A System Failure, Not Just a Glitch
When Bank DKI’s systems failed right before Eid celebrations, it wasn’t just a bad day at work — it was a systemic failure.
From frozen mobile apps to interrupted QRIS services, Bank DKI showed just how vulnerable a major regional bank could be in the digital age. Worse, this wasn’t their first rodeo. In fact, three major outages in last 6 months — culminating in the firing of their IT Director — expose deeper cracks than what press releases admit.
OJK tried to soften the blow, saying Bank DKI’s data and customer funds were still “safe,” but for IT professionals, the real question isn’t about what was saved, it’s about what almost broke.
If a “minor” internal maintenance misfire can disable an entire banking system for over a week, imagine the impact of a real cyberattack.
The Leadership Gap in IT Risk Management
Indonesia’s public sector, including many regional banks (BPDs), still treats IT as a cost center, not a strategic asset. At Bank DKI, top management only responded with drastic action — firing the IT Director — after disaster struck. There was no visible culture of continuous resilience testing, penetration testing, or disaster recovery drills.
For a bank that’s flirting with an IPO dream, that’s unacceptable.
Strong IT governance isn’t a luxury; it’s a listing requirement.
Without top-down commitment to cybersecurity, patchwork IT budgets and overworked sysadmins are left trying to hold together fragile systems with duct tape and hope.
Indonesia’s Cybersecurity Problem is Budgetary, Not Technical
Let’s be real: Indonesian IT professionals aren’t lacking skills.
Many can build world-class security architectures — if given proper budgets and support.
But year after year, especially in government-related institutions, cybersecurity gets token funding.
- Comprehensive audits? “Terlalu mahal.”
- Penetration tests? “Nanti saja kalau mau IPO.”
- 24/7 Security Operations Center (SOC)? “Tidak urgent sekarang.”
And so the cycle continues, until the inevitable happens: critical failures, public outrage, resignations.
Bank DKI’s experience shows what happens when cybersecurity is left undervalued and reactive. And unless something changes, dozens of other BPDs are sitting on the exact same ticking time bomb.
Predictions: The Road Ahead for BPDs
Here’s the harsh forecast:
- IPO dreams will be delayed unless operational risks (especially IT risks) are demonstrably controlled.
- Cyberattacks targeting weak BPDs will rise. Opportunistic attackers will exploit outdated systems, seeing them as low-hanging fruit.
- Public trust erosion will accelerate every time a “small” IT incident turns into a week-long operational shutdown.
- OJK’s audits will tighten, forcing BPDs to either invest or risk severe regulatory penalties.
The market will start favoring banks — even smaller ones — that can prove their IT resilience, not just promise it in press conferences.
Recommendations: What Needs to Happen (Now, Not Later)
For Bank DKI and other public-sector banks eyeing survival in the digital economy, here’s a non-negotiable checklist:
- Budget Realignment
Minimum 10–15% of annual IT budget should go to security and resilience initiatives, including mandatory incident response drills. - Independent Cyber Risk Audits
No more in-house-only reviews. External, brutal audits must be routine — with results reported directly to top leadership and OJK. - 24/7 SOC Deployment
A modern SOC with threat intelligence capabilities must be in place, capable of real-time detection and response. - Board-Level Cyber Literacy
Directors must understand cyber risks, not just leave it to “the IT guys.” Cybersecurity needs to be a boardroom conversation every quarter. - Business Continuity and Disaster Recovery (BCP/DRP) Drills
Test them before disasters happen. Simulate outages, ransomware attacks, insider threats — and measure response times. - Public Transparency
If an incident happens, communicate early, clearly, and honestly. Half-truths or delays only worsen public perception and regulatory scrutiny.
Final Words
Bank DKI’s failure was not an isolated freak event. It’s a warning shot for every regional bank, and frankly, for every government agency flirting with digital transformation without taking cybersecurity seriously.
The real question is: will Indonesia’s leaders listen before the next disaster strikes?
Terjemahan Bahasa Indonesia
Jebolnya Sistem Bank DKI: Alarm Besar untuk Sektor Perbankan Publik Indonesia
Bukan Sekadar Error, Ini Kegagalan Sistemik
Ketika sistem Bank DKI tumbang menjelang malam takbiran, ini bukan sekadar “gangguan kecil” — ini adalah kegagalan sistemik.
Mulai dari aplikasi mobile yang freeze, QRIS yang lumpuh, hingga ATM yang error, Bank DKI memperlihatkan betapa rentannya bank daerah besar di era digital.
Yang lebih parah, ini bukan kejadian pertama. Tiga kali layanan bermasalah dalam 6 bulan terakhir — dan akhirnya berujung pada pemecatan Direktur IT mereka — menunjukkan keretakan lebih dalam daripada sekadar “human error”.
