Security Centre

How CIBC Digital Business protects your accounts, transactions, and data with layered security controls.

Encryption Standards

CIBC Digital Business encrypts all data transmitted between your browser or mobile device and our servers using 256-bit TLS (Transport Layer Security). This is the same encryption standard used by major financial institutions globally and in military-grade security frameworks. Every login session, balance inquiry, payment instruction, and account statement request travels through an encrypted tunnel that renders intercepted data unreadable to third parties. On the server side, account databases employ AES-256 encryption at rest, meaning stored account information and transaction records remain protected even in the unlikely event of physical infrastructure compromise.

The encryption handshake occurs before any sensitive information leaves your device. Your browser verifies the digital certificate presented by the CIBC Digital Business server, confirming the authenticity of the endpoint. Certificate pinning in the mobile app adds a further verification layer that prevents man-in-the-middle attacks using fraudulent certificates. Session keys rotate at regular intervals during active banking sessions, limiting the exposure window of any single key.

Multi-Factor Authentication

Multi-factor authentication (MFA) stands between unauthorized access attempts and your business accounts. After entering your digital banking ID and password, the system requires a second verification factor: a one-time code sent via SMS to your registered mobile number, a push notification to the CIBC banking app on your enrolled device, or — for commercial banking clients with higher security requirements — a code generated by a hardware security token. This layered approach ensures that a stolen or guessed password, by itself, cannot grant entry to your accounts.

Administrators managing multi-user business profiles can enforce MFA policy across all authorized users, set session timeout intervals, restrict access to specific IP address ranges, and review authentication logs showing every login attempt — successful and failed — with timestamps, IP addresses, and device fingerprints. Dual-approval workflows add yet another barrier: one team member initiates a wire or ACH batch, and a second authorized user must approve the release before funds move. No single compromised credential can initiate and complete a significant funds transfer.

Fraud Monitoring and Anomaly Detection

CIBC Digital Business runs real-time fraud detection algorithms against every transaction passing through the platform. The system builds behavioural profiles for each business account — typical transaction sizes, common beneficiary accounts, regular payment schedules — and flags deviations from the established pattern. A wire transfer to a new international beneficiary that arrives outside normal business hours and exceeds the account's historical maximum by a factor of five, for example, would trigger an automated review. The transaction may be held pending verification while the system sends an alert to the account administrator's registered contact channels.

For commercial banking clients, additional monitoring layers include velocity checks that detect rapid sequences of payments to new recipients, geolocation analysis that compares login locations against travel patterns, and beneficiary screening against international sanctions and watchlists. The fraud operations team operates with coverage that spans all Canadian business hours plus extended monitoring for after-hours international payment corridors.
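The rule-based checks described in this section can be sketched as follows. This is an added illustration, not CIBC's code or the platform's actual rules; the class names, the 30-minute velocity window, the three-payee limit, and the hold policy are assumptions chosen for the example, and only the factor of five comes from the text above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Profile:
    """Behavioural baseline for one business account (hypothetical fields)."""
    historical_max: float
    known_beneficiaries: set
    home_country: str = "CA"
    business_hours: range = range(8, 18)   # local hours 08:00-17:59
    recent_new_payees: list = field(default_factory=list)  # timestamps

@dataclass
class Payment:
    amount: float
    beneficiary: str
    country: str
    when: datetime

# Assumed thresholds, for illustration only.
AMOUNT_FACTOR = 5                      # "exceeds historical maximum by 5x"
VELOCITY_LIMIT = 3                     # new payees allowed per window
VELOCITY_WINDOW = timedelta(minutes=30)

def evaluate(profile: Profile, p: Payment) -> tuple[str, list[str]]:
    """Return ("hold" | "allow", signals); updates the velocity history."""
    signals = []
    is_new = p.beneficiary not in profile.known_beneficiaries
    if is_new:
        signals.append("new_beneficiary")
        # Velocity: count payments to new recipients in a sliding window.
        profile.recent_new_payees = [t for t in profile.recent_new_payees
                                     if p.when - t <= VELOCITY_WINDOW]
        profile.recent_new_payees.append(p.when)
        if len(profile.recent_new_payees) >= VELOCITY_LIMIT:
            signals.append("velocity")
    if p.country != profile.home_country:
        signals.append("international")
    if p.when.hour not in profile.business_hours or p.when.weekday() >= 5:
        signals.append("after_hours")
    if p.amount > AMOUNT_FACTOR * profile.historical_max:
        signals.append("amount_spike")
    # Hold on velocity alone, or when a new beneficiary coincides with at
    # least two other deviations; a single deviation does not hold funds.
    hold = "velocity" in signals or (is_new and len(signals) >= 3)
    return ("hold" if hold else "allow", signals)
```

Requiring several deviations to coincide before holding a payment keeps routine events, such as a first payment to a new domestic supplier, from generating review alerts.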

Security Feature Comparison

CIBC Digital Business deploys security controls across five protection layers — the table below maps each feature to its function and availability.

Security Feature | Protection Layer | Description
256-bit TLS Encryption | Data-in-Transit | Encrypts all browser and mobile app communication with CIBC servers; prevents eavesdropping on login credentials, account data, and payment instructions.
Multi-Factor Authentication | Access Control | Requires password plus second factor (SMS code, app push, or hardware token) for every login; prevents access via stolen credentials alone.
Real-Time Fraud Monitoring | Transaction Security | Analyses payment patterns for anomalies; pauses suspicious transactions for verification before funds are released.
Device Recognition | Access Control | Creates unique fingerprint for each device used; triggers additional verification for logins from unrecognized devices.
Automatic Session Timeout | Session Security | Terminates inactive sessions after 10–15 minutes; requires full re-authentication to resume banking.
Audit Logging | Compliance & Oversight | Records every login attempt, transaction, permission change, and data export with immutable timestamped entries.
Dual-Approval Workflows | Transaction Security | Requires initiation by one user and approval by a second; prevents unauthorized transfers via single compromised account.
IP Whitelisting | Access Control | Restricts platform access to specified IP ranges; available for commercial banking clients with fixed office locations.

Device Recognition and Access Control

Every time you log into CIBC Digital Business, the platform builds a device fingerprint from browser characteristics, operating system details, screen resolution, installed fonts, and other attributes that collectively identify your specific device. This fingerprint is compared against previously registered devices on your account. A login from a new device — even with correct credentials and MFA — triggers additional identity verification steps such as answering a pre-set security question or confirming through a second registered contact channel. Business account administrators can review the list of registered devices and revoke access for any device they no longer recognize.

For commercial clients operating from fixed office locations, IP whitelisting adds a perimeter control: the platform will only accept authentication attempts from IP addresses within the approved range. Attempts from outside that range are blocked before reaching the password prompt. Combined with device recognition, this creates two parallel gatekeeping mechanisms that operate independently: where you are connecting from, and what device you are using.

Audit Logging and Compliance

CIBC Digital Business maintains immutable audit logs of every significant event within the platform: login attempts (successful and failed), transaction initiations and approvals, user permission changes, beneficiary additions, data exports, and session terminations. Each log entry carries a timestamp, user identifier, IP address, device fingerprint, and action description. These logs serve dual purposes — they are the primary data source for internal security investigations when anomalies are detected, and they provide the evidentiary trail required by external auditors, regulatory examiners, and your own internal compliance reviews.

Logs are retained in accordance with Canadian financial record-keeping requirements as specified by OSFI guidelines. Business account administrators can request export of their organization's audit logs through the support resources page, subject to identity verification and approval from a second authorized user. For additional information about Canadian data protection standards, visit the Office of the Privacy Commissioner of Canada.

After a thorough security review of the CIBC Digital Business platform, our audit committee was satisfied with the combination of MFA enforcement, dual-approval payment workflows, and the immutable audit trail. Those three controls together address every concern our external auditors raised last cycle.

— Laura Espinoza-Muñoz, Controller, Summit Industrial Supply, Edmonton

Essential Information for Decision Makers

CIBC Digital Business secures your accounts with 256-bit TLS encryption, multi-factor authentication, real-time fraud monitoring, device recognition, automatic session timeout, immutable audit logging, and dual-approval workflows. No single compromised credential can initiate and complete a funds transfer. Commercial clients may add IP whitelisting and hardware token authentication.

Visit the Financial Consumer Agency of Canada for additional information about consumer protection standards in Canadian banking.

Frequently Asked Questions About CIBC Digital Business Security

What encryption does CIBC Digital Business use?

CIBC Digital Business uses 256-bit TLS (Transport Layer Security) encryption for all data transmitted between your browser or mobile device and our servers. This is the same encryption standard used by major financial institutions globally. Server-side account databases also employ AES-256 encryption at rest, protecting stored information even in the event of infrastructure compromise. Session keys rotate at regular intervals during active banking sessions.

How does multi-factor authentication protect my business account?

Multi-factor authentication (MFA) requires two or more verification factors to access your account — typically your password plus a one-time code delivered via SMS, push notification through the CIBC mobile app, or a hardware security token. This layered approach means a stolen password alone cannot grant access. Administrators can enforce MFA across all users and restrict access to specific IP ranges.

Does CIBC monitor for fraudulent transactions?

Yes, CIBC Digital Business runs real-time fraud detection algorithms against every transaction. The system builds behavioural profiles per account — typical transaction sizes, common beneficiaries, regular payment schedules — and flags deviations. Suspicious transactions trigger automated alerts and may be paused pending verification through your registered contact channels.

What happens after a period of inactivity in online banking?

After 10 to 15 minutes of inactivity, the CIBC Digital Business platform automatically terminates your session. You must re-authenticate with credentials and multi-factor verification to resume banking. This prevents unauthorized access if you step away from your device without manually signing out.

How does CIBC recognize the devices I use?

Device-recognition technology creates a unique fingerprint for each browser or mobile device you use to log in. Logins from unrecognized devices trigger additional verification steps such as answering a security question or confirming through a registered phone number. Administrators can review and revoke registered devices at any time.