November 26, 2025 | 09:12 am

By Randy Taufik and Ahmad Novindri Aji Sukma
Data security and prudent regulations form the essential bedrock of digital-era investment. Recent high-profile breaches involving unauthorized access to investor accounts, resulting in estimated losses of Rp70 billion, raise serious red flags concerning investor confidence in Indonesia. If left unaddressed, these incidents will directly undermine trust in the capital market’s resilience. At the time of the breach, there were no binding rules governing withdrawal destination protocols, verification procedures, data reconciliation, or robust cybersecurity requirements to safeguard investor funds.
In a seemingly reactive measure, the Indonesia Stock Exchange (IDX), the Indonesian Central Securities Depository (KSEI), and the Indonesian Securities Clearing and Guarantee Corporation (KPEI) issued Joint Circular Letter (SEB) No SE-00005/2025 on September 16, 2025. This letter mandates that the host-to-host connection between brokers and Customer Fund Account (RDN) banks must be served daily unless the institutions meet designated security standards. While this marks a necessary step forward, the broader, more urgent question remains: is this intervention sufficient?
The Financial Services Authority (OJK), established under Law No. 21/2011, is tasked with overseeing financial services in a fair, transparent, and accountable manner, including the protection of consumers and the public interest. In the capital market context, core legislation like Law No. 8 of 1995 and subsequent OJK regulations, such as POJK No. 6/POJK.04/2021, clearly require financial service providers to maintain data and system integrity. Personal data protection is also governed under the broader Law No. 27/2022.
Further investor safeguards are detailed in POJK No. 25/POJK.04/2014 (fund segregation and reporting transparency), POJK No. 1/POJK.04/2015 (mandatory risk disclosures) and POJK No. 55/POJK.04/2015 (bank account supervised by OJK).
However, a substantial gap persists. While funds held at licensed banks are protected by the guarantees from the Indonesia Deposit Insurance Corporation (LPS), funds held at securities companies rely primarily on regulatory enforcement and compliance with risk management rules. This leaves investors exposed, particularly given the inherent volatility risks associated with capital market fluctuations.
Several countries have stepped up protections in response to growing cyber threats within their financial systems. In China, the Securities Law requires firms to assess investor risk profiles, disclose accurate financial data, and comply with strict oversight by the China Securities Regulatory Commission (CSRC), which enforces rules from IPOs to corporate governance. Newer reforms have added harsher penalties for fraud and streamlined dispute resolution mechanisms.
In the European Union, the Market Abuse Regulation (MAR) standardizes rules on insider trading, market manipulation, and data misuse. National Competent Authorities (NCAs) impose sanctions ranging from hefty fines to criminal penalties, while mandating that firms implement robust staff training, internal reporting, and whistleblower mechanisms.
Meanwhile, the United States requires financial institutions to report cyber-related incidents in granular detail—such as IP addresses with timestamps, virtual wallet details, and device identifiers. This transparency does not, however, excuse firms from their obligation to promptly report and mitigate incidents involving critical systems or operational disruption.
The urgency for these reforms is underscored by alarming global data. According to an International Monetary Fund (IMF) report on global cyber risks, an "extreme loss" for a finance firm due to a cyber incident was around US$285 million in 2017; by 2021, that figure had jumped to US$2.24 billion. Furthermore, a major cyber incident resulting in an extreme loss of US$2.5 billion is likely to occur once every ten years. These losses included everything from ransom payouts and lost revenue to business disruption, legal battles, and audit costs. Hence, this is a major issue that every country needs to tackle seriously.
Indonesia must transition from reactive fixes to more proactive and systemic safeguards. Securities companies and financial institutions should be required to adopt proven digital security standards from the banking sector, such as token-based authentication and secure API (Application Programming Interface) architectures.
Regulatory mechanisms—including enhanced cybersecurity standards, robust audit frameworks, and stricter disclosure requirements—must reflect the same level of rigor seen in banking sector compliance. Furthermore, regulatory and supervisory bodies must be equipped with full operational independence and sufficient technical capacity. Audit standards, cybersecurity infrastructure, reporting protocols, and deposit guarantee schemes, such as those provided by the LPS (Deposit Insurance Corporation), must be integrated to truly uphold prudence and investor trust in the capital market.
Indonesia's ambition for 8 percent economic growth will not be realized without strong, credible, and trustworthy regulators. This breach incident should serve as a turning point in the governance of capital markets. While investors are prepared to take on financial risk, they will not tolerate regulatory uncertainty or digital vulnerability. Cybersecurity is no longer a technical afterthought; it is a core pillar of investor protection, market confidence, and long-term economic growth.
* Randy Taufik is a legal counsel and Oxford alumnus specializing in corporate and tech law, and Ahmad Novindri Aji Sukma is a regulatory compliance lawyer based in London and a PhD researcher at the University of Cambridge.
*) DISCLAIMER
Articles published in the “Your Views & Stories” section of en.tempo.co website are personal opinions written by third parties, and cannot be related or attributed to en.tempo.co’s official stance.