OJK memang berusaha menenangkan publik, bilang bahwa data dan dana nasabah tetap “aman”, tapi buat profesional IT, pertanyaan pentingnya bukan apa yang selamat, melainkan seberapa dekat bank ini nyaris kolaps total.
Kalau sekadar kesalahan internal maintenance saja bisa melumpuhkan layanan selama lebih dari seminggu, bayangkan apa yang bisa dilakukan oleh serangan siber sungguhan.
Kepemimpinan Lemah dalam Manajemen Risiko IT
Masalah utamanya bukan di teknis semata, melainkan di budaya manajemen.
Bank DKI — dan banyak BPD lain — masih menganggap IT sebagai biaya, bukan aset strategis. Di Bank DKI, manajemen baru bereaksi serius — dengan memecat Direktur IT — setelah insiden besar terjadi. Tidak ada tanda-tanda budaya resilience testing berkala, penetration testing serius, atau disaster recovery drill yang rutin.
Kalau Bank DKI serius mau IPO, cara berpikir seperti ini harus berubah total.
IT Governance itu bukan pelengkap, tapi syarat utama untuk bisa bersaing dan dipercaya pasar.
Masalah Utama Cybersecurity Indonesia: Anggaran, Bukan Skill
Realitanya: profesional IT Indonesia tidak kalah pintar dari negara maju.
Kita bisa membangun sistem keamanan kelas dunia — asal diberikan anggaran dan dukungan yang serius.
Tapi kenyataannya, terutama di sektor publik:
- Audit keamanan lengkap? “Mahal, nanti saja.”
- Penetration test? “Belum perlu, tunggu dekat IPO.”
- Bangun SOC 24/7? “Nggak urgent sekarang.”
Akhirnya, siklusnya selalu berulang: insiden besar → panik → mencari kambing hitam → ganti orang → lalu lupa lagi.
Kasus Bank DKI ini membuktikan satu hal: ketidakseriusan dalam cybersecurity itu bukan cuma berisiko, tapi pasti berakibat.
Kalau pola ini tidak berubah, banyak BPD lain yang sebenarnya sudah duduk di atas bom waktu yang tinggal tunggu meledak.
Prediksi: Apa yang Akan Terjadi Selanjutnya
Sedikit prediksi realistis:
- IPO Bank DKI kemungkinan akan tertunda sampai mereka bisa membuktikan kendali risiko operasional yang lebih baik.
- Serangan siber ke BPD akan meningkat — hacker tahu bank-bank daerah ini sistemnya banyak yang jadul dan minim proteksi.
- Kepercayaan publik akan terus turun tiap kali ada insiden yang ditangani setengah hati.
- Audit OJK akan makin ketat, memaksa BPD untuk mau tidak mau memperbaiki sistem, atau bersiap kena sanksi.
Kedepannya, hanya bank yang bisa membuktikan ketahanan IT mereka yang akan bertahan, bukan yang sekadar jualan “komitmen” di konferensi pers.
Rekomendasi: Yang Harus Dilakukan (Sekarang, Bukan Nanti)
Untuk Bank DKI dan semua bank publik lainnya, berikut daftar tugas wajib:
- Realokasi Anggaran
Minimal 10–15% dari total belanja IT harus dialokasikan khusus untuk cybersecurity dan business resilience. - Audit Cyber Risk Independen
Audit internal tidak cukup. Harus rutin mengundang pihak eksternal untuk menguji sistem secara brutal dan jujur. - Bangun SOC 24/7
Security Operations Center modern dengan deteksi real-time adalah harga mati, bukan opsional. - Literasi Cybersecurity di Level Direksi
Risiko siber harus dibahas di rapat Direksi, minimal setiap kuartal, bukan cuma dilempar ke “anak IT.” - Latihan BCP/DRP Rutin
Uji kemampuan pulih dari bencana siber lewat simulasi nyata — ransomware, outage massal, insider threat, dan lainnya. - Transparansi ke Publik
Kalau ada insiden, jangan nunggu viral baru bereaksi. Sampaikan dengan cepat, jujur, dan jelas.
Penutup
Kasus Bank DKI bukan kecelakaan satu kali. Ini adalah alarm keras untuk seluruh BPD dan instansi pemerintah yang mau go-digital tapi malas investasi di keamanan.
Pertanyaannya sekarang: Apakah para pemimpin di Indonesia mau mendengar sebelum bencana berikutnya terjadi?
