Skip to main content

Penetration Testing

Penetration testing for Indonesian banks and financial services

In short

How Indonesian banks scope, run, and report the annual penetration test SEOJK 29/2022 requires, from banking apps and BI-SNAP APIs to core banking systems.

Penetration testing

An Indonesian bank cannot wait for an OJK examination to find out whether its internet banking app or its BI-SNAP connection is exploitable. SEOJK 29/2022 makes that testing a standing obligation rather than a one-off project: internet-facing systems tested at least once a year by an independent third party, critical internal systems checked quarterly, and findings fixed against a clock. This page covers what has to be in scope for a bank specifically, how the two forms of testing the regulation recognises differ, and what happens to the report once it lands. For how a penetration test works in general, see our penetration testing service page.

Why penetration testing is a standing obligation for banks

Security testing sits inside the same framework as the rest of a bank's cyber resilience programme. POJK 11/2022 treats cyber risk as one of eight risk categories a commercial bank must manage, and SEOJK 29/2022 turns that into a concrete testing schedule, not a discretionary good practice.

Internet and mobile banking apps

Most real attacks land on the customer-facing app, not the data centre. Authentication flaws, session handling bugs, and business-logic gaps here are what a pentest is built to catch before a fraud crew finds them first.

Open banking APIs (BI-SNAP)

Each fintech partner connected through BI-SNAP is another API endpoint in scope. Weak authorization or missing rate limiting on these connections is a common finding as the open banking rollout widens the surface.

External network perimeter

VPN gateways, exposed admin panels, and internet-facing infrastructure outside the app layer are routine entry points. A perimeter test checks what an attacker sees before they ever touch a login page.

Core banking and payment segmentation

The real question is whether a compromised web server can reach core banking, SWIFT, or the BI-FAST rails. Segmentation testing checks that boundary rather than assuming it holds.

The table below summarises what SEOJK 29/2022 mandates on testing and remediation, on top of the SWIFT Customer Security Programme requirements that apply to banks connected to SWIFT.

ObligationSourceWhat it means in practice
Annual penetration test of internet-facing systemsSEOJK 29/2022An independent third party tests internet banking, mobile apps, and public APIs at least once a year
Quarterly vulnerability assessment of critical internal systemsSEOJK 29/2022Internal-facing core banking and network segments are checked every quarter
Remediation of critical and high findings within 30 daysSEOJK 29/2022Findings are tracked to closure with evidence a regulator can review
Results presented to the Board Risk CommitteeSEOJK 29/2022The report goes to the board, not just into a technical file
Additional self-attestation testingSWIFT Customer Security ProgrammeLayered on top of SEOJK 29/2022 for banks connected to SWIFT

Two forms of security testing, one regulation

SEOJK 29/2022 recognises two forms of cyber security testing, and it is worth keeping them separate rather than treating "testing" as one undifferentiated activity. Vulnerability-analysis-based testing is the classic penetration test: it identifies weaknesses in a defined scope and attempts to exploit them. Scenario-based testing is closer to a red-team exercise, run against live defences to check how well the bank detects, contains, and recovers from a simulated incident.

 Penetration testScenario-based test
What it checksExploitable vulnerabilities in a defined scopeWhether the bank detects, contains, and recovers from a simulated incident
Typical scopeInternet banking, mobile apps, public APIs, network perimeterA live attack scenario run against current defences, often coordinated with the SOC
Cadence under SEOJK 29/2022At least once a yearSet by the bank based on its own risk profile
Reporting to OJKFindings recorded as part of the annual testing programmeResults reported to OJK within 10 business days of completion

For the full detail on cadence, scope, and how OJK treats each form, see our article on penetration testing requirements for Indonesian banks under POJK 11/2022. If you are weighing a lighter-touch vulnerability scan against a full test, our page on vulnerability assessment vs penetration testing sets out where each one fits.

What we test and how we deliver it

A bank's attack surface is wider than a single web app, so scoping has to account for every channel that reaches customer money or data.

Internet and mobile banking applicationsOpen banking (BI-SNAP) API endpointsExternal network perimeter and VPN gatewaysCore banking network segmentationCloud-hosted banking workloadsSWIFT environment perimeter (where connected)
Scope against SEOJK 29/2022 and the bank's risk profileTest internet-facing systems, APIs, and segmentationValidate exploitability and business impactDeliver a board-ready report with remediation deadlines

Every engagement includes a free retest once fixes are in, because a report that says "fixed" only means something if someone checks. Findings are categorised by severity and mapped to remediation timeframes the bank can defend to OJK, and results can be presented directly to the Board Risk Committee in the format examiners expect.

What the numbers say about the sector

US$20M

Ransom demanded in the 2023 Bank Syariah Indonesia attack, which disrupted services for 13 days (The Jakarta Post)

12%

Of Indonesian organisations rated mature on cyber readiness in 2024 (Cisco Cybersecurity Readiness Index 2024)

Untested systems are how a single exploitable gap turns into an incident on the scale of the Bank Syariah Indonesia case. With only 12 percent of Indonesian organisations rated mature on cyber readiness, an annual test that actually gets acted on is one of the more direct ways a bank can move off that baseline. For the regulatory background behind the testing mandate, see our article on OJK cybersecurity requirements for Indonesian banks.

If your annual test is coming up and you want it scoped to what OJK and your own risk profile actually require, our team can set out a concrete next step.

References

  1. 1.OJK, SEOJK No. 29/SEOJK.03/2022 on Cyber Resilience and Security for Commercial Banks
  2. 2.OJK, POJK No. 11/POJK.03/2022 on Information Technology Implementation by Commercial Banks
  3. 3.The Jakarta Post, reporting on the 2023 Bank Syariah Indonesia ransomware attack
  4. 4.Cisco, Cybersecurity Readiness Index 2024

Reviewed by Naren Krishnan, Cybersecurity Manager

Frequently asked questions

Yes. SEOJK 29/2022 requires a penetration test at least once a year against internet-facing systems, carried out by a qualified third party that is independent of the bank. Critical internal systems get a quarterly vulnerability assessment on top of that, and critical or high findings from either test must be remediated within 30 days.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.