New Cybersecurity Rules for Indonesia’s Financial Sector

Kamso Oguejiofor-Abugu Kamso Oguejiofor-Abugu Writer

The Financial Services Authority (OJK) has developed new cybersecurity rules for financial institutions in Indonesia. This marks the first time Indonesia has released cybersecurity rules that are specifically addressed to the country’s financial sector.

The OJK provided details about the rules in a circular known as Nomor 29/SEOJK.03/2022 (SEOJK 29). The rules address a number of topics, including risk management, risk assessments, incident response planning, employee capacity, and data protection with the goal of securing data in financial institutions and tackling the rise in cyber attacks in Indonesia’s financial sector. The vital parts of the cybersecurity rules are discussed below.

Inherent risk assessment

Chapter 2 of the circular discusses the criteria for measuring the inherent risk level in a company. Regulators will evaluate inherent risk using at least four factors, including bank products, technology, cyber incident track record, and organizational characteristics. They will also use a 1-5 scale to determine the level of inherent risks, where “1” is low risk and “5” is high risk. In addition, companies would need to submit a risk assessment report to the OJK annually.

Implementation of risk management

Chapter 3 of the circular outlines the regulations for the implementation of risk management, and they apply to four different areas of implementation:

  • Governance of risks related to cybersecurity.
  • Risk management framework related to cybersecurity.
  • Risk management processes, adequacy of human resources, and adequacy of the risk management information system related to cybersecurity.
  • Risk control systems related to cyber security.

Implementation of cyber resilience processes

The circular highlights the implementation of cyber resilience processes that businesses must execute in chapter 4. They include:

  • Identification of assets, threats, and vulnerabilities.
  • Asset protection.
  • Cyber incident detection.
  • Cyber incident response and recovery.

Cybersecurity maturity level assessment

Chapter 5 delineates requirements for banks to undertake an assessment of their cybersecurity maturity levels annually. Regulators use a 1-5 scale to evaluate cybersecurity maturity levels, where “1” is strong and “5” is unsatisfactory.

Cybersecurity risk level

Chapter 6 of the circular outlines a requirement for institutions to present an overall cybersecurity risk assessment to the OJK on an annual basis. This is based on the combined analysis of cybersecurity maturity levels and inherent cybersecurity risks.

Cybersecurity testing requirements

The tests that companies must carry out before submitting the results to the OJK are described in chapter 7. The two main types of tests are scenario-based cybersecurity testing and cybersecurity testing based on vulnerability analysis.

Units or functions handling cybersecurity

Chapter 8 discusses the characteristics of units or functions that handle cybersecurity in an entity. These units or functions must be independent of the IT management function, and they must have adequate capacity and resources to carry out their responsibilities.

Reporting cybersecurity incidents

The circular explains the requirements for reporting cybersecurity incidents and threats in Chapter 9. Entities are required to report a cybersecurity incident to the OJK within 24 hours of the incident. Afterwhich, the company must present a more detailed report within 5 business days of the incident.


Considering the incessant rise of cybersecurity threats in Indonesia, financial institutions have no choice but to assess and strengthen their cybersecurity practices. These new cybersecurity regulations offer the guidance and structure for institutions to carry out a successful assessment of their cybersecurity infrastructure, which will help prevent and fight against all sorts of cyber attacks.

About the Author

About the Author

Kamso Oguejiofor is a former Content Writer at SafetyDetectives. He has over 2 years of experience writing and editing topics about cybersecurity, network security, fintech, and information security. He has also worked as a freelance writer for tech, health, beauty, fitness, and gaming publications, and he has experience in SEO writing, product descriptions/reviews, and news stories. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.

Leave a Comment