Cybersecurity compliance for commercial banks: POJK 11/2022 and SEOJK 29/2022
In short
How commercial banks (Bank Umum) meet POJK 11/2022 and SEOJK 29/2022: the five cyber resilience control domains, OJK incident reporting requirements, and Alpha Code services that help banks satisfy them.
Indonesia's commercial banks handle the deposits, loans, and transfers that reach tens of millions of customers every day. When core banking systems, mobile applications, and connections to payment infrastructure become the backbone of that service, a technology failure is felt by customers, not just by the IT team. OJK addressed this directly when it issued POJK 11/2022, then reinforced its technical requirements through SEOJK 29/2022.
These two instruments together form the cyber resilience framework that applies to every OJK-licensed commercial bank. This page sets out the concrete obligations they contain and how Alpha Code services help banks satisfy them. For a deeper treatment of the specific controls and their technical context, see our articles on OJK cybersecurity requirements for Indonesian banks and penetration testing requirements for Indonesian banks under POJK 11/2022.
POJK 11/2022 + SEOJK 29/2022
POJK 11/2022 governs IT implementation by commercial banks and includes cyber risk as one of eight risk categories banks must manage. SEOJK 29/2022 specifies the cyber resilience obligations across five control domains: IT governance, asset management, access control, incident management, and third-party risk. Core requirements include an initial incident notification to OJK within 1x24 hours followed by a full report within 5 working days, annual penetration testing by an independent third party, continuous monitoring, and five-year log retention.
Who these regulations apply to
POJK 11/2022 and SEOJK 29/2022 apply to commercial banks (Bank Umum) operating under an OJK licence, including conventional banks, sharia banks, foreign banks operating in Indonesia, and regional development banks (BPD). They do not apply to rural banks (BPR and BPRS), which are governed by a separate framework under POJK 34/2025, and they do not apply to payment system operators overseen by Bank Indonesia under PBI 2/2024.
Commercial banks that also operate payment services or other products licensed by Bank Indonesia may face both regulatory frameworks at once. In that situation, mapping each regulator's requirements separately is the right starting point. Terms like "information security" and "cyber resilience" appear on both sides, but with slightly different scopes and control expectations, so assuming one compliance programme covers two regulators is a risk in itself.
The five control domains of SEOJK 29/2022
SEOJK 29/2022 organises information security obligations into five domains. This is the structure OJK uses during IT examinations, so understanding all five together is more useful than treating them as a list of separate technical controls.
The first domain is IT governance, which reaches deepest into the bank's leadership structure. OJK requires that ownership of IT and cyber risk sits at board level: the board of commissioners receives IT risk reports at least quarterly, the board of directors approves the IT security policy, and a dedicated IT steering committee with at least one director as a member must exist. The IT risk function must also be organisationally separate from IT operations, so that risk assessments are not conducted by the same people running the systems. In practice, a CISO needs a direct reporting line to the directors, and board minutes should reflect real discussion of IT risk, not just signatures on an annual report.
The second domain is asset management. Banks must maintain an asset register covering all hardware, software, data, and network components, classified by criticality level with at least three tiers. Customer data is classified as confidential with strict access controls. The register is reviewed at least annually and updated whenever a significant change occurs. Without complete classification, risk assessments cannot be accurate because there is no basis for prioritising assets by potential impact.
The third domain is access control, and it is often where the most gaps surface when a bank undergoes its first independent assessment. OJK requires the principle of least privilege, quarterly inventorying and monitoring of privileged accounts, MFA for remote access and for any system that processes or stores customer data, and deprovisioning of access within a tight SLA when employees change roles or leave. OJK examiners pay particular attention to how quickly accounts of departing staff are disabled, and a 24-hour expectation is commonly used as the reference point.
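As an added example (not part of the original page or Alpha Code's own tooling), the following Python check joins a constructed HR leaver feed with IAM account-disable events and flags accounts that were disabled later than the 24-hour reference point, or that are still active past it. The record layout, user ids and SLA constant are assumptions.

```python
from datetime import datetime, timedelta

# 24-hour reference point that OJK examiners commonly apply to leaver accounts
DEPROVISION_SLA = timedelta(hours=24)

# Constructed sample data (not real bank records): HR leaver feed and IAM disable events.
HR_LEAVERS = {  # user_id -> effective termination time (from the HR system)
    "u1001": datetime(2025, 2, 3, 17, 0),
    "u1002": datetime(2025, 2, 4, 9, 30),
    "u1003": datetime(2025, 2, 5, 12, 0),
}
IAM_DISABLED = {  # user_id -> time the account was disabled (absent = still active)
    "u1001": datetime(2025, 2, 4, 8, 15),
    "u1002": datetime(2025, 2, 6, 10, 0),
}


def check_deprovisioning(leavers, disabled, now, sla=DEPROVISION_SLA):
    """Return (user_id, finding, delay) for every leaver whose access outlived the SLA."""
    findings = []
    for uid, left_at in leavers.items():
        disabled_at = disabled.get(uid)
        if disabled_at is None:
            # Account never disabled: a finding once the SLA has elapsed as of 'now'
            if now - left_at > sla:
                findings.append((uid, "still active", now - left_at))
        elif disabled_at - left_at > sla:
            findings.append((uid, "disabled late", disabled_at - left_at))
    return findings


def sample_findings():
    """Run the check over the constructed data as of a fixed review time."""
    return check_deprovisioning(HR_LEAVERS, IAM_DISABLED, now=datetime(2025, 2, 7, 9, 0))


if __name__ == "__main__":
    for uid, finding, delay in sample_findings():
        print(f"{uid}: {finding} ({delay})")
```

Run against a daily HR export and the IAM audit log, the same join gives the evidence an examiner asks for when checking how quickly departing staff lose access.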
The fourth domain is incident management. This covers detection capability through log collection from critical systems with a minimum five-year retention period (three years online, two years archived), a documented incident response plan tested at least annually, and a classification framework with clear escalation thresholds. Testing the plan at least twice a year in tabletop format is aligned with OJK expectations.
The fifth domain is third-party risk. More commercial banks now use cloud services, external core banking vendors, and fintech partners. OJK requires a security assessment of every third party that accesses bank systems or processes customer data before onboarding, annual reassessment of critical vendors, and contractual clauses covering audit rights, incident notification obligations, and data handling requirements. Deploying a core banking system to the cloud requires prior notification to OJK, and cloud providers must meet Indonesian data residency requirements.
| Obligation | Status |
|---|---|
| IT governance at board level with quarterly risk reporting | Mandatory |
| Classified asset register, reviewed at least annually | Mandatory |
| MFA for remote access and systems processing customer data | Mandatory |
| Continuous monitoring and log retention of at least 5 years | Mandatory |
| Annual penetration test by an independent third party | Mandatory |
| Quarterly vulnerability assessment of critical internal systems | Mandatory |
| Security assessments and contractual clauses for third parties | Mandatory |
| OJK notification before deploying core banking to cloud | Mandatory |
Incident reporting deadlines
One of the most operationally demanding aspects of SEOJK 29/2022 is the incident reporting obligation, which runs on two clocks: a short one for the initial notification and a second one for the full report. These cannot be improvised when an incident is already active. The procedures, escalation paths, and ability to assemble a regulatory report all need to be in place beforehand.
The diagram below shows the two reporting windows. The time axis is compressed so that both deadlines are legible in a single view.
The initial notification is sent in writing through electronic means, such as email, within 1x24 hours of discovering a cyber incident. That window is tight when the team is focused on technical containment, which is exactly why the reporting procedure must be ready before any incident occurs. The full incident report follows within 5 working days and covers the reporter information, impact assessment, chronology of events, root cause analysis, and final assessment. The reporting duty covers cyber incidents broadly: anything affecting customer-facing systems, involving data exfiltration, or triggering BCP activation clearly qualifies.
OJK treats the ability to report accurately and on time as evidence that incident management actually works in practice, not merely as written policy.
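As an added example (not the page's or Alpha Code's own tooling), this Python helper computes the two SEOJK 29/2022 clocks from a discovery timestamp and reports whether each submission met its deadline. It assumes the 5 working days are counted from the first working day after discovery and end at 23:59:59 of the fifth, and it uses a constructed placeholder holiday set; the bank's own legal reading of the counting rule and the official Indonesian holiday calendar replace both.

```python
from datetime import date, datetime, time, timedelta

# Constructed placeholder holiday set (assumption): in practice load the official
# Indonesian public-holiday calendar for the relevant year.
HOLIDAYS = {date(2025, 1, 1), date(2025, 3, 31)}


def is_working_day(d: date) -> bool:
    return d.weekday() < 5 and d not in HOLIDAYS


def initial_notification_deadline(discovered: datetime) -> datetime:
    """Initial written notification to OJK: within 1x24 hours of discovery."""
    return discovered + timedelta(hours=24)


def full_report_deadline(discovered: datetime) -> datetime:
    """Full incident report: within 5 working days. Assumption: counting starts on
    the first working day after discovery and the deadline is the end of day 5."""
    d, remaining = discovered.date(), 5
    while remaining > 0:
        d += timedelta(days=1)
        if is_working_day(d):
            remaining -= 1
    return datetime.combine(d, time(23, 59, 59))


def reporting_status(discovered, notified_at=None, reported_at=None):
    """Per-clock status: 'on time', 'late', or 'open' (not yet submitted)."""
    def judge(deadline, submitted):
        if submitted is None:
            return "open"
        return "on time" if submitted <= deadline else "late"
    return {
        "initial_notification": judge(initial_notification_deadline(discovered), notified_at),
        "full_report": judge(full_report_deadline(discovered), reported_at),
    }


# Constructed scenario: incident discovered on a Friday morning, so the weekend
# and the placeholder holiday push the full-report deadline out.
SAMPLE_DISCOVERED = datetime(2025, 3, 28, 10, 0)
SAMPLE_NOTIFIED = datetime(2025, 3, 28, 20, 45)
SAMPLE_REPORTED = datetime(2025, 4, 8, 9, 0)  # one working day after the deadline

if __name__ == "__main__":
    print("initial deadline:", initial_notification_deadline(SAMPLE_DISCOVERED))
    print("full report deadline:", full_report_deadline(SAMPLE_DISCOVERED))
    print(reporting_status(SAMPLE_DISCOVERED, SAMPLE_NOTIFIED, SAMPLE_REPORTED))
```

Wiring the two deadlines into the incident ticket at discovery time, with an alert some hours before each expires, is the practical way to keep the clocks visible while the team is busy with containment.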
Mandated testing schedule
Security testing is not optional under SEOJK 29/2022. Banks must conduct a penetration test at least once a year against internet-facing systems, using a qualified third-party tester that is independent of the bank. Results are presented to the Board Risk Committee, not simply retained as a technical document.
For critical internal systems, a vulnerability assessment is conducted quarterly. Critical and high findings must be remediated within 30 days of discovery. Banks seeking or renewing SWIFT connectivity face an additional layer of testing requirements under the SWIFT Customer Security Programme (CSP), aligned with OJK expectations.
For detailed guidance on the penetration testing requirements for banks under POJK 11/2022, see our article on penetration testing requirements for Indonesian banks.
A path to compliance
There is no fixed sequence that works for every bank, because each starts from a different position. The pattern that most often succeeds begins with understanding the current state, then improving governance and technical controls, followed by building the testing and reporting capabilities that run continuously.
1. Gap assessment: Map existing controls, policies, and procedures against the five domains of SEOJK 29/2022. Identify gaps in monitoring, incident management, access control, and third-party risk.
2. Governance and technical controls: Establish IT risk reporting at board level, strengthen privileged account management, deploy MFA, and complete the classified asset register.
3. Testing and monitoring: Schedule the annual penetration test, build the quarterly vulnerability assessment cycle, and implement continuous log monitoring with compliant retention.
4. Incident procedures and reporting: Document the incident response plan with OJK escalation paths, test it at least twice a year, and confirm the teams involved are trained and ready.
The gap assessment at the outset prevents the bank from improving what is already adequate while overlooking the gaps that actually carry risk. Its output becomes a prioritised roadmap that can be taken to the board and directors for budget decisions and timeline planning.
How Alpha Code helps
We begin with a gap assessment that maps the bank's information security posture against the specific obligations of POJK 11/2022 and SEOJK 29/2022. The result is not a simple list of problems but a prioritised map that distinguishes what is already in place, what is partially covered, and what needs immediate attention, giving the bank a clear basis for planning budget and time.
For the monitoring obligations mandated by SEOJK 29/2022, our SOC service provides continuous log monitoring and anomaly detection, along with log collection and storage that meets the five-year retention requirement. We also help banks set up periodic detection-system testing as required by the regulation.
When an incident occurs, our incident response service covers technical containment alongside support for assembling the report to OJK within the applicable deadline. Our team understands the content and structure that regulators expect in incident disclosures, so the bank is not learning that process for the first time while managing an active incident.
For the mandated penetration test, we provide testing by an independent team and deliver a report in the format that OJK examiners expect, including risk categorisation and remediation recommendations with clear deadlines. Results can be presented directly to the Board Risk Committee.
On the governance side, our GRC consulting helps align information security policies, strengthen third-party risk management, and prepare the documentation that OJK examines. For banks that need security leadership without hiring a full-time CISO, our vCISO service provides that function with a more flexible engagement model.
Next steps
POJK 11/2022 and SEOJK 29/2022 are already in force. For banks that have not yet completed a gap assessment against both regulations, starting now is considerably better than waiting until an OJK examination or an incident forces a rushed response. If you want to understand where your bank stands against these obligations, our team is ready to help you set out a clear and concrete first step.
Frequently asked questions
POJK 11/2022 treats cyber risk as one of eight risk categories that commercial banks must manage. SEOJK 29/2022 then specifies the cyber resilience obligations across five control domains: IT governance, asset management, access control, incident management, and third-party risk. Together they form the information security framework that every OJK-licensed commercial bank must comply with.