Financial Crime World

Financial Institution Vulnerability Assessment: Indonesia’s New Cybersecurity Rules Aim to Boost Resilience Against Growing Threats

Indonesia has taken a significant step towards strengthening its financial sector’s cybersecurity posture by introducing new rules for banks, insurance companies, and other financial services providers. The Financial Services Authority (OJK) has issued Circular Number 29/SEOJK.03/2022, which outlines the implementation of Regulation Number 11/POJK.03/2022 concerning the Implementation of Information Technology by Banks.

New Rules for Financial Institutions

The new rules are designed to address the growing threat of cyber attacks in the financial sector and ensure the safety and security of business and customer data. Financial institutions will need to assess, test, and strengthen their cybersecurity practices to comply with the regulations.

Key Requirements

  • Inherent Risk Assessment: Financial institutions must submit an annual report assessing their inherent risk level based on factors such as technology, products, organizational characteristics, and cyber incident track record.
  • Risk Management Implementation: Entities must implement a risk management framework and processes to identify, assess, and mitigate risks related to cybersecurity.
  • Cyber Resilience Processes: Institutions must carry out regular assessments of assets, threats, and vulnerabilities, protect against cyber attacks, detect incidents, and respond to and recover from breaches.
  • Cybersecurity Maturity Level Assessment: Financial institutions must annually assess their cybersecurity maturity levels based on risk management implementation and cyber resilience processes.

Assessment and Testing

The OJK will use a 1-5 scale to assess inherent risks and cybersecurity maturity levels. Entities must also submit an annual report assessing overall cybersecurity risk and conduct regular tests, including:

  • Vulnerability Analysis: Regular assessments of assets, threats, and vulnerabilities
  • Scenario-Based Testing: Simulated testing of incident response plans

Cybersecurity Units

The circular regulates units or functions responsible for handling cybersecurity, requiring them to have adequate capacity and resources and be independent of IT management.

Why Cybersecurity is Important in Indonesia

The growing need for cybersecurity in Indonesia is evident, with the country recording at least 1.6 billion cyberattacks in 2021 alone. Notable cases such as the theft of SIM card data and threats against government officials highlight the importance of strengthening cybersecurity practices.

Conclusion

Financial institutions, fintech firms, and startups alike must take action to strengthen their cybersecurity capacity. Conducting a vulnerability assessment is crucial for identifying weaknesses and implementing measures to prevent cyber attacks. By doing so, entities can ensure compliance with the new regulations and meaningfully boost resilience against growing cyber threats.

About Dezan Shira & Associates

Dezan Shira & Associates assists foreign investors throughout Asia and maintains offices in Indonesia, Vietnam, Malaysia, the Philippines, Thailand, China, and India. Contact us at asean@dezshira.com or visit our website at www.dezshira.com for more information on doing business in Southeast Asia and beyond.