Spentera

Financial Services Authority of Indonesia (OJK) and No.29/SEOJK.03/2022 on Cyber Security and Resilience for Commercial Banks

The Financial Services Authority (OJK) in Indonesia has issued a regulatory guideline, OJK Circular Letter No. 29/SEOJK.03/2022, on Cyber Security and Resilience for Commercial Banks. This circular letter aims to strengthen the cybersecurity and resilience of commercial banks in Indonesia and to ensure that they are adequately prepared to deal with cyber threats.

Under this circular letter, commercial banks in Indonesia are required to establish and implement a comprehensive cybersecurity and resilience policy that covers risk assessment, monitoring, and reporting, as well as incident response planning and testing. The circular letter also mandates that commercial banks conduct regular vulnerability assessments, penetration testing, and security audits, and establish a dedicated cybersecurity team or unit to oversee these activities.

Compared to previous regulations, OJK Circular Letter No. 29/SEOJK.03/2022 introduces several new requirements and expectations for commercial banks in Indonesia. Here are some of the notable changes and updates:

  1. Comprehensive cybersecurity and resilience policy: The circular letter requires commercial banks to establish and implement a comprehensive cybersecurity and resilience policy that covers risk assessment, monitoring, and reporting, incident response planning and testing, and training and awareness programs.
  2. Vulnerability assessments, penetration testing, and security audits: The circular letter mandates that commercial banks must conduct regular vulnerability assessments, penetration testing, and security audits to identify and address security weaknesses and vulnerabilities.
  3. Dedicated cybersecurity team or unit: The circular letter requires commercial banks to establish a dedicated cybersecurity team or unit to oversee and manage cybersecurity and resilience activities.
  4. Business continuity plan for cybersecurity incidents: The circular letter mandates that commercial banks must develop and implement a business continuity plan (BCP) that covers cybersecurity incidents, including procedures for identifying, containing, and recovering from cyber attacks.
  5. Reporting requirements: The circular letter requires commercial banks to report any cybersecurity incidents to OJK and relevant authorities within 24 hours of discovery. Commercial banks must also provide regular updates to OJK on their cybersecurity and resilience activities.

Overall, OJK Circular Letter No. 29/SEOJK.03/2022 introduces more specific and comprehensive requirements for commercial banks in Indonesia to improve their cybersecurity and resilience capabilities. It demonstrates OJK's commitment to promoting a secure and resilient digital ecosystem for financial services in the country.

At Spentera, we offer a range of services that can help commercial banks meet these requirements and protect themselves against cyber threats. Our services include:

Cyber Security Risk Assessment

Cyber Security Compliance Services

  • Maturity Assessment
  • Risk Assessment
  • Compliance Audit

Cyber Security Testing

  • Security Assessment
    • Vulnerability Assessment
    • Penetration Testing
  • Scenario
    • Table-top Exercise
      • A Table-top Exercise is a type of simulation or drill that allows organizations to test and evaluate their incident response plans and procedures in a controlled and safe environment.
    • Cyber Range Exercise
      • A Cyber Range is a controlled and secure environment that replicates a real-world network and allows organizations to simulate various cyber-attacks and scenarios. A Cyber Range Exercise, therefore, is a simulation of a real-world cyber-attack in a controlled environment.
    • Social Engineering Exercise
      • Social engineering refers to the use of deception and manipulation to trick individuals into divulging sensitive information or performing certain actions. Social Engineering Exercises, therefore, are simulations of social engineering attacks that are designed to test the organization’s ability to detect and respond to such attacks.
    • Adversarial Attack Simulation Exercise
      • Adversarial Attack Simulation Exercises (AASE) are a type of cybersecurity simulation that can be used to test an organization’s ability to defend against real-world cyber threats. AASEs are similar to Cyber Range Exercises, but they focus specifically on simulating sophisticated and realistic attacks that are carried out by experienced and skilled attackers, often referred to as “red teamers.”

Cyber Incident Report

  • SOC Development
  • SOC as a Service
  • Incident Analysis and Computer Forensic Investigation
  • Threat Hunting

Cyber Security Testing

  • Cyber Security Blueprint

View Our Other Services

Network And Server Environment Testing

We continuously serve to detect and understand any potential cybersecurity events, especially those aimed at harmful access.


Red Team Assessment

Our team is well positioned to respond to and help you recover from any cybersecurity incidents that may occur.


Social Engineering Testing

In the information security chain, people are often the weakest link. While there is no fixed method for people assessment testing, we use a baseline testing that includes.

