Indonesia’s financial sector is processing more digital transactions now than at any point in its history, and threat actors know it. Bank Indonesia recorded over 370 million attempted cyber threats in 2024 alone, alongside a 25% year-on-year rise in anomalous cyber traffic. For institutions managing payment rails, settlement networks, and mobile banking platforms, that figure is the operating environment.
Cyber in banking has moved beyond IT governance into enterprise risk management, directly influencing regulatory standing and long-term institutional credibility. Financial leaders who treat cybersecurity as a compliance checkbox are, at this point, actively accepting risk.
Digital payment transactions in Indonesia reached 14.82 billion in the first quarter of 2026, up 37.69% from the same period the previous year. QRIS adoption has deepened across urban and semi-urban markets, while mobile wallets have displaced cash for a growing share of retail transactions, and real-time interbank transfers have become a baseline expectation rather than a premium feature.
Indonesia’s digital economy was valued at $130 billion in 2025 and is projected to reach $360 billion by 2030, making the financial sector’s digital infrastructure a nationally significant asset.
Behind every transaction sits a chain of interdependent systems: payment gateways, core banking platforms, API integrations with third-party fintechs, and interbank settlement networks.
Each layer expands the potential attack surface. As transaction volumes scale, so does the consequence of any single point of failure, whether that failure originates from an external intrusion, a misconfigured API, or a compromised vendor credential.
Kaspersky reported over 20 million cyber attacks targeting Indonesia in a single year, spanning phishing, insider threats, remote desktop protocol exploitation, and ransomware. Phishing remains the highest-volume entry point, but its sophistication has increased considerably. Attackers now deploy personalised lures derived from publicly available employee data, making generic awareness training insufficient for frontline banking staff.
Privileged access remains one of the most underestimated risks in financial institutions. Staff with access to core systems, customer records, and transaction data present an exposure that perimeter controls cannot fully address. Weak identity governance, infrequent access reviews, and poorly defined offboarding procedures routinely leave residual access active well beyond its legitimate purpose.
Indonesia’s National Cyber and Crypto Agency recorded 5.2 billion internet traffic incidents in 2025, 94% of which involved high-risk malware capable of evolving into ransomware attacks. Criminals are increasingly using AI to launch more sophisticated and harder-to-detect attacks. Supply chain intrusions, where adversaries compromise third-party vendors to reach financial institutions indirectly, are now a documented pattern rather than a theoretical concern across the region.
Indonesia’s financial cybersecurity regulation has become meaningfully specific. Bank Indonesia’s Regulation 2/2024 mandates that payment system operators, money market participants, and foreign exchange businesses implement formal information system security and cyber resilience programmes. OJK’s POJK No. 11/POJK.03/2022 requires financial institutions to build a comprehensive cybersecurity framework, with annual maturity evaluations covering governance, operational monitoring, training, resilience, and data protection.
SEOJK No. 29/SEOJK.03/2022 covers end-to-end cybersecurity topics structured to help each bank understand its inherent cyber risk and prioritise the controls required to manage it accordingly. These domestic regulations align closely with ISO/IEC 27001, the NIST Cybersecurity Framework, and the Basel Committee’s operational resilience principles, providing institutions with regional operations and a workable compliance baseline across jurisdictions.
To address Indonesia-specific financial sector attack patterns, prioritise these security investments:
Systemic cyber threats in Indonesia require a response that extends beyond individual institutions. Bank Indonesia developed the Indonesian Payment System Blueprint 2030 to strengthen institutional collaboration and reinforce the security of the national payment system. Structured threat intelligence sharing between banks, fintech operators, and BSSN creates collective early warning capability that no single organisation can replicate independently. When institutions coordinate on incident response frameworks and share indicators of compromise in near real time, they shift the asymmetry of the threat landscape in favour of defenders rather than attackers.
IndoSec 2026, one of Indonesia’s leading cybersecurity summits, returns to Jakarta on 15–16 September 2026 at The Ritz-Carlton, Pacific Place — bringing together cybersecurity experts, government officials, industry leaders, and technology innovators for two days of substantive discussion, networking, and solution showcases.
With over 2,000 cybersecurity professionals expected, including senior officials from BSSN and KOMDIGI, and C-level executives from Indonesia’s leading enterprises, the summit is where the country’s security agenda takes shape.
For those responsible for protecting financial infrastructure, this is the room to be in. Register today!
Why is Indonesia’s financial sector a primary cyber target?
Rapid growth in digital payments, expanding API ecosystems, and large retail user bases create an extensive attack surface for financially motivated actors.
What regulations govern Indonesian banking cybersecurity?
OJK’s POJK No. 11/POJK.03/2022 and SEOJK No. 29/SEOJK.03/2022, plus Bank Indonesia’s Regulation 2/2024, set the compliance standards.
How do attacks impact digital payments?
They disrupt processing, expose data, cause regulatory penalties, and erode public trust.
What is the role of Zero Trust?
It mandates continuous verification for all users and devices, preventing lateral movement within networks.
Who should attend IndoSec 2026?
CISOs, compliance officers, digital banking heads, and leaders responsible for payment security and regulatory obligations.