Financial Crime World

Compliance Risks for Financial Institutions in Indonesia

Indonesia has recently introduced new cybersecurity rules specifically designed for the financial sector to address the growing threat of cyber attacks against financial institutions.

Background

The new regulations were developed by the Financial Services Authority (OJK) and are outlined in a circular titled Nomor 29/SEOJK.03/2022, dated December 27, 2022.

Key Areas Covered

The rules cover various areas, including:

  • Risk Assessments: Financial institutions must conduct an annual risk assessment and report it to the OJK, considering factors such as technology, bank products, organizational characteristics, and cyber incident track record.
  • Risk Management: Regulators require financial institutions to implement a risk management framework, including governance, risk management processes, and risk control systems related to cybersecurity.
  • Cyber Resilience Processes: Financial institutions must identify assets, threats, and vulnerabilities, protect assets, detect cyber incidents, and respond to and recover from such incidents.
  • Cybersecurity Maturity Level Assessment: Regulators require financial institutions to undertake an annual assessment of their cybersecurity maturity levels, based on the quality of risk management implementation and the quality of cyber resilience processes.

Compliance Requirements

Financial institutions in Indonesia must also:

  • Submit an annual assessment of overall cybersecurity risk to the OJK, based on inherent risk and cybersecurity maturity.
  • Conduct regular cybersecurity testing.
  • Report cybersecurity incidents within 24 hours.
  • Maintain units or functions responsible for handling cybersecurity with adequate capacity and resources.

Context and Incentives

Indonesia has been hit by a series of high-profile cyber incidents, including the theft of SIM card numbers and threats to sell correspondence between President Joko Widodo and his ministers. The country recorded at least 1.6 billion cyberattacks in 2021 alone. Financial institutions have clear incentives to strengthen their cybersecurity practices, particularly newer fintech firms and startups that may not have extensive cybersecurity infrastructure.

Conclusion

Financial entities should undertake an assessment of their cybersecurity practices and vulnerabilities. A successful assessment will not only ensure compliance but also meaningfully strengthen resilience against growing cyber threats.
