Critical Information
Your business accounts receive multiple layers of protection at CIBC Digital Business. Encryption guards data at every stage. Multi-factor authentication prevents unauthorized access. Automated monitoring watches for unusual activity around the clock. This page explains how each security layer works and what you can do to keep your accounts safe.
Encryption Standards Across All Channels
Every piece of data that moves between your device and CIBC Digital Business servers travels through TLS 1.3 encryption. This is the same protocol used by the world's largest financial institutions. Anyone who intercepts the traffic cannot read your login credentials, account numbers, or transaction details while they are in transit.
Data at rest receives AES-256 encryption. Account databases, transaction records, and client information files are encrypted on our servers. Even if someone gained physical access to our infrastructure, the data would be unreadable without the cryptographic keys, which are stored separately in hardware security modules.
Our mobile applications enforce certificate pinning. The app verifies that it is communicating with genuine CIBC Digital Business servers before transmitting any data. This blocks man-in-the-middle attacks where an attacker tries to impersonate our platform. The mobile banking experience carries the same security guarantees as the desktop portal.
Multi-Factor Authentication
Logging into your CIBC Digital Business account requires more than a password. Every sign-in triggers a second verification step. You receive a one-time code via SMS to your registered mobile number, or you can use an authenticator application for time-based codes. The system requires both factors before granting access. A stolen password alone gets an attacker nowhere.
Business accounts support hardware security keys. A physical USB or NFC device must be present to authorize high-value transactions. This creates a physical barrier that remote attackers cannot bypass. Even if someone compromises your password and intercepts your SMS codes, they cannot move money without the hardware key in their possession.
Role-based access control adds another dimension. You assign permissions to each user in your organization. A junior accountant can view transaction history but cannot initiate payments. A finance manager can approve transfers up to a set limit. The company director can access full reporting and override controls. No single user has unrestricted access, and every action is logged with a timestamp and user identity.
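The role model described above can be sketched as a deny-by-default check that writes an audit record for every decision, including denials. This is an added example, not CIBC Digital Business code; the role names, action names, the 50,000 approval limit and the `authorize` function are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed policy table: role -> granted actions and approval limit.
# The action names and the 50_000 limit are assumed values, not the platform's.
ROLES = {
    "junior_accountant": {"actions": {"view_history"}, "approve_limit": 0},
    "finance_manager": {"actions": {"view_history", "approve_transfer"},
                        "approve_limit": 50_000},
    "director": {"actions": {"view_history", "view_reports", "override_control"},
                 "approve_limit": 0},
}

def authorize(user, role, action, log, amount=0, now=None):
    """Return True if allowed; append an audit record either way."""
    policy = ROLES.get(role)
    if policy is None or action not in policy["actions"]:
        decision, reason = "deny", "action_not_granted"   # deny by default
    elif action == "approve_transfer" and amount > policy["approve_limit"]:
        decision, reason = "deny", "over_approval_limit"
    else:
        decision, reason = "allow", "granted"
    log.append({
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,            # individual identity, never a shared login
        "role": role,
        "action": action,
        "amount": amount,
        "decision": decision,
        "reason": reason,
    })
    return decision == "allow"

if __name__ == "__main__":
    audit = []
    authorize("j.doe", "junior_accountant", "view_history", audit)
    authorize("j.doe", "junior_accountant", "approve_transfer", audit, amount=100)
    authorize("m.lee", "finance_manager", "approve_transfer", audit, amount=75_000)
    for record in audit:
        print(record)
```

Logging denied attempts matters as much as logging approvals: a run of `over_approval_limit` or `action_not_granted` records for one user is a signal worth reviewing.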
24/7 Fraud Monitoring and Threat Detection
Automated systems watch every transaction that flows through CIBC Digital Business accounts. The monitoring engine builds a baseline of normal activity for each account: typical transaction amounts, regular counterparties, common login locations, and standard timing patterns. When something deviates from the baseline, the system responds.
A payment to a new recipient in an unfamiliar jurisdiction may trigger a verification call. A login attempt from a device never seen before prompts additional authentication steps. An unusually large transfer outside business hours generates an immediate alert to the account's registered contacts. These checks happen in real time, not in a nightly batch process.
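The three checks described above can be expressed as rules evaluated against a per-account baseline. This is an added example, not the platform's monitoring engine; the `Baseline` fields, the mean-plus-three-standard-deviations threshold, the 08:00 to 18:00 business hours and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass
class Baseline:
    amounts: list          # past transfer amounts for this account
    counterparties: set    # payees already paid
    jurisdictions: set     # jurisdictions already paid into
    devices: set           # device IDs seen at login
    open_hour: int = 8     # assumed business hours: 08:00-18:00
    close_hour: int = 18

    def amount_limit(self, k=3.0):
        # Assumption: "unusually large" = above mean + k standard deviations.
        return mean(self.amounts) + k * pstdev(self.amounts)

def evaluate(event, b):
    """Return (signal, response) pairs for one event checked against baseline b."""
    responses = []
    if event["type"] == "login":
        if event["device"] not in b.devices:
            responses.append(("new_device", "step_up_authentication"))
    elif event["type"] == "payment":
        if (event["payee"] not in b.counterparties
                and event["jurisdiction"] not in b.jurisdictions):
            responses.append(("new_payee_unfamiliar_jurisdiction", "verification_call"))
        off_hours = not (b.open_hour <= event["time"].hour < b.close_hour)
        if event["amount"] > b.amount_limit() and off_hours:
            responses.append(("large_transfer_off_hours", "alert_registered_contacts"))
    return responses

# Constructed sample baseline and events (not real account data).
BASELINE = Baseline(
    amounts=[1200, 950, 1100, 1300, 1050],
    counterparties={"ACME-SUPPLY", "PAYROLL-CO"},
    jurisdictions={"BB", "JM"},
    devices={"dev-laptop-01"},
)
EVENTS = [
    {"type": "login", "device": "dev-laptop-01"},
    {"type": "login", "device": "dev-unknown-77"},
    {"type": "payment", "payee": "NEW-VENDOR", "jurisdiction": "ZZ",
     "amount": 900, "time": datetime(2024, 3, 5, 11, 0)},
    {"type": "payment", "payee": "ACME-SUPPLY", "jurisdiction": "BB",
     "amount": 25000, "time": datetime(2024, 3, 6, 2, 30)},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["type"], evaluate(e, BASELINE))
```

Each event is scored as it arrives, which is what distinguishes this from a nightly batch job over the day's transactions.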
Our security operations team reviews flagged activity and can freeze affected accounts within minutes. The team follows protocols aligned with guidance from FinCEN on suspicious activity reporting. Where appropriate, incidents are escalated to relevant regulatory authorities in the affected jurisdiction.
Regulatory Compliance Framework
CIBC Digital Business operates under the anti-money laundering and counter-terrorist financing standards of the Caribbean Financial Action Task Force. Refer to the CFATF for the full regional framework. Each banking centre also complies with the regulations of its host jurisdiction's central bank and financial services authority.
Know Your Customer requirements apply to every business account. We verify company registration documents, beneficial ownership structures, and the identity of authorized signatories before opening an account. Enhanced due diligence applies to businesses in higher-risk sectors or those with complex ownership arrangements. Ongoing monitoring ensures that account activity remains consistent with the stated nature of each business.
Independent audits validate our security posture annually. External penetration testers attempt to breach our systems under controlled conditions. Compliance reviewers examine our policies, procedures, and records against regulatory requirements. The results of these assessments inform continuous improvements to our security framework.
Platform Security Features Comparison
Different CIBC Digital Business platforms offer different security capabilities. The table below compares the protections available across each access method.
| Security Feature | Web Portal | Mobile App | API Access |
|---|---|---|---|
| TLS 1.3 Encryption | Yes | Yes | Yes |
| Multi-Factor Authentication | SMS or Authenticator | SMS or Authenticator | API Key + IP Whitelist |
| Hardware Security Key Support | Yes (FIDO2) | Yes (NFC) | Client Certificate |
| Role-Based Access Control | Full | Full | Scoped Permissions |
| Session Timeout | 15 min idle | 5 min idle | Token Expiry 60 min |
| Login Attempt Lockout | 5 failed attempts | 5 failed attempts | Rate Limited |
| Audit Logging | All actions | All actions | All API calls |
| Certificate Pinning | N/A | Yes | Mutual TLS |
Customer Security Best Practices
Security is a shared responsibility. CIBC Digital Business provides the infrastructure. You control how it gets used within your organization. These practices reduce the risk of account compromise.
Use unique passwords. The password for your CIBC Digital Business account should not match any other service. A password manager makes this practical. Enable biometric authentication on mobile devices to add a layer that cannot be phished or guessed.
Review account activity weekly. The digital platform shows every login, every transaction, and every permission change. Spotting an anomaly early limits the damage. Set up transaction alerts so you receive notifications for activity above a threshold you define. Configure new payee notifications so you know immediately when someone adds a payment recipient.
Never share credentials. Each user in your organization needs their own login with appropriately scoped permissions. Sharing a single login between multiple people destroys the audit trail and makes it impossible to determine who performed a given action. It also means you cannot revoke one person's access without disrupting everyone else.
Keep contact information current. If our fraud monitoring system detects unusual activity, we need to reach you quickly. An outdated phone number or email address creates a dangerous delay. Update your registered contacts whenever someone leaves the organization or changes their phone number.