New Cybersecurity Rules for Financial Institutions in Indonesia: Amplifying the Fight Against Surging Digital Threats
Indonesia’s Financial Services Authority (OJK) has introduced groundbreaking cybersecurity regulations, specifically targeting banks, insurance companies, and other financial services providers. Below are the key details of the regulations, which aim to bolster the industry’s defenses against escalating cyber attacks.
OJK’s New Cybersecurity Regulations: Enhancing Financial Institutions’ Defenses
In response to an increased number of cybersecurity breaches at Indonesian financial institutions, the OJK has prioritized enhancing the cyber resilience of the sector. These regulations, Indonesia’s first focused on cybersecurity for financial services, cover risk assessments, data protection, and incident response planning.
Circular SEOJK 29: The Backbone of the New Regulations
Circular SEOJK 29, detailed in this document, focuses on areas such as inherent risk assessment, risk management, incident response planning, and maturity level assessments.
Inherent Risk Assessment: Evaluating and Reporting Risk
The OJK evaluates a company’s inherent risk based on technology, bank products, organizational characteristics, and cyber incident track records. Entities are required to submit annual risk assessments with classifications ranging from low (1) to high risk (5).
- Annual submission of risk assessments
- Classification of risk levels
Risk Management: Guidelines for Effective Governance and Controls
Regulations on risk management include requirements related to governance, frameworks, processes, and internal controls. Implementation adjusts based on the complexity of each entity’s business.
Cyber Resilience Processes: Identifying and Protecting Assets
Entities must identify assets, threats, and vulnerabilities, with requirements for inventory and valuation of IT assets and regular cybersecurity tests.
- Asset identification and inventory
- Threat and vulnerability assessment
- Regular cybersecurity testing
Maturity Level Assessments: Evaluating the Quality of Risk Management and Cyber Resilience Processes
Banks are required to conduct annual assessments of their cybersecurity maturity level, with the quality of risk management and cyber resilience processes driving the evaluation.
Cybersecurity Risk Level: Assessing Overall Threat Levels
A combined review of inherent risk and cybersecurity maturity level determines the overall cybersecurity risk level for each entity, which must be reported to the OJK.
Cybersecurity Testing: Regular Testing and Reporting
Entities must conduct cybersecurity tests, which can be self-administered or outsourced to third parties, and submit the results annually to the OJK.
Cybersecurity Units: Adequate Capacity and Resources
Functional units responsible for cybersecurity must have adequate capacity and resources, operate independently, and focus on key tasks, like implementation and assessments.
Cybersecurity Incident Reporting: Immediate Action Requirement
Entities must report a cybersecurity incident to the OJK within 24 hours of the incident and provide a detailed report within five business days.
The Growing Importance of Cybersecurity in Indonesia
Indonesia’s government has taken significant steps to strengthen the country’s cybersecurity, as evidenced by the September 2022 passage of its data protection law. The country faced a record-breaking 1.6 billion cyberattacks in 2021. Some noteworthy breaches include those targeting SIM card data and government correspondence.
These regulations will not only benefit financial institutions but also other businesses as they evaluate and improve their cybersecurity practices and postures. In the face of increasingly sophisticated cybersecurity threats, the focus on comprehensive cybersecurity measures will be essential for ensuring the safety and security of customer data and protecting against attacks.
About Dezan Shira & Associates
Dezan Shira & Associates is a pan-Asian, multi-disciplinary consulting firm with local offices in Vietnam, Indonesia, Malaysia, the Philippines, Singapore, Thailand, and China. Our mission is to guide foreign businesses through regulatory hurdles and facilitate their entry and growth in Asian markets. We provide a comprehensive range of strategic advisory, legal, tax, and operational consulting services to help businesses succeed in Asia. Please visit our website at www.dezshira.com.