After previously discussing the Bank Indonesia Regulation (PBI) on Cyber Security and Resilience, in this blog, I want to dive deeper into its derivative regulation, the Member of the Board of Governors Regulation (PADG) on Cyber Security and Resilience (KKS), which provides more detailed guidelines. The key points covered in the PADG include:

1. Purpose & Scope

  • Strengthening cyber security and resilience in the financial sector.
  • Regulating Payment System Operators (PJP), money market participants, and other entities under BI’s supervision.
  • Covering governance, prevention, incident handling, reporting, and sanctions.

2. Cyber Security Governance

  • Organizations must develop a KKS strategy & roadmap.
  • Conduct regular audits at least once a year (internal or external).
  • Provide training & education on cyber security for employees and external partners.

3. Cyber Incident Prevention

  • Identify risks & map threats (people, process, technology).
  • Protect data & systems (restricted access, encryption, malware detection).
  • Conduct real-time threat monitoring, and perform vulnerability testing at least once a year.

4. Cyber Incident Handling

  • Establish a cyber incident response team ready to take action.
  • Report incidents to BI (initial notification within 1 hour, full report within 3 days).

5. Sanctions for Violations

  • Administrative fines up to IDR 5 million per report.
  • Possible sanctions: warnings, temporary suspension, or even license revocation.

6. Collaboration & Information Sharing

  • Organizations must share threat information with BI.
  • BI has the authority to isolate systems affected by cyberattacks.
  • Self-Regulatory Organizations (SROs) are appointed to assist with regulation.

Looking at this regulation, it seems quite comprehensive… but I do see some gaps. So, let’s go back to my dissertation outline.

One key aspect I’m focusing on is the identification and mapping of security standards like ISO 27001, NIST, IEEE, and ECSS. Right now, the KKS regulation does not specify any particular technology standards. My guess? Maybe BI wants to allow PSPs (including PJPs) the flexibility to explore their own technology choices. But is that a good move?

In my opinion, cybersecurity requires clear technical details to address the complexity of modern IT environments. Mtsweni et al. (2018) describe today’s digital landscape as a web of interconnected systems, overlapping processes, and complex organizational structures, much of which operates in a black box. Without well-defined standards, PSPs could implement security measures inconsistently, leading to gaps in protection.

Many studies, including Villalón-Fonseca (2022), emphasize the importance of international standards like ISO 27001, which provides a framework for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Mandating a minimum level of compliance with this standard would be a solid step forward. Interestingly, BI’s regulatory counterpart, OJK, has already taken this approach, explicitly requiring ISO 27001 for banks under SEOJK 29 – 03 – 2022.

If we look deeper into the core principles of ISO/IEC 27001, it follows a process-based approach, involving planning, implementation, monitoring, review, and continuous improvement—all centered around risk management. The KKS regulation does mention cyber risk, but it doesn’t specify a clear methodology or require a Statement of Applicability (SoA). It also doesn’t address information asset classification, which is crucial for ensuring structured data governance. Some of these aspects are mentioned in the PADG, but again, not in much detail.

This raises an important question: is the lack of detail because the PADG simply isn’t designed to regulate at that level? If that’s the case, then my research could provide recommendations on which areas need more clarity, so that PJP operators don’t have to “guess” their way through compliance. The goal is to ensure flexibility, while still aligning with international best practices for data protection.

References:

Mtsweni, J., Gcaza, N., & Thaba, M. (2018). A unified cybersecurity framework for complex environments. SAICSIT 2018, 26–28 September, Port Elizabeth, South Africa.

Villalón-Fonseca, R. (2022). The nature of security: A conceptual framework for integral-comprehensive modeling of IT security and cybersecurity. Computers & Security, 120, 102805. https://doi.org/10.1016/j.cose.2022.102805