Banks in Indonesia Face Tougher Cyber Security Requirements
OJK Issues Circular to Enhance Bank Soundness and Customer Data Safety
JAKARTA, INDONESIA - JUNE 20, 2023
The Indonesian Financial Services Authority (OJK) has issued a circular requiring banks to improve their cyber security measures, effective immediately. The new regulations aim to enhance the overall soundness of banks and ensure the safety of customer data.
Key Requirements for Banks
- Conduct self-assessed risk level reporting, which will be reviewed by OJK
- Report any discrepancies between the actual condition and the stated risk level
- Implement specific action plans to address relevant issues if necessary
- Conduct regular cyber security testing, including:
  - Vulnerability analysis
  - Scenario-based testing
  - Proactive measures
- Include test results in a “Report on the Current Condition of the Bank’s IT System Implementation” and submit it to OJK
- Establish an independent cyber security unit or function, separate from the bank’s IT management unit or function
- Report any cyber incidents to OJK within 24 hours of becoming aware of the incident, with a detailed report submitted within five days
Industry Expert Response
Industry experts have welcomed the new regulations, citing the growing threat of cyber-attacks and data breaches in the banking sector. “This circular sets a high standard for banks to prioritize their cyber security efforts,” said Regina Damaris, a cybersecurity expert who contributed to the alert.
Implementation Concerns
However, some market players have expressed concerns about the implementation of certain requirements, such as the need for human resources to support the cyber security unit.
Model for Other Industries and Sectors
The OJK’s initiative is seen as a model for other industries and sectors to follow in improving their own cyber security efforts. As the circular takes effect, banks must prioritize their cyber security measures to ensure the safety of customer data and maintain confidence in the financial system.
Timeline
- June 20, 2023: OJK issues circular requiring banks to improve cyber security measures
- Ongoing: Banks required to conduct self-assessed risk level reporting and submit reports to OJK
- Ongoing: Banks required to conduct regular cyber security testing and establish an independent cyber security unit or function
- Within 24 hours of becoming aware of a cyber incident: Banks must report the incident to OJK
- Within five days of a cyber incident: Banks must submit a detailed report to OJK