Why Indonesian banks are under more scrutiny than ever
In May 2023, Bank Syariah Indonesia (BSI), one of the largest Islamic banks in the country, suffered a ransomware attack that took ATM networks and mobile banking offline for several days. Millions of customers couldn't access their accounts. LockBit later claimed responsibility, demanded USD 20 million in ransom, and after negotiations failed, published 1.5 terabytes of stolen customer and employee data on the dark web.[1]
OJK was watching. Within weeks, regulators had issued additional guidance on incident reporting timelines and started tightening supervisory expectations around IT risk management. The message to Indonesia's banking sector was clear: cybersecurity compliance is no longer optional, and failure has both operational and regulatory consequences.
This guide covers what OJK actually requires of banks and financial institutions today. Not the theoretical framework, but the specific controls, timelines, and governance structures you need to have in place.
The regulatory landscape
OJK's cybersecurity requirements for banks are spread across several regulations. The two most important ones:
POJK No. 11/POJK.03/2022: risk management for commercial banks
This regulation updated and consolidated earlier risk management rules, formally adding cyber risk as one of eight risk types banks must manage. Core obligations:
- A board-level risk committee with oversight of IT and cyber risk
- Annual IT risk assessment using an OJK-approved framework
- Business Continuity Plans (BCP) with defined Recovery Time Objectives (RTO)
- Reporting significant IT incidents to OJK within 1x24 hours of detection
SEOJK No. 29/SEOJK.03/2022: IT risk management guidance
This circular letter has the most detailed technical requirements. It sets controls across five domains: governance, asset management, access control, incident management, and third-party risk. The framework maps to ISO 27001 and NIST CSF with Indonesia-specific additions layered on top.
Supporting regulations
- POJK No. 38/POJK.03/2016: the foundational IT risk management regulation for commercial banks, still referenced in audits
- PBI No. 9/15/PBI/2007 and subsequent Bank Indonesia regulations governing payment system security
- PP No. 71/2019 (BSSN): national cybersecurity strategy framework aligned with OJK requirements
What OJK actually requires: seven areas
1. IT governance and board accountability
OJK requires board-level ownership of IT and cyber risk. You cannot delegate this entirely to the IT team.
- The Board of Commissioners must receive IT risk reports at least quarterly
- The Board of Directors must approve the IT Security Policy and any significant changes
- A dedicated IT Steering Committee must exist with at least one Director as a member
- The IT risk function must be organizationally separate from IT operations (the four-eyes principle)
In practice, your CISO needs a direct reporting line to a Director, and board minutes need to show real discussion of IT risk, not just a sign-off on an annual report.
2. Asset inventory and classification
You cannot protect what you cannot see. OJK requires banks to maintain a complete, current inventory of all IT assets, classified by criticality.
- A documented asset register covering hardware, software, data, and network components
- A data classification policy with at least three tiers (public, internal, confidential)
- Customer data classified as confidential and subject to access controls
- The asset register reviewed at least annually and updated when significant changes occur
Without classification, you cannot risk-rate an asset. Everything else in your risk assessment depends on this.
3. Access control and privileged account management
Most bank breaches start with compromised credentials. OJK's access control requirements are specific:
- Least privilege must be applied: users and systems get only the access they need
- Privileged accounts (admin, root, service accounts) must be inventoried, reviewed quarterly, and subject to enhanced monitoring
- MFA is required for remote access and for any system that processes or stores customer data
- Shared accounts are prohibited on critical systems
- Access rights must be reviewed when staff change roles or leave the organization
OJK examiners specifically look at how quickly terminated employees are removed from systems. A 24-hour SLA is the expectation.
4. Security monitoring and incident response
This is where many Indonesian banks fall short. OJK requires continuous monitoring of IT systems, not just perimeter firewalls.
For monitoring, you need:
- Log collection from critical systems (network, servers, applications, databases)
- Log retention for a minimum of 5 years (3 years online, 2 years archived)
- Anomaly detection for suspicious access patterns and data exfiltration
For incident response:
- A documented Incident Response Plan (IRP) tested at least annually
- An incident classification framework with defined escalation thresholds
- Critical incidents reported to OJK within 1x24 hours
- Significant incidents (affecting operations but not critical) reported within 3x24 hours
- Post-incident reports submitted within 14 calendar days of resolution
OJK considers any incident affecting customer-facing systems, involving data exfiltration, or triggering BCP activation to be critical.
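As an added illustration (not part of the original article and not OJK's own tooling), the classification rule and the three reporting windows above expressed as a small checker that an incident manager could run against a ticket export; the "minor" label, the assumption that minor incidents carry no OJK reporting window, and every incident record in it are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
# Reporting windows as the text states them: 1x24 h (critical), 3x24 h (significant), 14 days post-incident.
WINDOW = {"critical": timedelta(hours=24), "significant": timedelta(hours=72)}
POST_INCIDENT_WINDOW = timedelta(days=14)

@dataclass
class Incident:
    ident: str
    detected_at: datetime
    customer_facing: bool = False     # a customer-facing system was affected
    data_exfiltration: bool = False   # data left the bank
    bcp_activated: bool = False       # BCP/DR was invoked
    affects_operations: bool = False  # operational impact without any of the above
    reported_at: datetime | None = None
    resolved_at: datetime | None = None
    post_report_at: datetime | None = None

def classify(inc: Incident) -> str:
    """Critical per the three criteria in the text; 'minor' is an assumed label for everything else."""
    if inc.customer_facing or inc.data_exfiltration or inc.bcp_activated:
        return "critical"
    return "significant" if inc.affects_operations else "minor"

def _status(done_at: datetime | None, deadline: datetime, now: datetime) -> str:
    if done_at is not None:
        return "on time" if done_at <= deadline else "late"
    return "overdue" if now > deadline else "pending"

def check(inc: Incident, now: datetime) -> dict:  # status of each OJK reporting obligation, evaluated at `now`
    level = classify(inc)
    if level not in WINDOW:  # assumption: no stated OJK window for minor incidents
        return {"class": level, "initial_report": "not required", "post_incident_report": "not required"}
    out = {"class": level, "initial_report": _status(inc.reported_at, inc.detected_at + WINDOW[level], now)}
    if inc.resolved_at is None:
        out["post_incident_report"] = "not yet due (unresolved)"
    else:
        out["post_incident_report"] = _status(inc.post_report_at, inc.resolved_at + POST_INCIDENT_WINDOW, now)
    return out

def sample_findings() -> dict:
    now = datetime(2023, 6, 1)  # evaluation time; the incidents below are constructed, not real events
    incidents = [
        Incident("INC-1", datetime(2023, 5, 8, 6), customer_facing=True,  # ATM/mobile outage, reported 27 h after detection
                 reported_at=datetime(2023, 5, 9, 9), resolved_at=datetime(2023, 5, 11)),
        Incident("INC-2", datetime(2023, 5, 10, 10), affects_operations=True, reported_at=datetime(2023, 5, 12, 8)),  # 46 h
        Incident("INC-3", datetime(2023, 5, 20, 12)),  # no impact: not reportable
    ]
    return {inc.ident: check(inc, now) for inc in incidents}
```

INC-1 shows the failure mode examiners ask about: the initial report landed three hours past the 1x24 window and the post-incident report is overdue, while INC-2 is on time with its post-incident clock not yet started.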
5. Penetration testing and vulnerability management
OJK requires formal testing of your defences, not just scanning.
- Annual penetration testing of internet-facing systems, conducted by a qualified third party
- Quarterly vulnerability assessments of critical internal systems
- Findings documented with risk ratings and remediation timelines
- Critical and high vulnerabilities remediated within 30 days of discovery
- Penetration test results presented to the Board Risk Committee
Banks applying for or renewing SWIFT connectivity face additional testing requirements under SWIFT's Customer Security Programme (CSP), which OJK aligns with.
6. Business continuity and disaster recovery
OJK requires banks to show they can survive a major IT failure, not just claim it on paper.
- A documented BCP covering all critical IT systems
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined per critical system
- Core banking systems typically require RTO of 4 hours or less and RPO of 1 hour or less
- A full DR test (failover to backup site) at least once per year
- Tabletop exercises at least twice per year
- BCP must cover ransomware scenarios, not just hardware failure
DR test results must be documented and gaps remediated within a defined timeline.
7. Third-party and cloud risk management
As Indonesian banks increase their use of cloud services and fintech partnerships, third-party requirements have become harder to ignore.
- A documented TPRM policy
- Security assessment of all third parties that access bank systems or process customer data, completed before onboarding
- Annual reassessment of critical third parties
- Contractual security clauses covering audit rights, incident notification, and data handling obligations
- OJK notification required before deploying core systems to the cloud
- Cloud providers must meet Indonesian data residency requirements
Penalties for non-compliance
OJK has real enforcement power and is using it.
| Violation | Potential consequence |
|---|---|
| Failure to report a critical incident within 1x24 hours | Written warning, then administrative sanction |
| Significant IT weaknesses found during examination | Mandatory remediation plan with OJK oversight |
| Repeated or severe non-compliance | Fines, business activity restrictions, licence conditions |
| Board failure to demonstrate adequate oversight | Personal liability for Directors and Commissioners |
After the BSI incident, OJK publicly stated it would increase the frequency and technical depth of IT examinations for systemically important banks. Mid-tier banks have seen more IT-focused examination questions in recent supervisory cycles too.
Building a compliant security program: a practical roadmap
Phase 1: gap assessment (months 1-2)
Before you can close gaps, you need to find them. Map your current controls against SEOJK No. 29:
- Is your asset inventory complete and classified?
- Do you have documented policies for access control, incident response, BCP, and third-party risk?
- Are penetration tests being conducted and tracked to remediation?
- Are logs being collected, retained, and monitored?
Phase 2: governance foundation (months 2-4)
If your board is not actively engaged with IT risk, that is the first gap to close.
- Establish or formalise the IT Steering Committee with Director-level membership
- Get the IT Security Policy board-approved and on an annual review cycle
- Implement quarterly IT risk reporting to the Board Risk Committee
- Hire or designate a CISO with a clear mandate and escalation path
Phase 3: technical controls (months 3-9)
Priority order:
- MFA on remote access and critical systems: highest risk reduction per effort
- Privileged access management: inventory and monitor all admin accounts
- Log management and SIEM: you cannot detect or report incidents without visibility
- Vulnerability management: establish a scan-track-remediate cycle
- Endpoint detection and response (EDR): important for catching ransomware early
Phase 4: testing and documentation (ongoing)
Compliance is not a one-time project:
- Annual penetration tests budgeted and scheduled
- Quarterly vulnerability scans with documented findings
- Annual DR test with board presentation
- Tabletop exercises covering ransomware and data breach scenarios
How managed security services can help
Most Indonesian banks, particularly regional banks (BPD) and mid-tier commercial banks, don't have the headcount to run continuous security monitoring in-house. That's not a criticism; it's just the reality of the sector.
A qualified MSSP can:
- Provide 24/7 SOC coverage for log monitoring and incident detection, meeting OJK's monitoring requirements
- Conduct or coordinate annual penetration tests with documentation in the format OJK examiners expect
- Help draft and maintain policy documents (IRP, BCP, TPRM policy) aligned to SEOJK No. 29
- Generate board-ready reports showing control status against OJK requirements
The question is finding a partner who actually understands Indonesian regulatory expectations. An MSSP that simply maps international frameworks to OJK requirements and hopes the mapping holds up under examination is a risk, not an asset.
What examiners actually look for
In OJK IT examinations, the same questions come up repeatedly:
- Show me your asset register. They want to see it is current, classified, and has a named owner.
- Walk me through your last incident. They want a timeline, escalation evidence, and the post-incident report.
- When was your last DR test? What failed? They want honest documentation, not a clean report.
- Show me access reviews for your core banking system. Who has admin access, when was it last reviewed?
- What happened with your last pen test findings? Critical vulnerabilities open for more than 30 days are a red flag.
If you cannot answer these questions quickly and with documentation, you have a compliance gap, regardless of what your policies say.
Next steps
If you are not sure where your bank stands, start with a structured IT risk gap assessment against SEOJK No. 29/SEOJK.03/2022. That gives you a prioritised remediation roadmap you can take to your board and, if needed, to OJK supervisors.
Alpha Code Technologies works with Indonesian banks to assess, build, and operate security programs that meet OJK requirements. To discuss your bank's current posture, contact our team.
References
1. LockBit Leaks 1.5TB of Data Stolen From Indonesia's BSI Bank, Bank Info Security, May 2023
