Logo
Cybersecurity

The Security Gap Indonesian Financial Institutions Can't Afford to Ignore

From OJK mandates to UU PDP obligations, Indonesian banks and fintech companies face a security gap that annual audits can't close. ITSEC Asia, Indonesia's leading cybersecurity company, explains why continuous security validation is the standard that matters now.

ITSEC AsiaITSEC Asia
|
Jun 30, 2026
The Security Gap Indonesian Financial Institutions Can't Afford to Ignore

Introduction

Between late 2024 and 2025, Indonesia's Financial Services Authority (OJK) and the Indonesia Anti-Scam Center (IASC) recorded approximately 274,000 fraud cases with total public losses exceeding IDR 6 trillion. That number does not include the operational disruption and reputational fallout from high-profile breaches like the 2024 BI-Fast cyber incident, which prompted OJK to launch emergency inspections of regional banks across the country. Indonesia's financial sector is not fighting a periodic threat. It is fighting one that operates around the clock, and treating security validation as a once-a-year checkbox is one of the most dangerous assumptions a bank or fintech company can make right now.

Annual penetration tests are the industry norm, and for a long time they were considered sufficient. The logic was reasonable: test the system before it goes into production, document the findings, remediate the critical ones, and revisit in twelve months. That model made sense when environments were relatively static, when APIs were not the backbone of every product integration, and when attackers were not running automated tools continuously across the internet. None of those conditions hold today. ITSEC Asia, Indonesia's leading cybersecurity company with over a decade of experience serving financial institutions across Indonesia, Singapore, Australia, and the UAE, sees this gap directly in the organizations it works with. The infrastructure that passed an audit in January may look completely different by April — not because of negligence, but because modern financial services are built to move fast. New code ships weekly. APIs connect to third-party payment rails. Cloud configurations change in response to business needs. Each of those changes is a potential entry point, and none of them are visible to an organization waiting for next year's report.

Source: OJK & IASC Fraud Report 2025 · OJK Inspects Regional Banks After BI-Fast Breach · ITSEC Asia Company Profile

What Indonesian Regulators Are Now Demanding

The regulatory environment in Indonesia has moved faster in the past two years than in the previous decade, and it has moved specifically toward requiring proof of active security management, not just documentation of past compliance.

OJK Regulation No. 11/POJK.03/2022 and its companion SEOJK No. 29/SEOJK.03/2022 on Cybersecurity Resilience require commercial banks to conduct inherent risk assessments, implement robust risk management frameworks, and perform regular cybersecurity testing including vulnerability analysis, tabletop exercises, and social engineering assessments. The more recent POJK 30/2025 goes further, treating cyber risk as a standalone governance concern requiring board-level oversight and early-warning detection tools. In August 2025, OJK extended this posture to digital financial asset trading operators through dedicated Cyber Security Guidelines that emphasize building secure-by-design and resilient-by-architecture information systems — a standard that cannot be met through point-in-time assessments alone.

Then there is UU PDP. Indonesia's Personal Data Protection Law has been fully enforceable since October 2024, and its obligations on financial institutions are not soft. The law requires data controllers to implement appropriate technical and organizational measures to protect personal data throughout the entire processing lifecycle. When a breach occurs, regulators will not ask whether the organization had a privacy policy. They will ask what the organization actively did to test whether its systems were secure before the incident. Administrative sanctions under Article 57 of UU PDP can reach 2% of annual revenue, alongside criminal penalties of up to IDR 5 billion and five years' imprisonment for more serious violations. For a fintech platform or a mid-sized bank, that is not an abstract risk. It is a business-ending one.

The common thread across OJK regulations, UU PDP, and BSSN frameworks is the same: regulators are looking for evidence that security controls are being actively validated, not simply certified once and forgotten. An annual pentest report dated eleven months ago does not answer that question.

