Incident Management Framework under PBI 23/2021
PBI 23/2021 recognises that disruptions to payment services can have a significant financial and operational impact on customers and on the wider ecosystem. It therefore establishes a comprehensive incident management framework that requires PJP (Penyedia Jasa Pembayaran, payment service providers) to: (1) classify incidents by severity and impact, (2) report incidents to Bank Indonesia within mandatory timelines, (3) communicate transparently with affected customers, (4) document all incident details for investigation and learning, and (5) implement corrective measures to prevent recurrence.
The incident management framework draws on best practices from international standards such as ISO 27035 (Incident Management) and ITIL (Information Technology Infrastructure Library). Bank Indonesia also coordinates with BSSN (Badan Siber dan Sandi Negara, the Indonesian Cyber Security Agency) on significant cyber incidents. Incident management is not only reactive response but also proactive prevention and continuous improvement.
| KEY CONCEPT | The incident management lifecycle has five phases: (1) Detection: identifying that an incident has occurred; (2) Initial Response: containing the impact and mobilising the response team; (3) Investigation: determining the root cause and scope of impact; (4) Remediation: fixing the underlying issue and restoring normal operations; (5) Post-Incident Review: documenting lessons learned and implementing preventive measures. |
Incident Classification and Severity Assessment
PBI 23/2021 requires PJP to establish an incident classification framework that categorises incidents by severity and impact. A common framework uses a three-tier classification:
SEVERITY 1 (Critical): incidents that directly impact customer transaction processing or cause complete service unavailability. Examples: a system outage that prevents customers from initiating payments, a security breach that exposes customer data, fraud affecting a significant number of customers.
SEVERITY 2 (High): incidents that significantly degrade service or affect specific features without a complete outage. Examples: slow transaction processing, partial system unavailability for a specific customer segment, a security vulnerability that has not yet been exploited.
SEVERITY 3 (Medium/Low): incidents with limited impact, or that affect a limited number of customers or minor features. Examples: non-critical service degradation, minor usability issues, isolated transaction errors.
Mandatory Incident Reporting to Bank Indonesia
PJP must report incidents to Bank Indonesia within mandatory timelines that depend on the severity level. The reporting requirements are:
Severity 1 incidents: initial notification to Bank Indonesia is required within 1 hour of incident detection. The notification may be a simple alert that an incident has occurred, without detailed information. A full incident report covering root cause, impact scope and remediation timeline must be submitted within 4 business hours, or on the next business day if the incident occurs after hours.
Severity 2 incidents: initial notification is required within 3 business hours. The full report must be submitted within 1 business day.
Severity 3 incidents: consolidated reporting through periodic incident reports; no immediate notification is required unless the aggregate impact becomes significant.
Beyond the reporting timelines, PJP must also provide Bank Indonesia with updates on remediation progress and an incident closure notification once the incident is fully resolved and normal operations are restored. Bank Indonesia may request additional information or conduct its own investigation if the incident is significant or if a failure on the PJP's part contributed to it.
| IMPORTANT | Delayed incident reporting, or failure to report, can result in: (1) enforcement action by Bank Indonesia, including written warnings or fines; (2) increased regulatory scrutiny and a potential audit; (3) a requirement for the PJP to submit an incident management improvement plan; (4) reputational damage if the reporting delay becomes public. Bank Indonesia treats incident reporting timelines seriously as an indicator of the PJP's operational governance. |
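To make the Severity 1 and Severity 2 timelines above operational, the following is an added Python example (not from the regulation or from any PJP's tooling) that derives the initial-notification and full-report deadlines from the detection time and flags reports that were sent late or not at all. It assumes business hours of Monday to Friday 08:00-17:00 WIB, that an after-hours Severity 1 detection starts its 4-business-hour clock at the next business day's opening, and that "1 business day" means one 9-hour business day; the sample detection times are constructed.

```python
from datetime import datetime, time, timedelta

# Assumed business hours (the text above does not define them): Monday to Friday,
# 08:00-17:00 local time (WIB). Adjust these to the PJP's own calendar.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(17, 0)
BUSINESS_DAY_HOURS = 9  # assumption: "1 business day" == one 9-hour business day

# Constructed sample detection times (2024-01-15 is a Monday).
SEV1_WEEKEND_DETECTION = datetime(2024, 1, 13, 10, 0)  # Saturday: after-hours
SEV2_FRIDAY_DETECTION = datetime(2024, 1, 12, 15, 0)   # Friday 15:00: 2 business hours left

def _at(dt, t):
    return dt.replace(hour=t.hour, minute=t.minute, second=0, microsecond=0)

def next_business_start(dt):
    """First instant inside business hours at or after dt (skips nights and weekends)."""
    while not (dt.weekday() < 5 and BUSINESS_START <= dt.time() < BUSINESS_END):
        if dt.weekday() < 5 and dt.time() < BUSINESS_START:
            return _at(dt, BUSINESS_START)
        dt = _at(dt + timedelta(days=1), BUSINESS_START)
    return dt

def add_business_hours(dt, hours):
    """Advance dt by business hours; after-hours detection counts from the next business day's start."""
    remaining, cur = timedelta(hours=hours), next_business_start(dt)
    while remaining > timedelta(0):
        available = _at(cur, BUSINESS_END) - cur  # business time left today
        if remaining <= available:
            return cur + remaining
        remaining -= available
        cur = next_business_start(_at(cur, BUSINESS_END))
    return cur

def reporting_deadlines(detected, severity):
    """Initial-notification and full-report deadlines for Bank Indonesia by severity tier."""
    if severity == 1:  # 1 wall-clock hour; 4 business hours (next business day if after-hours)
        return {"initial": detected + timedelta(hours=1), "full": add_business_hours(detected, 4)}
    if severity == 2:  # 3 business hours; 1 business day
        return {"initial": add_business_hours(detected, 3),
                "full": add_business_hours(detected, BUSINESS_DAY_HOURS)}
    return {"initial": None, "full": None}  # Severity 3: consolidated in periodic reports

def overdue_reports(detected, severity, sent):
    """Stages whose report was sent after its deadline or never sent (sent[stage] is None)."""
    deadlines = reporting_deadlines(detected, severity)
    return [stage for stage, deadline in deadlines.items()
            if deadline is not None and (sent.get(stage) is None or sent[stage] > deadline)]
```

Feeding `overdue_reports` from the incident tracking system's "detected" and "report sent" timestamps gives a simple internal check that a Severity 1 or 2 report is still inside its window.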
Customer Communication and Transparency
Every incident with potential customer impact must be communicated to affected customers transparently and in a timely manner. The communication must cover: (1) acknowledgment that an incident has occurred, (2) a description of which services are affected, (3) the expected timeline for resolution, (4) actions customers can take (e.g., use alternative channels, contact customer service), (5) updates as remediation progresses, and (6) post-incident communication about the root cause and preventive measures.
Communication channels must be accessible and diverse enough to reach all affected customers: in-app notifications, SMS alerts, email, social media, website banners and the customer service hotline. PJP must avoid minimising the severity of the incident or making excuses, and instead give an honest assessment of the situation. For serious incidents (security breaches, extended outages), PJP may need to issue a press release or hold a media briefing to inform the public beyond their direct customers.
Incident Response Team and Escalation Procedures
PJP must establish a dedicated incident response team with clear roles and responsibilities. The team should include: (1) an Incident Commander who coordinates the overall response, (2) technical leads who investigate the technical aspects, (3) customer service representatives who handle customer communications, (4) management representatives who provide oversight and approve escalation decisions, and (5) communications/PR staff who prepare external communications.
Escalation procedures must define at what point an incident needs to be escalated to higher management and to Bank Indonesia. Clear decision points should be set: if the initial response does not stabilise the situation within a defined timeframe, the incident should be escalated; if the scope of impact grows beyond the initial assessment, escalation must occur; and if the incident indicates a security breach or a systemic issue, it must be escalated to Board level and to Bank Indonesia.
Service Restoration and Recovery Time Objectives
PJP must establish Service Level Agreements (SLAs) for incident resolution that define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). The RTO is the maximum acceptable downtime before a service must be restored (e.g., 4 hours for critical systems). The RPO is the maximum acceptable data loss (e.g., no more than 1 hour of transactions).
Service restoration procedures must be clearly documented and tested regularly. They should include: (1) prioritisation of recovery actions (restore critical services first, then non-critical ones), (2) validation procedures to confirm that services were restored correctly (no data corruption), (3) customer notification about the restoration, and (4) monitoring to ensure the recovered systems are stable. PJP must also maintain disaster recovery sites and backup systems to support rapid recovery in the event of a primary system failure.
| Severity Level | Characteristics | Initial Report Requirement | Full Report Requirement |
|---|---|---|---|
| Severity 1 (Critical) | Complete outage or major degradation affecting payments | Within 1 hour of detection | Within 4 hours or next business day |
| Severity 2 (High) | Significant service degradation or security vulnerability | Within 3 business hours | Within 1 business day |
| Severity 3 (Medium) | Limited impact incidents affecting few customers or minor features | No immediate reporting required | Consolidated in periodic incident reports |
| Severity 4 (Low) | Minimal impact incidents or non-critical issues | No reporting required | For information only in periodic reports if tracked |
Root Cause Analysis and Post-Incident Review
Once an incident has been resolved, PJP must conduct a thorough root cause analysis (RCA) to determine the underlying causes and contributing factors. The RCA should use a systematic methodology such as the "Five Whys" technique or fishbone analysis to trace back from observed symptoms to root causes. Root causes can include: technical failures (bugs in code, hardware failures), operational failures (misconfiguration, inadequate procedures), human factors (training gaps, fatigue) or external factors (third-party system failures).
The post-incident review must be held within a reasonable timeframe (typically within 5-10 business days for significant incidents) and must involve the relevant stakeholders from the technical teams, operations and management. The review must produce a detailed incident report that documents: (1) the timeline of events, (2) the impact assessment, (3) the root cause findings, (4) corrective action items, and (5) prevention measures to avoid similar incidents. PJP must track corrective actions through to completion and validate their effectiveness.
Cyber Incident Coordination with BSSN
For incidents involving cyber attacks or security breaches, PJP must coordinate with BSSN as the Indonesian Cyber Security Agency. BSSN has a national mandate to protect critical infrastructure, including payment systems. For serious cyber incidents, BSSN can provide incident investigation support and threat intelligence sharing. PJP must report significant cyber incidents to BSSN in line with the requirements set by BSSN.
Coordination with BSSN also covers participation in national incident response exercises and threat intelligence sharing forums. PJP are encouraged to implement the cybersecurity standards set by BSSN (e.g., SNI ISO/IEC 27001) and to participate in BSSN-managed security services where available.
Incident Trend Analysis and Continuous Improvement
PJP must maintain a comprehensive incident tracking system that captures all incidents and enables trend analysis. Regular analysis of incident data can reveal patterns such as recurring incidents that point to systemic issues, seasonal incidents tied to specific business cycles, or emerging threats that point to new vulnerabilities. Incident data should be reviewed quarterly or semi-annually to identify improvement opportunities.
Continuous improvement initiatives based on incident analysis can include: (1) infrastructure upgrades to improve reliability, (2) process improvements to reduce human error, (3) enhanced monitoring to detect issues earlier, (4) training to address skill gaps, and (5) vendor management improvements where incidents relate to third-party systems. PJP must communicate findings and improvement initiatives to Bank Indonesia through incident reports and periodic governance discussions.
| Incident Management Phase | Key Activities | Responsible Party | Timeline |
|---|---|---|---|
| Detection | Identify incident, activate incident response, notify management | Monitoring team / Operations team | Immediate |
| Initial Response | Assess impact, contain situation, notify Bank Indonesia (if required) | Incident Commander / Technical Leads | Within 1-3 hours depending on severity |
| Investigation | Determine root cause, assess scope of impact, evaluate financial impact | Technical team with specialist support | Within hours to few days |
| Remediation | Implement fixes, restore services, validate restoration, notify customers | Technical team with management oversight | Based on RTO targets (typically 4-24 hours) |
| Post-Incident | Conduct RCA, document lessons learned, implement corrective actions | Management team with full staff input | Within 5-10 business days for major incidents |
| Prevention | Track corrective actions, monitor effectiveness, communication updates | Designated management owner | Ongoing until closure confirmed |