Financial Institution Cybersecurity Best Practices in Indonesia: New Regulations Unveiled
In an effort to enhance the security of financial data in Indonesia’s increasingly vulnerable financial sector, the Financial Services Authority (OJK) has introduced new cybersecurity rules specifically tailored for financial institutions in the country. The regulations, outlined in Circular Nomor 29/SEOJK.03/2022 (SEOJK 29), aim to address various aspects of cybersecurity, including risk management, risk assessments, incident response planning, employee capacity, and data protection.
Risk Assessment
According to Chapter 2 of the circular, financial institutions will be required to conduct an inherent risk assessment using at least four factors:
- Bank products
- Technology
- Cyber incident track record
- Organizational characteristics
The OJK will evaluate the inherent risk level using a 1-5 scale, with “1” indicating low risk and “5” indicating high risk.
Risk Management
Financial institutions must also implement effective risk management strategies, as outlined in Chapter 3 of the circular. This includes:
- Governance of risks related to cybersecurity
- Risk management framework
- Risk management processes
- Adequacy of human resources
- Adequacy of the risk management information system related to cybersecurity
Cyber Resilience Processes
The implementation of cyber resilience processes is another crucial aspect of the new regulations, as highlighted in Chapter 4. These processes include:
- Identification of assets, threats, and vulnerabilities
- Asset protection
- Cyber incident detection
- Cyber incident response and recovery
Annual Assessment
In addition, financial institutions are required to conduct an annual assessment of their cybersecurity maturity levels, using a 1-5 scale to evaluate their level of preparedness.
Reporting
Chapter 6 outlines the requirement for institutions to present an overall cybersecurity risk assessment to the OJK on an annual basis, based on the combined analysis of cybersecurity maturity levels and inherent cybersecurity risks.
The tests that companies must carry out before submitting the results to the OJK are described in Chapter 7. These include:
- Scenario-based cybersecurity testing
- Cybersecurity testing based on vulnerability analysis
Characteristics of Units or Functions Handling Cybersecurity
Chapter 8 discusses the characteristics of units or functions handling cybersecurity in an entity, which must be independent of the IT management function and have adequate capacity and resources to carry out their responsibilities.
Reporting Cybersecurity Incidents
Reporting cybersecurity incidents is another critical aspect of the new regulations, outlined in Chapter 9. Entities are required to report a cybersecurity incident to the OJK within 24 hours of the incident, followed by a more detailed report within five business days.
Conclusion
Indonesia’s financial institutions must take proactive measures to strengthen their cybersecurity practices in response to the growing threat of cyber attacks. The new regulations provide a much-needed framework for institutions to assess and enhance their cybersecurity infrastructure, ultimately protecting sensitive data and reducing exposure to cyber threats.