THE GROWING CYBERSECURITY THREAT TO STATE-OWNED ENTERPRISES
With rapid digital transformation, Indonesia’s State-Owned Enterprises (SOEs) are increasingly vulnerable to cyber threats. Critical sectors like finance, energy, and telecommunications store vast amounts of sensitive data, making them prime targets for cyberattacks. The rise of ransomware, data breaches, and other cyber incidents highlights the need for a strong cybersecurity framework to protect national assets.
To address this, the Minister of SOEs has issued Decree SK-275/MBU/11/2024, mandating SOEs to implement cybersecurity measures that strengthen resilience and safeguard operations.
Key Directives of Ministerial Decree SK-275
The new regulation sets forth clear cybersecurity mandates for SOEs:
Implementation of 15 Essential Cybersecurity Controls
SOEs must integrate these controls across five key areas:
These controls ensure a layered defense against cyber threats and minimize operational disruptions.
Adoption of International Cybersecurity Standards
SOEs are encouraged to align security frameworks with internationally recognized standards, including:
- ISO 27001 (Information Security Management System)
- NIST Cybersecurity Framework (National Institute of Standards and Technology)
- CIS Controls (Center for Internet Security Best Practices)
Following these standards helps SOEs benchmark their security maturity and apply recognized best practices.
Risk Assessment of Non-Implemented Controls
If certain security measures cannot be immediately implemented, SOEs must conduct risk assessments covering:
- Risk Appetite: Define acceptable risk levels.
- Risk Treatment Plans: Outline mitigation, transfer, or acceptance strategies.
- Risk Mitigation: Implement countermeasures to reduce cyber threats.
This ensures security strategies align with each SOE’s operational structure while maintaining compliance.
Strengthening Cyber Resilience Through Collaboration
The decree highlights:
- Cross-SOE Collaboration: Sharing threat intelligence and best practices.
- Annual Cybersecurity Reporting: Mandatory submission of security reports.
- Advanced Security Technologies: Encouraging tools like Security Information & Event Management (SIEM), Privileged Access Management (PAM), and Endpoint Detection & Response (EDR/XDR) solutions.
Integration with PER-2/MBU/03/2023: A Governance Perspective
Ministerial Decree PER-2/MBU/03/2023 establishes governance principles for SOEs, covering corporate governance, risk management, and IT governance. This regulation aims to ensure structured risk management, transparency, and regulatory compliance, particularly in IT governance, which directly aligns with SK-275’s cybersecurity mandates.
Key alignments between PER-2/MBU/03/2023 and SK-275 include:
- Corporate Governance & Cybersecurity Integration: PER-2 mandates the establishment of governance structures, while SK-275 specifies how cybersecurity should be embedded into those structures.
- IT Risk Management: PER-2 emphasizes IT risk management as a critical corporate function, supporting SK-275’s risk assessment requirement for cybersecurity controls.
- Compliance with International Standards: PER-2 sets broad IT governance policies, while SK-275 translates these into actionable controls aligned with ISO 27001 and NIST CSF.
By ensuring cybersecurity is embedded within broader corporate governance policies, these regulations collectively enhance SOEs' resilience against evolving cyber threats.
Implications for SOEs
While compliance requires investment, it also presents opportunities. Key takeaways include:
- Cybersecurity as a Business Priority: Not just a compliance requirement but a fundamental risk management function.
- Investment in Cybersecurity Talent & Infrastructure: Building a skilled workforce and modernizing security infrastructure.
- Leveraging AI & Automation: Enhancing detection, incident response, and risk management with cutting-edge technology.
- Compliance as a Competitive Advantage: SOEs that implement these measures will lead in cybersecurity governance and earn stakeholder confidence.
Conclusion: Enhancing Cyber Resilience to Meet Regulatory Expectations
Ministerial Decree SK-275 is a pivotal step in strengthening cybersecurity for SOEs. To achieve compliance and long-term resilience, organizations should focus on:
- Cyber Risk Assessments & Gap Analysis: Identifying vulnerabilities and ensuring alignment with regulations.
- Implementing Global Cybersecurity Standards: Strengthening security posture with ISO 27001 and NIST frameworks.
- Incident Response & Crisis Management: Establishing robust mechanisms for rapid threat detection and response.
- Security Governance & Compliance Advisory: Developing policies that support long-term resilience.
- Penetration Testing & Threat Intelligence: Simulating cyber threats to uncover vulnerabilities.
- Employee Training & Awareness Programs: Fostering a cybersecurity-conscious culture.
By adopting these approaches, SOEs can not only meet regulatory requirements but also build a resilient cybersecurity framework that protects national assets and business continuity.
By Erikman D Pardamean, Technology Risk Consulting Practice