The Financial Services Authority ("OJK") of Indonesia has taken significant steps to boost the digital banking transformation in the country. In line with this goal, OJK Regulation No. 11/POJK.03/2022 on the Implementation of Information Technology by Commercial Banks was issued last year, addressing various aspects such as data, technology, risk management, collaboration, and institutional setting. As a follow-up to this regulation, Circular Letter No. 29/SEOJK.03/2022 on Cyber Security and Resilience for Commercial Banks ("Circular") has been introduced. The Circular emphasises the importance of cyber security and places the responsibility on banks to assess their cyber security risk annually, report their self-assessed ratings, and establish dedicated cyber security units.
Under the Circular, banks are required to conduct assessments of inherent risk and cyber security maturity to determine their cyber security risk level. The results of these assessments must be reported to OJK, along with regular cyber security testing. Additionally, banks must establish independent cyber security units to manage cyber security and coordinate cyber incident response teams. While some market players view the requirements under the Circular as reasonable for effective risk management, challenges may arise in implementing certain aspects, particularly those related to human resources for the cyber security units. The success of these regulations will depend on customer awareness and participation in preventing cyber security threats, and it remains to be seen if similar standards will be adopted by non-bank financial services and other industries in the future.