Shortly after the alleged incident, a bank representative explained that the bank was currently undergoing normalization with a primary focus on ensuring the safety of customers' funds and data.

While data breaches can occur in both private and public sectors, when a bank is hit by a cyberattack, it can send shockwaves rippling through the industry. Consumers might feel vulnerable as they question the security of their financial information and the banking industry's capacity to protect their data.

Recognizing the vital importance of trust in the banking sector, banks must take strategic measures promptly and implement a proper plan to restore trust. These moments of crisis present an opportunity for banks to demonstrate unwavering commitment to their customers and their dedication to cybersecurity.

There are several crucial steps banks must take to restore customer trust.

The first step is for banks to demonstrate their unwavering commitment to data privacy and to ensure their compliance with all provisions pertaining to cyber resilience and cybersecurity. In this regard, the Financial Services Authority (OJK) has issued a new regulation, namely POJK No. 11/2022, which addresses the implementation of information technology in commercial banks. It emphasizes the utmost importance of banks to strengthen their governance over implementation of information technology to effectively optimize resources and mitigate risks.

The regulation mandates banks to uphold cyber resilience by implementing specific processes to protect assets, detect cyber incidents and set response and recovery measures. Moreover, banks are required to conduct self-assessments to evaluate the maturity of their cybersecurity and report their results to the OJK. Additionally, banks must conduct cybersecurity testing and establish a dedicated unit to manage cyber resilience and security.

The regulation shows progress in existing regulations on cyber resilience in Indonesia, particularly in the banking sector. In the absence of a much-needed national cyber law, it provides a crucial measure for banks to enhance their preparedness in effectively tackling challenges in cyberspace.

The second step is for banks to demonstrate their capacity to contain and overcome the issues that have arisen. To achieve this, banks must first identify the root causes and factors, both internal and external, that contributed to the cyberattack.

Internally, one major issue could be weak cyber resilience. Inadequate security networks, outdated software and systems and insufficient protection against malware and other cyber threats can pose serious problems. Similarly, a shortage of skilled personnel or cybersecurity professionals can significantly impede a bank’s ability to safeguard their systems, data and confidential information from malicious cyber activities.

Externally, the prevalence of cybercrime is a growing concern in Indonesia, despite the government’s ongoing efforts. Cybercriminals employ various tactics to unlawfully obtain sensitive information and financial details.

Unfortunately, many people are still unaware of the risks associated with internet use, leading to a lack of caution in their online behavior. Individuals and untrained employees might engage in risky online practices, such as using weak passwords or sharing confidential information with unverified contacts. This leaves both individuals and businesses vulnerable to cyberattacks.

Once the causes are identified, the bank must assess the impacts. Cybercrimes can result in both direct and indirect losses for banks, either quantifiable or nonquantifiable. Direct losses may include investing in enhanced information security and costs related to replacing compromised systems. Indirect losses can materialize as missed business opportunities, legal costs and regulatory penalties. In addition, there are intangible losses, such as reputational damage and erosion of customer trust.

After determining the causes and impacts, the bank must initiate the recovery process following its established disaster recovery plan. A disaster recovery plan is a document outlining the procedures and steps for restoring essential data, hardware and software to enable it to resume critical business operations after disruption or disaster.

As stipulated in POJK No. 11/2022, banks must develop and implement a robust disaster recovery plan that ensures their operational continuity bank in the event of a disaster or disruption to the information technology facilities they use.

The third crucial step to restoring customer trust involves providing exceptional customer support and assistance to all affected customers. The Personal Data Protection (PDP) Law mandates that, in the event of a failure to protect customers’ personal data, a data controller must provide written notification within 3 x 24 hours to the data owners and relevant authorities.

This written notification should at least include the personal data that was disclosed, when and how the data was disclosed and the measures taken by the data controller to handle and recover the disclosed personal data.

Nevertheless, cyberattacks can leave customers feeling helpless and uncertain about the appropriate course of action. Therefore, banks must establish dedicated customer support channels to address their concerns, provide guidance and offer reassurances. A timely and empathetic response plays a pivotal role in restoring customers’ trust in banks and reaffirming banks’ commitment to customer satisfaction.

The road to overcoming cyber adversity is not without obstacles, but businesses that succeed in recovering their customers’ trust will ultimately thrive. Banks may rebuild their customers' trust and forge new bonds by openly acknowledging the incident and working with the authorities. They can achieve this by adopting further security measures, implementing proactive cybersecurity policies and improving customer care and literacy.

Restoring customer trust in the aftermath of a cyberattack involves more than simply mitigating the damage: It entails transforming adversity into a catalyst for growth. It presents an opportunity to show resilience, determination and a commitment to customer satisfaction.

By triumphing over cyber adversity, a bank can emerge as a beacon of trust, setting new standards for cybersecurity and inspiring confidence in consumers across the industry.

***

The writer is Legal and Corporate Secretary at Bank DBS Indonesia. The views expressed are personal.