Around June 2024, we were shocked to hear the news regarding the data breach at our national data center. In the subsequent weeks, we continued to hear updates about mitigation efforts, government action and eventually the so-called conclusion of the case. However, while the incident has been relatively settled, we believe that the event presents a timely opportunity to revisit the relevant regulations with respect to the actions required to mitigate or remedy a failure to protect personal data.
As an overall regulatory framework, regulations pertaining to personal data protection are mainly governed under Law No. 27 of 2022 on Personal Data Protection. Other aspects of the regulations are dispersed in the ITE Law, government regulations and ministerial/institutional regulations.
In this alert, we would like to focus on regulations issued by Indonesia’s Cyber and Crypto Agency (Badan Siber dan Sandi Negara, or “BSSN”). Since BSSN is the institution tasked with national cyber security and protection under Presidential Regulation No. 28 of 2021 on BSSN, the regulations it issues are particularly relevant when discussing data breaches.
Earlier in 2024, BSSN issued two regulations, namely BSSN Regulation No. 1 of 2024 on Cyber Incident Management (“Reg 1/2024”) and BSSN Regulation No. 2 of 2024 on Cyber Crisis Management (“Reg 2/2024”). Both regulations primarily mandate the establishment of mechanisms to manage cyber incidents and cyber crises, among others by forming a Cyber Incident Response Team (Tim Tanggap Insiden Siber, or “TTIS”) at each of the national, sectoral and organizational levels.
Applicability
Although mainly directed at government institutions, Reg 1/2024 and Reg 2/2024 also apply to the private sector to a certain extent. It is stipulated that if a cyber crisis extends to a breach of data managed or held by a private electronic system provider (Penyelenggara Sistem Elektronik, or “PSE”), the regulations require that the PSE also maintain an internal mechanism and a TTIS.
Fundamental Terms
Reg 1/2024 and Reg 2/2024 introduce two main terms respectively, namely Cyber Incident and Cyber Crisis. A Cyber Incident refers to an individual event or a series of events that disrupt or threaten the operation of electronic systems. In contrast, a Cyber Crisis pertains to an emergency situation resulting from national-level Cyber Incidents that impact the country’s overall safety, integrity and sovereignty. The latter has a higher threshold to be established. The distinction determines the measures that must be undertaken to manage each type of event.
Cyber Incident Management
When a Cyber Incident arises, the TTIS is tasked with taking measures that mainly consist of:
1. Reporting Cyber Incident
Every Cyber Incident must be reported by the organization's TTIS to the sectoral TTIS, with a copy to the national TTIS. The determination of a Cyber Incident is based on the detection results of the TTIS, analysis of Cyber Incidents based on reports from system owners or the public, and/or alerts issued by the national TTIS upon confirmation as a Cyber Incident. Reported Cyber Incidents must have at least a high risk level.
2. Handling Cyber Incident
a. Severity Assessment
The severity of the Cyber Incident will first be assessed, considering factors such as the number of affected organizations or sectors and its impact on Vital Information Infrastructure (Infrastruktur Informasi Vital, or “IIV”). Disruptions to this electronic system infrastructure have profound implications for public interests, public services, defense, security and the national economy. The assessed magnitude of the incident will then dictate which TTIS oversees its management.
b. Implementation of Measures
Once the severity has been determined, the designated TTIS will implement at least the following measures:
i. Formulating Cyber Incident response and recovery plans;
ii. Analyzing and reporting on Cyber Incidents;
iii. Implementing Cyber Incident response and recovery actions; and
iv. Enhancing security measures post Cyber Incident.
c. Communication and Information Distribution
After the Cyber Incident has been contained, the TTIS is required to distribute information to the affected parties concerning various aspects of the Cyber Incident. This information includes the types of Cyber Incident indications, the information distribution codes and the affected systems or assets.
Cyber Crisis Management
Cyber Crisis management is conducted in three stages: pre-crisis, during crisis and post-crisis. This protocol applies to TTIS at each respective level.
1. Pre-Cyber Crisis Measures
a. Cyber Incident response
b. Early warning of Cyber Crisis
i. Based on the criteria for declaring a Cyber Crisis, the national TTIS will assess the potential for a Cyber Crisis and report its findings to the Head of BSSN.
ii. The national TTIS will issue warnings to PSE (including private PSE) regarding the escalation of Cyber Incident that could lead to a Cyber Crisis. These warnings may be delivered in various forms such as notifications, security advisory documents or other media.
iii. The PSE is required to act on these warnings and to periodically report its actions to the national TTIS.
c. Declaration of Cyber Crisis status
Upon the proposal of the Head of BSSN, the President declares the Cyber Crisis status and establishes a Cyber Crisis task force.
2. Measures During Cyber-Crisis
a. Cyber Crisis Mitigation Measure
The affected PSE (including private PSE) must carry out countermeasure activities, which include:
i. Identifying and analyzing the scope of electronic systems affected by the Cyber Crisis;
ii. Isolating electronic systems affected by the Cyber Crisis;
iii. Collecting and preserving evidence from electronic systems affected by the Cyber Crisis;
iv. Investigating and eradicating the cause of the Cyber Crisis;
v. Strengthening systems that are not affected by the Cyber Crisis; and
vi. Coordinating with stakeholders to implement Cyber Crisis communication protocols and control information released to the public.
b. Cyber Crisis Recovery
The PSE facilitates the recovery of affected electronic systems by restoring data and systems or by utilizing backups and/or alternative resources. Following the recovery efforts, the PSE retests vital and supporting functions against the goals outlined in the Cyber Crisis Contingency Plan, including recovery time, the amount of recovered data and the restoration of vital and supporting functions. To ensure that the recovery objectives are met, the Cyber Crisis task force must supervise and coordinate with the PSE.
c. Cyber Crisis Mitigation Report
The Cyber Crisis task force then compiles periodic and final reports on Cyber Crisis management, which are subsequently submitted to the President. The final report must include an analysis discussing the achievements of Cyber Crisis management and recommendations for follow-up actions.
d. Termination of Cyber Crisis Status
Based on the Cyber Crisis task force's report, the President will terminate the Cyber Crisis status.
3. Post-Cyber Crisis Measures
a. Estimation of damage and losses
This includes evaluating asset damage, calculating economic losses due to asset damage and assessing reputational decline.
i. Asset damage assessment will adhere to the asset management provisions applicable to the affected PSE, or compare the value of the damaged assets with their pre-Cyber Crisis worth.
ii. Economic losses from asset damage will be quantified by assessing the economic benefits that would have been realized if the electronic system had been functioning properly.
iii. Reputational decline will be determined by public perception.
b. Estimation of recovery costs
This includes estimating the costs required to restore electronic systems to their pre-Cyber Crisis condition.
c. Calculation of casualties, missing and injured
This includes calculating the total number of casualties, missing persons and injured individuals.
d. Evaluation of Cyber Crisis management efforts
The evaluation results will serve as the basis for improving the Cyber Crisis Contingency Plan and as considerations for making cybersecurity policy decisions.