Source: ICLG Cybersecurity Laws and Regulations Indonesia 2026 · HBT Indonesia Personal Data & Cybersecurity Quarterly Update Oct 2025 · Chambers and Partners Data Protection Indonesia 2026

Why Financial Environments Break the Annual Testing Model

Banks and fintech companies are structurally different from other industries in ways that make the limitations of periodic testing especially acute. The attack surface in financial services is unusually broad and unusually dynamic, a single digital banking platform might expose hundreds of API endpoints connecting to payment gateways, credit scoring engines, KYC verification services, and partner institutions, each carrying its own risk profile and capable of changing without the security team being the first to know.

  • The financial sector's average data breach cost globally has reached $6.08 million — 22% higher than the overall average across industries — precisely because these environments are complex, interconnected, and high-value targets.

  • Attackers are not waiting for an organization's next scheduled assessment. They are scanning continuously, and the window between an annual test and the next one is exactly where most breaches begin.

  • Product teams at fintech companies ship features under pressure from competition and market expectations, meaning security reviews can lag behind release cycles even in organizations with strong security cultures.

  • A vulnerability introduced in a new payment flow in March will not appear in a pentest commissioned the following January — by that time, it may have already been exploited.

The IBM 2024 Cost of a Data Breach Report puts the global average breach cost at $4.88 million, and breach investigations consistently show that many incidents exploit vulnerabilities that were not unknown but simply not prioritized for remediation. This is the pattern that continuous testing is specifically designed to break — surfacing risks in the context of current systems, not systems as they existed at the time of the last assessment.

Source: Cybri: Fintech Penetration Testing Strategic Guide 2025 · IBM Cost of a Data Breach Report 2024 · IndoSec: Impact of Regulatory Changes on Cybersecurity for Financial Institutions in Indonesia

Continuous Security Validation as the New Standard

The concept of continuous security validation is not about testing more often for the sake of frequency. It is about aligning the security validation cycle with the actual pace of change in the environment — when a new API goes live, when a cloud configuration is updated, when a new feature is released. This is what "continuous" means in practice: not a daily pentest, but a validation program that follows the rhythm of the business rather than the calendar.

  • Every assessment cycle generates documentation of what was tested, what was found, what was remediated, and when — building a continuous paper trail of security due diligence that periodic testing cannot produce.

  • Over time, that record becomes exactly the kind of evidence that UU PDP regulators, OJK examiners, and international business partners look for when evaluating whether an organization's security posture is credible.

  • Bronyx, ITSEC Asia's AI-powered autonomous penetration testing platform, combines intelligent automation with human expert oversight to enable faster assessments, broader attack surface coverage, and audit-ready reports.

  • For financial institutions that need to demonstrate active security management to OJK, document UU PDP technical safeguards, or meet international partner expectations, Bronyx provides the continuous validation infrastructure that annual testing simply cannot deliver.

It transforms compliance from a point-in-time certification into an ongoing, demonstrable practice — one that regulators increasingly expect and that the pace of modern financial services demands.

Source: ITSEC Asia: Why Annual Penetration Testing Is No Longer Enough · Bronyx.AI Continuous Penetration Testing Platform · Optisol: Why Penetration Testing Is Essential for Fintech Cybersecurity in 2025

Start Building Your Security Evidence Now

The question for banks and fintech companies in Indonesia is not whether continuous security validation is necessary. Regulators have already answered that through evolving OJK frameworks, UU PDP enforcement, and BSSN incident management requirements. The question is whether an organization will build that evidence proactively or be forced to explain its absence after an incident.

ITSEC Asia has spent over a decade working with financial institutions across Indonesia, Singapore, Australia, and the UAE, helping security, compliance, and executive teams demonstrate accountability that meets both technical and regulatory standards. If your organization processes financial data in Indonesia and is still relying on a single annual audit as your primary security validation, the exposure is real and the time to address it is now — not after the next breach, and not after OJK's next inspection.

