Because the growing use of information technology poses an ever-expanding risk to the overall stability of the financial system, one that could potentially result in financial losses, Bank Indonesia (“BI”) has introduced a new framework that sets out various provisions specifically addressing the application of information system security and cyber resilience (Keamanan Sistem Informasi dan Ketahanan Siber – “KKS”).[1] This new framework, Regulation No. 2 of 2024 (“Regulation 2/2024”), should be implemented by certain parties that are regulated and supervised by BI and that are categorized as posing a potential systemic or non-systemic cyber risk to the financial system (“Organizers”),[2] and has been in force since 22 April 2024.[3]
As BI is authorized to regulate and supervise the implementation of KKS by Organizers, Regulation 2/2024 has now affirmed that the overall goal of KKS is to improve the capacities of Organizers to prevent and mitigate cyber-attacks, as well as to improve Organizers’ overall cyber-incident risk management.[4] In this regard, KKS should be implemented based on five core principles (e.g. comprehensive strategy, enterprise risk management, development of KKS culture and so forth) and comprises a wide range of aspects (i.e. governance, prevention, mitigation, supervision and collaboration).[5]
Given the importance of KKS, particularly for Organizers, as regards the prevention and mitigation of cyber risks, this edition of Indonesian Legal Brief (ILB) offers an elaboration of the various provisions that are set out under Regulation 2/2024, specifically as they relate to the following matters:
KKS Subjects
As previously mentioned, Organizers are subject to the mandatory implementation of KKS.[6] In this regard, Regulation 2/2024 specifies which parties fall under the definition of Organizers and are thus required to implement KKS, as follows:[7]
Implementation of KKS
Pursuant to Regulation 2/2024, the implementation of KKS by Organizers comprises three core aspects (i.e. governance, prevention and mitigation measures), each with its own corresponding objectives and measures. The following three tables highlight key aspects of each of the above-listed core aspects of KKS implementation:
Governance of KKS[8]

| Aspects | Objectives and Measures |
| --- | --- |
| KKS strategy and policy[9] | In order to strengthen the application of KKS, Organizers are required to prepare and implement the following: |
| KKS culture[10] | Organizers should periodically implement KKS cultural improvement programs that involve their upper management (e.g. boards of directors). |
Preventative Measures[11]

| Aspects | Objectives and Measures |
| --- | --- |
| Identification[12] | Identification-related measures should be implemented by Organizers in order to obtain a comprehensive picture of the cyber risks that are being faced and to prioritize the necessary controls. This aspect encompasses the drafting and periodic updating of cyber risk profiles. |
| Protection[13] | Encompasses the following measures, which should be implemented in an effort to prevent cyber-attacks based on risk profiles, while relevant data and/or information should be secured during each stage of its management cycle: |
| Detection[14] | Encompasses the following measures, which should be implemented in order to gain an understanding of cyber vulnerabilities and to provide early warnings: |
Mitigation Measures[15]

| Aspects | Objectives and Measures |
| --- | --- |
| Response[16] | In order to mitigate the impacts of any cyber incidents and communicate any necessary mitigation measures, the following response measures should be implemented: |
| Recovery[17] | In order to restore services to their normal conditions in accordance with their relevant priorities and to enhance KKS in an effort to prevent the recurrence of cyber incidents, recovery measures encompass the following: |
Reporting Obligations
Organizers are required to submit relevant data and/or information relating to the above-outlined implementation of KKS aspects to BI in the form of documents and raw and/or processed data as a part of the following types of reports:[18]
| Annual Reports | Incidental Reports |
| --- | --- |
| Must include the following information: | These should be submitted whenever a cyber incident occurs. |
It is important to note that any Organizers that fail to comply with the above-outlined reporting obligations may be subject to the imposition of the following types of administrative sanctions:[19]
Source : hukumonline.com