Indonesia recently released new cybersecurity rules for the financial sector, including banks, insurance companies, and other financial services providers. The new rules developed by the Financial Services Authority (OJK) are Indonesia’s first dedicated cybersecurity rules specifically for the financial sector.
The OJK explained the rules in a circular titled Nomor 29/SEOJK.03/2022 (SEOJK 29) dated December 27, 2022. The circular offers details on the implementation of Regulation Number 11/POJK.03/2022 concerning the Implementation of Information Technology by Banks.
The rules cover a range of areas, including risk assessments, risk management, data protection, incident response planning, and employee capacity. They aim to address the growing threat of cyber attacks in the financial sector and to ensure the safety and security of business and customer data, coming in the wake of escalating cyber attacks against financial institutions in Indonesia.
Financial institutions in Indonesia will need to assess, test, and, potentially, strengthen their cybersecurity practices in response to the new rules. The key points of the cybersecurity rules are highlighted below.
Inherent risk assessment
The circular describes the criteria for judging a company’s level of inherent risk in Chapter II. Inherent risk refers to the level of cybersecurity risk an entity faces without any mitigating controls in place.
Regulators will assess inherent risk on at least four factors. These include an institution’s technology, bank products, organizational characteristics, and cyber incident track record.
Entities should submit a risk assessment report to the OJK on an annual basis. The OJK will consider inherent risk relating to cybersecurity as a component of an entity’s broader inherent risk regarding IT.
The regulator’s determination of inherent risks will be done on a 1-5 scale for categorization, where one is low risk and five is high risk.
Implementation of risk management
Regulations for the implementation of risk management are delineated in Chapter III of the circular. Regulations apply to four different areas of implementation:
- Governance of risks related to cybersecurity (e.g. oversight of the Board of Directors);
- Risk management framework related to cybersecurity (e.g. risk management strategy);
- Risk management processes, adequacy of human resources, and adequacy of the risk management information system related to cybersecurity; and
- Risk control systems related to cyber security (e.g. internal controls).
The circular further notes that the implementation of risk management will adjust to the complexity of the entity’s business.
Implementation of cyber resilience processes
Chapter IV of the circular outlines the implementation of cyber resilience processes that entities must carry out. These are:
- Identification of assets, threats, and vulnerabilities;
- Asset protection;
- Cyber incident detection; and
- Cyber incident response and recovery.
The circular describes requirements for each of these areas, such as inventory and valuation of IT assets and regular cybersecurity tests.
Cybersecurity maturity level assessment
The circular describes requirements for banks to undertake an annual assessment of their cybersecurity maturity levels in Chapter V. The maturity level is mainly based on the quality of risk management implementation related to cyber security and the quality of the implementation of cyber resilience processes.
Regulators use a 1-5 scale to assess cybersecurity maturity, where one is strong and five is unsatisfactory. Entities are then placed on a 1-5 scale to rank their level of maturity.
Cybersecurity risk level
Chapter VI of the circular states a requirement for entities to submit an annual assessment of overall cybersecurity risk to the OJK. This is based on the combined review of inherent risk related to cybersecurity and the maturity level of cybersecurity.
Cybersecurity testing requirements
Chapter VII describes the tests that entities must conduct before reporting the results to the OJK. There are two main types of tests: cybersecurity testing based on vulnerability analysis and scenario-based cybersecurity testing. Entities can conduct these tests themselves or enlist a third party.
Units or functions handling cybersecurity
Chapter VIII regulates the features and capacity of units or functions responsible for handling cybersecurity. These are the units or functions responsible for carrying out much of the requirements of the circular, such as implementation and assessments. Such units or functions must have adequate capacity and resources to undertake their responsibilities and be independent of the IT management function, among other requirements.
Reporting cybersecurity incidents
Requirements for reporting cybersecurity incidents and threats are described in Chapter IX of the circular. It defines a cyber threat as efforts, activities, and/or actions that cause an entity’s electronic system to fail or stop functioning as it should.
Within 24 hours of a cybersecurity incident, the entity must report to the OJK. Entities must then submit a more detailed report within five business days of the incident.
Growing need for cybersecurity in Indonesia
Strengthening Indonesia’s cybersecurity laws has been a priority for policymakers in recent years. For example, in September 2022, Indonesia passed its first data protection law, which was inspired by the EU’s GDPR framework.
The attention on cybersecurity comes as Indonesia has been hit by a series of high-profile cyber incidents. In September 2022, a hacker using the name Bjorka stole the data of around 1.3 billion SIM card numbers. In another incident, a perpetrator threatened to sell the correspondence between President Joko Widodo and his ministers.
Cybersecurity incidents have not been limited to notable cases such as these. According to Indonesia’s National Cyber and Crypto Agency (BSSN), Indonesia recorded at least 1.6 billion cyberattacks in 2021 alone.
Considering these threats, Indonesian-based financial institutions have clear incentives to strengthen their cybersecurity practices. The introduction of new cybersecurity rules offers guidance and structure for such entities to institute and monitor their cybersecurity capacity. Such rules could be especially important for newer fintech firms and startups that do not have extensive cybersecurity infrastructure.
Accordingly, financial entities – and other businesses looking to strengthen their cybersecurity – would do well to undertake an assessment of their cybersecurity practices and vulnerabilities. These practices range from technical capabilities and risk measures to internal controls and company culture. A successful assessment, and the resulting actions, will not just ensure compliance but meaningfully strengthen resilience against growing cyber threats.
About Us
ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.