The Security Gap Indonesian Financial Institutions Can't Afford to Ignore
From OJK mandates to UU PDP obligations, Indonesian banks and fintech companies face a security gap that annual audits can't close. ITSEC Asia, Indonesia's leading cybersecurity company, explains why continuous security validation is the standard that matters now.
Introduction
Between late 2024 and 2025, Indonesia's Financial Services Authority (OJK) and the Indonesia Anti-Scam Center (IASC) recorded approximately 274,000 fraud cases with total public losses exceeding IDR 6 trillion. That number does not include the operational disruption and reputational fallout from high-profile breaches like the 2024 BI-Fast cyber incident, which prompted OJK to launch emergency inspections of regional banks across the country. Indonesia's financial sector is not fighting a periodic threat. It is fighting one that operates around the clock, and treating security validation as a once-a-year checkbox is one of the most dangerous assumptions a bank or fintech company can make right now.
Annual penetration tests are the industry norm, and for a long time they were considered sufficient. The logic was reasonable: test the system before it goes into production, document the findings, remediate the critical ones, and revisit in twelve months. That model made sense when environments were relatively static, when APIs were not the backbone of every product integration, and when attackers were not running automated tools continuously across the internet. None of those conditions hold today. ITSEC Asia, Indonesia's leading cybersecurity company with over a decade of experience serving financial institutions across Indonesia, Singapore, Australia, and the UAE, sees this gap directly in the organizations it works with. The infrastructure that passed an audit in January may look completely different by April — not because of negligence, but because modern financial services are built to move fast. New code ships weekly. APIs connect to third-party payment rails. Cloud configurations change in response to business needs. Each of those changes is a potential entry point, and none of them are visible to an organization waiting for next year's report.
Source: OJK & IASC Fraud Report 2025 · OJK Inspects Regional Banks After BI-Fast Breach · ITSEC Asia Company Profile
What Indonesian Regulators Are Now Demanding
The regulatory environment in Indonesia has moved faster in the past two years than in the previous decade, and it has moved specifically toward requiring proof of active security management, not just documentation of past compliance.
OJK Regulation No. 11/POJK.03/2022 and its companion SEOJK No. 29/SEOJK.03/2022 on Cybersecurity Resilience require commercial banks to conduct inherent risk assessments, implement robust risk management frameworks, and perform regular cybersecurity testing including vulnerability analysis, tabletop exercises, and social engineering assessments. The more recent POJK 30/2025 goes further, treating cyber risk as a standalone governance concern requiring board-level oversight and early-warning detection tools. In August 2025, OJK extended this posture to digital financial asset trading operators through dedicated Cyber Security Guidelines that emphasize building secure-by-design and resilient-by-architecture information systems — a standard that cannot be met through point-in-time assessments alone.
Then there is UU PDP. Indonesia's Personal Data Protection Law has been fully enforceable since October 2024, and its obligations on financial institutions are not soft. The law requires data controllers to implement appropriate technical and organizational measures to protect personal data throughout the entire processing lifecycle. When a breach occurs, regulators will not ask whether the organization had a privacy policy. They will ask what the organization actively did to test whether its systems were secure before the incident. Administrative sanctions under Article 57 of UU PDP can reach 2% of annual revenue, alongside criminal penalties of up to IDR 5 billion and five years' imprisonment for more serious violations. For a fintech platform or a mid-sized bank, that is not an abstract risk. It is a business-ending one.
The common thread across OJK regulations, UU PDP, and BSSN frameworks is the same: regulators are looking for evidence that security controls are being actively validated, not simply certified once and forgotten. An annual pentest report dated eleven months ago does not answer that question.
Source: ICLG Cybersecurity Laws and Regulations Indonesia 2026 · HBT Indonesia Personal Data & Cybersecurity Quarterly Update Oct 2025 · Chambers and Partners Data Protection Indonesia 2026
Why Financial Environments Break the Annual Testing Model
Banks and fintech companies are structurally different from other industries in ways that make the limitations of periodic testing especially acute. The attack surface in financial services is unusually broad and unusually dynamic: a single digital banking platform might expose hundreds of API endpoints connecting to payment gateways, credit scoring engines, KYC verification services, and partner institutions, each carrying its own risk profile and capable of changing without the security team being the first to know.
- The financial sector's average data breach cost globally has reached $6.08 million — 22% higher than the overall average across industries — precisely because these environments are complex, interconnected, and high-value targets.
- Attackers are not waiting for an organization's next scheduled assessment. They are scanning continuously, and the window between an annual test and the next one is exactly where most breaches begin.
- Product teams at fintech companies ship features under pressure from competition and market expectations, meaning security reviews can lag behind release cycles even in organizations with strong security cultures.
- A vulnerability introduced in a new payment flow in March will not appear in a pentest commissioned the following January — by that time, it may have already been exploited.
The IBM 2024 Cost of a Data Breach Report puts the global average breach cost at $4.88 million, and breach investigations consistently show that many incidents exploit vulnerabilities that were already known but simply not prioritized for remediation. This is the pattern that continuous testing is specifically designed to break — surfacing risks in the context of current systems, not systems as they existed at the time of the last assessment.
Source: Cybri: Fintech Penetration Testing Strategic Guide 2025 · IBM Cost of a Data Breach Report 2024 · IndoSec: Impact of Regulatory Changes on Cybersecurity for Financial Institutions in Indonesia
Continuous Security Validation as the New Standard
The concept of continuous security validation is not about testing more often for the sake of frequency. It is about aligning the security validation cycle with the actual pace of change in the environment — when a new API goes live, when a cloud configuration is updated, when a new feature is released. This is what "continuous" means in practice: not a daily pentest, but a validation program that follows the rhythm of the business rather than the calendar.
- Every assessment cycle generates documentation of what was tested, what was found, what was remediated, and when — building a continuous paper trail of security due diligence that periodic testing cannot produce.
- Over time, that record becomes exactly the kind of evidence that UU PDP regulators, OJK examiners, and international business partners look for when evaluating whether an organization's security posture is credible.
- Bronyx, ITSEC Asia's AI-powered autonomous penetration testing platform, combines intelligent automation with human expert oversight to enable faster assessments, broader attack surface coverage, and audit-ready reports.
- For financial institutions that need to demonstrate active security management to OJK, document UU PDP technical safeguards, or meet international partner expectations, Bronyx provides the continuous validation infrastructure that annual testing simply cannot deliver.
It transforms compliance from a point-in-time certification into an ongoing, demonstrable practice — one that regulators increasingly expect and that the pace of modern financial services demands.
Source: ITSEC Asia: Why Annual Penetration Testing Is No Longer Enough · Bronyx.AI Continuous Penetration Testing Platform · Optisol: Why Penetration Testing Is Essential for Fintech Cybersecurity in 2025
Start Building Your Security Evidence Now
The question for banks and fintech companies in Indonesia is not whether continuous security validation is necessary. Regulators have already answered that through evolving OJK frameworks, UU PDP enforcement, and BSSN incident management requirements. The question is whether an organization will build that evidence proactively or be forced to explain its absence after an incident.
ITSEC Asia has spent over a decade working with financial institutions across Indonesia, Singapore, Australia, and the UAE, helping security, compliance, and executive teams demonstrate accountability that meets both technical and regulatory standards. If your organization processes financial data in Indonesia and is still relying on a single annual audit as your primary security validation, the exposure is real and the time to address it is now — not after the next breach, and not after OJK's next inspection.
Visit bronyx.ai or contact the ITSEC Asia team at itsec.asia/contact to arrange a consultation and see how continuous security validation can be tailored to your environment.