Indonesia Releases New Cybersecurity Rules for Financial Sector
The Indonesian Financial Services Authority (OJK) has issued new cybersecurity rules specifically designed for the financial sector, including banks, insurance companies, and other financial services providers. The regulations aim to address the growing threat of cyber attacks in the financial sector and ensure the safety and security of business and customer data.
Key Points of the Cybersecurity Rules
- Inherent Risk Assessment: Entities must submit an annual report on inherent risk relating to cybersecurity, which is assessed by regulators based on four factors: technology, bank products, organizational characteristics, and cyber incident track record.
- Implementation of Risk Management: Regulations apply to governance of risks related to cybersecurity, risk management framework, risk management processes, adequacy of human resources, and adequacy of the risk management information system related to cybersecurity.
- Implementation of Cyber Resilience Processes: Entities must carry out:
  - Identification of assets, threats, and vulnerabilities
  - Asset protection
  - Cyber incident detection
  - Cyber incident response and recovery
Additional Requirements
- Annual Assessment of Cybersecurity Maturity Levels: Banks must undertake an annual assessment of their cybersecurity maturity levels.
- Submission of Annual Assessment of Overall Cybersecurity Risk: Entities must submit an annual assessment of overall cybersecurity risk to the OJK.
- Regular Cybersecurity Testing and Reporting: Entities must conduct regular cybersecurity testing and report incidents within 24 hours.
Background
The need for strengthening Indonesia’s cybersecurity laws has been a priority for policymakers in recent years, particularly following high-profile cyber incidents such as the hacking of SIM card data and threats to sell correspondence between President Joko Widodo and his ministers. According to Indonesia’s National Cyber and Crypto Agency (BSSN), Indonesia recorded at least 1.6 billion cyberattacks in 2021 alone.
Conclusion
The introduction of new cybersecurity rules offers guidance and structure for financial entities to institute and monitor their cybersecurity capacity. Financial institutions would do well to undertake an assessment of their cybersecurity practices and vulnerabilities to ensure compliance and meaningfully strengthen resilience against growing cyber threats.
About ASEAN Briefing
ASEAN Briefing is a publication that provides in-depth analysis, research, and insights on doing business in ASEAN countries. For more information, please visit our website at www.dezshira.com or contact us at asean@dezshira.com.