Bank Indonesia Issues Regulation on Cybersecurity: A New Hope?

From m-Banking to other electronic payment systems, our lives have been made easier by technological innovation in the financial sector – which, unfortunately, poses both an opportunity and threat to the world. In the wake of this rapid advancement, cyberattacks have continued to disrupt the financial system for days on end. As reported by CNBC Indonesia on 21 May 2024, cybersecurity firm Kaspersky announced that there have been more than 20 million cyber-attacks occurring in Indonesia just last year, ranging from phishing, insider threats, remote desktop protocol, and ransomware.

Cybersecurity threats, particularly in the financial sector, have become a significant issue in Indonesia. Only last year, Bank Syariah Indonesia, the country’s largest sharia bank, fell victim to a cyber-attack which results in its customer data leak. Given these risks, robust measures must be taken by all stakeholders to maintain the stability of the Indonesian financial sectors against cyber-attacks.

Last month, Bank Indonesia (“BI”), Indonesia’s central bank, introduced a new piece of regulation in line with one of its mandates from Law No. 23 of 1999 on Bank Indonesia to regulate and ensure the stability of the Indonesian payment system – particularly relating to cyber resilience (“Regulation 2/2024”). The new regulation is one of the realizations by BI of its efforts to dampen the ever-growing risk of cyberattacks against businesses in the highly digitized landscape of the contemporary financial sector.

Regulation 2/2024 mandates market players in the payment system, money market and foreign exchange market operator businesses to implement information system security and cyber resilience (Keamanan Sistem Informasi dan Ketahanan Siber - “Cyber Resilience”) within their business activities. Those named under the regulation are as follows (“Operator”):

1. Payment service providers (Penyedia Jasa Pembayaran);

2. Payment system infrastructure providers (Penyelenggara Infrastruktur Sistem Pembayaran);

3. Financial sector business actors engaging in money and/or foreign exchange markets (Pelaku Usaha Sektor Keuangan yang Bergerak di Pasar Uang dan/atau Pasar Valuta Asing);

4. Money market and foreign exchange supporting institutions;

5. Non-bank foreign exchange operators; and

6. Other parties that are regulated and supervised by BI, such as providers of trading and clearing facilities.

The new regulation seeks to enhance Operators’ Cyber Resilience to bolster oversight and collaboration to prevent and mitigate against cyber incidents, as well as to boost cyber risks management. It elaborates the key Cyber Resilience strategy, policy and culture that Operators need to implement in managing cyberattack risks, as set out below:

Furthermore, to prevent cyberattacks and incidents, Operators must also implement Cyber Resilience preemptive measures that are categorized into three steps: (i) preparation and update of cyber risk profiles by the Operator ; (ii) creation of a defense system and protection of data; and (iii) monitoring and analysis of cyberattacks or use of malicious/unauthorized code.

Moreover, to mitigate against cyberattacks or incidents, Operators must enact response and recovery measures which involves planning, simulation, and communication of cyber incident management and recovery as well as restoring services to normal conditions and improvement of the current system.

Lastly, Regulation 2/2024 also requires Operators to report annually to BI on their Cyber Resilience maturity level and identification of vital information structure (which shall be set out further in a BI’s Governor regulation), as well as mandatory reporting for every cyberattack incident. Failure to comply with these reporting obligations may result in administrative sanctions from BI in the form of warnings, administrative fines, suspension of all or part of the Operators’ operations, and/or revocation of license.

Throughout the digital era, businesses, especially financial institutions, have faced the challenge of cyberattacks. In today's environment, it is imperative for businesses to take proactive steps to safeguard against these threats. Regulation 2/2024 arrived at a critical juncture, as the financial sector remains a prime target for cyberattacks. We look forward to witnessing the positive advancements in the Indonesian financial sector's endeavors to combat cyberattacks following the implementation of this Regulation 2/2024.

By: Nicole Huang and Rizky Akbar Idris

DISCLAIMER:

This material is prepared for general information purposes only. It is not intended to give legal or any other professional advice, opinion or recommendation and, accordingly, it should not be relied upon. Specific legal advice should be sought before taking any action based on the contents in this material. Please contact us if you need any assistance regarding this matter.