Financial Crime World

Indonesia Introduces New Cybersecurity Rules for Financial Sector

The Indonesian Financial Services Authority (OJK) has recently released a new circular, Nomor 29/SEOJK.03/2022 (SEOJK 29), dated December 27, 2022, outlining the implementation of Regulation Number 11/POJK.03/2022 concerning the Implementation of Information Technology by Banks.

Strengthening Cybersecurity in the Financial Sector

The OJK developed these rules to address the growing threat of cyber attacks in the financial sector and to strengthen the safety and security of business and customer data. The new rules aim to ensure that financial institutions in Indonesia assess, test, and strengthen their cybersecurity practices to prevent potential risks.

Key Areas Covered by the New Rules

The circular covers a range of areas, including:

  • Risk assessments
  • Risk management
  • Data protection
  • Incident response planning
  • Employee capacity

Financial institutions will need to implement these measures to ensure compliance with the new rules.

Inherent Risk Assessment and Risk Management

The OJK will assess inherent risk on at least four factors, including:

  • Technology
  • Bank products
  • Organizational characteristics
  • Cyber incident track record

Entities must submit a risk assessment report to the OJK on an annual basis.

Regulations for the implementation of risk management include:

  • Governance of risks related to cybersecurity
  • Risk management framework
  • Risk management processes
  • Risk control systems

Cyber Resilience Processes

The circular also outlines requirements for the implementation of cyber resilience processes, including:

  • Identification of assets, threats, and vulnerabilities
  • Asset protection
  • Cyber incident detection
  • Cyber incident response and recovery

Incentives to Strengthen Cybersecurity Practices

Financial institutions in Indonesia have clear incentives to strengthen their cybersecurity practices, considering the country’s recent high-profile cyber incidents. In 2021 alone, Indonesia recorded at least 1.6 billion cyberattacks.

Conclusion

The introduction of new cybersecurity rules offers guidance and structure for financial entities to institute and monitor their cybersecurity capacity. Financial institutions can undertake an assessment of their cybersecurity practices and vulnerabilities to ensure compliance and strengthen resilience against growing cyber threats.

By implementing these measures, Indonesia aims to address the growing threat of cyber attacks in the financial sector, ensuring the safety and security of business and customer data.