Indonesia's financial sector operates under cybersecurity regulations issued by the Financial Services Authority (OJK). For commercial banks, these include explicit security testing obligations. This article summarises what the published regulations and commentary on them state.
The Regulatory Framework
The Otoritas Jasa Keuangan (OJK) issued OJK Regulation No. 11/POJK.03/2022 on the Implementation of Information Technology by Commercial Banks. This regulation replaced the earlier POJK 38/POJK.03/2016 on risk management in the use of IT by commercial banks.
To elaborate on the cybersecurity requirements, OJK issued Circular Letter No. 29/SEOJK.03/2022 (SEOJK 29) on Cyber Resilience and Security for Commercial Banks, issued on 27 December 2022. SEOJK 29 is described as the first cybersecurity regulation developed specifically for banks in Indonesia, and it consists of ten chapters covering end-to-end cybersecurity topics.
The Security Testing Requirement
These regulations require commercial banks to perform regular cybersecurity testing. According to published analysis, the mandated testing includes annual scenario-based testing such as penetration tests, tabletop exercises, social engineering assessments, and adversarial attack simulations (red team testing).
Banks are also required to conduct a series of annual assessments — inherent risk assessment, maturity level assessment, and cyber security risk assessment — each producing a rating on a defined scale. The results must be included in the "Report on the Current Condition of the Bank's IT System Implementation" submitted to OJK.
Alignment with International Standards
Indonesia's financial-sector cyber rules incorporate international frameworks. Published analysis notes that OJK and Bank Indonesia rules on cyber resilience incorporate elements found in frameworks like those of the Basel Committee, and that the OJK regime addresses matters also covered by the EU's Digital Operational Resilience Act (DORA), including IT risk management, incident reporting, and third-party risk.
Bank Indonesia's Parallel Requirements
Beyond OJK, Bank Indonesia Regulation No. 2 of 2024 addresses information system security and cyber resilience for payment system organisers and other BI-supervised entities, setting strengthened requirements for controls and cyber readiness. Payment-sector organisations should consider both the OJK and BI frameworks.
How Simuna Infosec Helps
Our human-led penetration testing and adversarial simulation services map directly to the scenario-based testing that OJK's framework mandates: penetration tests, social engineering assessments, and red team exercises. We deliver documented findings and evidence that banks can incorporate into the reports they submit to OJK, and our experience testing major banks across multiple regions brings the rigour Indonesia's financial sector requires.
*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified Indonesian legal counsel for compliance decisions.*