The Financial Services Authority (OJK) has developed new cybersecurity rules for financial institutions in Indonesia. This marks the first time Indonesia has released cybersecurity rules that are specifically addressed to the country’s financial sector.
The OJK provided details about the rules in a circular known as Nomor 29/SEOJK.03/2022 (SEOJK 29). The rules address a number of topics, including risk management, risk assessments, incident response planning, employee capacity, and data protection with the goal of securing data in financial institutions and tackling the rise in cyber attacks in Indonesia’s financial sector. The vital parts of the cybersecurity rules are discussed below.
Inherent risk assessment
Chapter 2 of the circular discusses the criteria for measuring the inherent risk level in a company. Regulators will evaluate inherent risk using at least four factors, including bank products, technology, cyber incident track record, and organizational characteristics. They will also use a 1-5 scale to determine the level of inherent risk, where “1” is low risk and “5” is high risk. In addition, companies must submit a risk assessment report to the OJK annually.
Implementation of risk management
Chapter 3 of the circular outlines the regulations for the implementation of risk management, and they apply to four different areas of implementation:
- Governance of risks related to cybersecurity.
- Risk management framework related to cybersecurity.
- Risk management processes, adequacy of human resources, and adequacy of the risk management information system related to cybersecurity.
- Risk control systems related to cybersecurity.
Implementation of cyber resilience processes
Chapter 4 of the circular sets out the cyber resilience processes that businesses must implement. They include:
- Identification of assets, threats, and vulnerabilities.
- Asset protection.
- Cyber incident detection.
- Cyber incident response and recovery.
Cybersecurity maturity level assessment
Chapter 5 delineates requirements for banks to undertake an assessment of their cybersecurity maturity levels annually. Regulators use a 1-5 scale to evaluate cybersecurity maturity levels, where “1” is strong and “5” is unsatisfactory.
Cybersecurity risk level
Chapter 6 of the circular outlines a requirement for institutions to present an overall cybersecurity risk assessment to the OJK on an annual basis. This is based on the combined analysis of cybersecurity maturity levels and inherent cybersecurity risks.
Cybersecurity testing requirements
The tests that companies must carry out before submitting the results to the OJK are described in chapter 7. The two main types of tests are scenario-based cybersecurity testing and cybersecurity testing based on vulnerability analysis.
Units or functions handling cybersecurity
Chapter 8 discusses the characteristics of units or functions that handle cybersecurity in an entity. These units or functions must be independent of the IT management function, and they must have adequate capacity and resources to carry out their responsibilities.
Reporting cybersecurity incidents
The circular explains the requirements for reporting cybersecurity incidents and threats in Chapter 9. Entities are required to report a cybersecurity incident to the OJK within 24 hours of the incident. After which, the company must present a more detailed report within 5 business days of the incident.
Considering the incessant rise of cybersecurity threats in Indonesia, financial institutions have no choice but to assess and strengthen their cybersecurity practices. These new cybersecurity regulations offer the guidance and structure for institutions to carry out a thorough assessment of their cybersecurity infrastructure, which will help them prevent and defend against a wide range of cyber attacks.