Financial Crime World

Indonesia Introduces New Cybersecurity Rules for Financial Institutions

Indonesia has taken a significant step towards strengthening its financial sector’s defenses against cyber threats by releasing new cybersecurity rules for banks, insurance companies, and other financial services providers.

Background

The regulations were developed by the Financial Services Authority (OJK) to ensure the safety and security of business and customer data. The OJK introduced the new rules in a circular titled Nomor 29/SEOJK.03/2022, which outlines the implementation of Regulation Number 11/POJK.03/2022 concerning the Implementation of Information Technology by Banks.

Key Requirements

Under the new rules, financial institutions in Indonesia will be required to:

  • Assess their inherent risk levels
  • Implement robust risk management frameworks
  • Conduct regular cyber resilience processes
  • Submit annual reports on their cybersecurity maturity levels and overall cybersecurity risk

The OJK has outlined specific requirements for each of these areas, including:

  • Identification of assets, threats, and vulnerabilities
  • Asset protection
  • Cyber incident detection
  • Cyber incident response and recovery

Assessment and Compliance

The regulator will assess the effectiveness of financial institutions’ cybersecurity measures using a 1-5 scale, with one being strong and five being unsatisfactory. Financial entities, including fintech firms and startups, are advised to undertake an assessment of their cybersecurity practices and vulnerabilities to ensure they are adequately prepared to meet the new regulations.

Rationale

The introduction of these new rules comes as Indonesia has been hit by a series of high-profile cyber incidents in recent years. In September 2022, a hacker stole data associated with around 1.3 billion SIM card numbers, while in another incident a perpetrator threatened to sell correspondence between President Joko Widodo and his ministers.

Indonesia recorded at least 1.6 billion cyberattacks in 2021 alone, highlighting the growing need for strengthened cybersecurity measures in the country’s financial sector. The new rules offer guidance and structure for financial institutions to establish and monitor their cybersecurity capacity, which is essential for ensuring compliance and resilience against growing cyber threats.

By implementing these new regulations, Indonesia aims to reduce the risk of costly cyberattacks and ensure a safer and more secure financial system for its citizens and businesses.

Conclusion

The introduction of new cybersecurity rules for financial institutions in Indonesia marks an important step towards strengthening the country’s financial sector. Financial entities are advised to take immediate action to assess their cybersecurity practices and vulnerabilities, and to implement measures to ensure compliance with the new regulations. By doing so, they can strengthen their defenses and reduce the risk of costly cyberattacks.