Indonesia's Financial Services Authority (OJK) published cybersecurity guidelines for digital financial asset (AKD) trading providers, positioning the document as a living reference built on secure-by-design and resilience-by-architecture principles. The guidance is intended to improve firms' cybersecurity awareness and strengthen the integrity and resilience of the digital asset trading ecosystem, in the context of Law No. 4/2023 (P2SK), which mandates OJK to regulate and supervise the financial sector technology innovation, digital financial asset and crypto-asset sector (IAKD) from January 2025. The guidelines set out strategic expectations including adoption of a zero-trust approach with layered authentication, device management and dynamic access policies, and cyber risk management aligned with frameworks such as ISO, NIST, CSMA, Indonesia's National Cyber and Crypto Agency (BSSN) and CREST. They also emphasise data and wallet protections, including the use of cold wallets for the majority of consumer assets and end-to-end encryption using industry-standard cryptography. The guidelines further emphasise incident response planning with coordinated recovery and integrated reporting with OJK and other stakeholders, and ongoing technical competency development through training, professional certifications (including CISA, CISSP and CISM) and incident simulations.