group are committed to building and updating reliable cybersecurity defense trough developing security requirement standards as a reference for each subsidiary based on Bank Mandiri’s Cybersecurity Framework. Each Subsidiary will conduct self-assessment and prepare an action plan for compliance if there are any gaps with assistance by CISO Division. Furthermore, the action plan of each subsidiary is reported to Bank Mandiri’s Management by Board of Directors of Subsidiaries to getting feedback to adapting the cybersecurity defense in Mandiri Group.

In addition, in order to perform the data harmonization process in the Subsidiaries, including data privacy and security, Mandiri Subsidiary Management Principle Guideline (MSMPG) has regulated provisions on data management that can be adopted and harmonized by the Subsidiaries. Issues and discussion topics related to data management, including data privacy and security, are reported and discussed at the board-level committee, namely the Data Steering Forum. The Data Steering Forum is held at least once a year attended by the Director of Risk Management, Director of Compliance, Director of Finance and Strategy, and Director of IT.

In order to minimize the misuse of customer data, Bank Mandiri has launched Livin’ Supper Apps with liveness detection and face recognition features so the customer can make financial transactions through mobile banking. With this feature, customer data is directly stored in the system without going through a physical form. Livin' customers can change/ rectify their personal data, open savings accounts & apply credit cards, withdraw cash without a card, quick pick favorite transactions, instant e-money top up, and online shopping payments. Furthermore, Bank Mandiri ensure customer rights to rectification and control the personal data can be done in all branches or via call center 14000.

As part of the internal control process, we have internal audit IT Security to ensuring that all operations comply with internal and regulatory requirements. The audit is carried out at least once a year. Bank Mandiri also has external independent audits on IT Security in place. This initiative has been formed on our SFAP (Sustainability Financial Account Plan) 2023 – 2027 which was approved by the Board of Commissioner and Board of Director, with coverage of audit such as: IT Security, with scoping audit: Governance & Risk Management, Operations and Infrastructure, Business Continuity Plan and Disaster Recovery Plan, Customer Protection, Information Security and Privacy Data Security, Fraud Management & Management of Goods or Service Providers

CISO division has developed and implemented Security Awareness Program to educate and train all employees from BoD & BoC, Manager, Staff, Clerk to increase employees’ security awareness level. Security Awareness Program has thematic topics and using various platforms (e.g. Newsletter, Podcast, Poster, e-Learning).

Sample of topics: Data classification, how to handle data properly, How to transfer data securely, How to identify phishing email, etc. This Security Awareness Program also covers contractors and third party as audiences. In addition, CISO division also test the employees by conduction phishing email campaign to equip employees with near-real phishing attack experience, so they can identify and avoid phishing email.

Bank Mandiri Human Resources Which Receiving Cyber-Security Training & Awareness Based On Job Level

POSITION LEVEL	Completion	Media program
Employee ( Banking Staff up to Board of Directors and Board if Commisioners)	100%	e-learning certification, Newsletter, podcast, poster
Contractor (Outsourcing)	100%	Newsletter

As of June 2022, Bank Mandiri has EDA (Enterprise Data Analytics) Division which is operated by more 140 data scientist and data analytics and also has CISO Division with 87 employees that is responsible for manage cyber security threats. In order to have international standardized process, Bank Mandiri also implemented and has certification in:

Bank Mandiri has CSIRT (Computer Security Incident Response Team) that capable to detect and response cybersecurity incident properly. To strengthen Bank Mandiri cyber defense and contribute to national cyber defense, Bank Mandiri CSIRT registered to National Cyber and Crypto Agency (BSSN – Badan Siber dan Sandi Negara).