Visit bronyx.ai or contact the ITSEC Asia team at itsec.asia/contact to arrange a consultation and see how continuous security validation can be tailored to your environment.

Share this post

You may also like

Four Strong Reasons to Use an MSSP
Cybersecurity

Four Strong Reasons to Use an MSSP

Test

The multitude of challenges to be faced is the main reason why most organizations today are turning to managed security service providers (MSSPs) to help them address these issues. The challenges of strengthening human resources, processes, and technologies as efforts to secure their intellectual property and data appropriately, while still complying with cybersecurity regulations, can be a daunting task even for well-managed IT departments. With these considerations in mind, here are four main reasons why I prefer MSSPs over in-house security. USING MSSP SAVES YOU MONEY Building, running, and maintaining a cybersecurity ecosystem comes with significant costs. One of the reasons is that many software solutions require specialized hardware and equipment to run, and they often come with recurring licensing costs. Additionally, the salaries of cybersecurity employees and the training they need to effectively utilize new tools and technologies add to the expenses. One of the CFO's favorite aspects of using MSSP is that it can replace the capital expenditures often needed to add new tools with a large

ITSEC AsiaITSEC Asia
|
Jul 10, 2023 5 minutes read
Web Application Penetration Testing Explained: Why Applications Remain a Top Target for Attackers
Cybersecurity

Web Application Penetration Testing Explained: Why Applications Remain a Top Target for Attackers

Web applications have become the foundation of digital business. From customer portals and online banking platforms to e-commerce systems and internal business applications, organizations rely on web technologies to deliver services and create seamless user experiences. Unfortunately, attackers rely on them too. Because web applications are often exposed to the internet and handle sensitive information, they remain one of the most attractive targets for cybercriminals. This is why Web Application Penetration Testing has become an essential part of a modern cybersecurity strategy. WHAT IS WEB APPLICATION PENETRATION TESTING? Web Application Penetration Testing is a security assessment designed to identify and validate vulnerabilities within web applications before malicious actors can exploit them. Unlike automated vulnerability scanning, penetration testing simulates real-world attack techniques to understand how weaknesses could affect an organization's confidentiality, integrity and availability. The objective is not simply to discover vulnerabilities but to determine their actual impact. WHY ARE WEB APPLICATIONS FREQUENTLY TARGETED? Attackers are constantly searching for exposed applications because they often provide direct access to valuable assets. SENSITIVE DATA Web applications commonly process: * Customer

ITSEC AsiaITSEC Asia
|
Jun 15, 2026 5 minutes read
Think Your System Is Secure? Penetration Testing Can Prove It
Cybersecurity

Think Your System Is Secure? Penetration Testing Can Prove It

INTRODUCTION Today, almost every organization relies on digital systems to run daily operations, from websites and cloud applications to payment systems and internal databases.  However, as digital infrastructure grows, so do cybersecurity risks. Attackers constantly look for vulnerabilities in applications, networks, and systems that they can exploit to gain unauthorized access or steal sensitive data (Cloudflare, 2024). Because of this growing threat landscape, organizations need ways to test their defenses before real attackers attempt to breach them. One of the most effective methods is penetration testing, often called pen testing, where cybersecurity professionals simulate attacks to identify security weaknesses before malicious actors do (IBM, 2024). In simple terms, penetration testing is authorized hacking designed to improve security rather than cause damage. Source: Cloudflare.com [https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/], ibm.com [https://www.ibm.com/think/topics/penetration-testing] WHAT IS PENETRATION TESTING? Penetration testing is a cybersecurity assessment where security experts simulate cyberattacks on systems to identify vulnerabilities that attackers could exploit. These experts that are often known as penetration testers or ethical hackers use techniques similar to real attackers, but with permission from the organization and with the goal

ITSEC AsiaITSEC Asia
|
Apr 02, 2026 6 minutes read

Receive weekly
updates on new posts

Subscribe