References:
OJK Statement Regarding the Incident
OJK emphasized that all regional banks are required to implement IT risk management in accordance with the applicable POJK and SEOJK ( Regarding Bank DKI System Disruption, OJK Says This | Infobanknews ). OJK’s Head of Banking Supervision Dian Ediana Rae even said that her party routinely checks the resilience of BPD’s IT system to ensure that this is implemented ( Regarding Bank DKI System Disruption, OJK Says This | Infobanknews ). Even so, OJK Chairman Mahendra Siregar said that there had been no official submission for Bank DKI’s IPO, but OJK supports the plan to strengthen capital through the IPO ( OJK Boss Encourages Bank DKI to IPO Immediately ). OJK’s statement also highlights that the digitalization of regional banks must be balanced with a reliable and secure system.
Bank DKI’s Actions After the Disturbance
( After Disruption, Interbank Transactions via Bank DKI Return to Normal ) Bank DKI responded quickly to this situation by issuing an official apology to customers and opening a complaint channel through the call center and branch offices to accommodate complaints ( There is System Maintenance, Bank DKI Operates Branch Offices to Call Centers Page all – Kompas.com ). The management confirmed that customer funds and data remain safe ( There is System Maintenance, Bank DKI Operates Branch Offices to Call Centers Page all – Kompas.com ) ( Bank DKI Ensures Customer Data and Funds Are Safe After System Disruption ) and has accelerated system repairs. President Director Agus H. Widodo stated that Bank DKI will strengthen the quality and security of its system, conduct a thorough audit and intensive coordination with authorities such as OJK and BI in the recovery process ( After Disruption, Interbank Transactions via Bank DKI Return to Normal ) ( After Disruption Since Takbiran Night, Bank DKI Interbank Transfer Services Can Now Be Accessed at ATMs ). He also appreciated the patience of customers during the maintenance process, while ensuring that IT system monitoring was running continuously.
Chronology of Disturbances and Dismissals
( Interbank Transactions at Bank DKI ATMs Back in Action Page all – Kompas.com ) Several complaints point to the night of takbiran on March 30, 2025, when customers were unable to make cross-bank transfers via the JakOne application or QRIS payments ( There is System Maintenance, Bank DKI Operates Branch Offices to Call Centers Page all – Kompas.com ) ( After Being Disrupted Since Takbiran Night, Bank DKI’s Interbank Transfer Service Can Now Be Accessed at ATMs ). A similar situation continued during the Eid holiday, sparking public anger and prompting DKI Governor Pramono Anung to summon the board of directors of Bank DKI to find a solution on April 8 ( Aftermath of Bank DKI’s System Disruption, Pramono Summons Directors ). The next day, Pramono officially fired Bank DKI’s Director of Information Technology, Amirul Wicaksono, saying that the incident had occurred three times and indicated poor IT management ( Pramono Fires Amirul Wicaksono from the Position of IT Director of Bank DKI, What’s the Reason? Page all – Kompas.com ). This incident was in the spotlight especially because the repair process took more than a week before all services were restored.
Bank DKI IPO Plan Status
Meanwhile, Bank DKI’s IPO plan is still hanging. OJK said that there has been no official submission from Bank DKI for an IPO to date ( OJK Has Not Received Bank DKI’s IPO Submission ), although the regulator is encouraging efforts to strengthen the capital. Governor Pramono Anung urged that Bank DKI’s digital system be immediately fixed so that the IPO is not hampered by service disruptions like this ( OJK Boss Encourages Bank DKI to IPO Immediately ). Previously, President Director Agus Widodo also stated that Bank DKI was conducting a fundamental assessment of the company, but had not yet set a definite schedule for the IPO ( OJK Has Not Received Bank DKI’s IPO Submission ). With system problems that have not been fully resolved, the IPO process—which was initially targeted to help Bank DKI’s capital—seems uncertain.
Bank DKI Service Disruption Track Record
The history of similar system disruptions is not new to Bank DKI. Kompas reported that Bank DKI has experienced at least three major disruptions in recent years, including the most recent case during Eid al-Fitr 2025 ( Three Times Bank DKI Falls into the Same Hole ). This disruption even caused a ‘leakage of company funds’ (not customer funds), so the DKI Provincial Government involved an independent auditor and reported the case to the National Police Criminal Investigation Unit ( Three Times Bank DKI Falls into the Same Hole ) ( Three Times Bank DKI Falls into the Same Hole ). The provincial government’s statement, which continues to emphasize that customers are not harmed ( Aftermath of Bank DKI System Disruption, Pramono Summons Directors ) ( Three Times Bank DKI Falls into the Same Hole ) is important to calm the public, but the frequency of repeated incidents raises big questions about the competence of Bank DKI’s IT team and internal supervision.
Cyber Security Notes and Implications
The repeated incidents at Bank DKI show the weak points of IT governance in regional banks. The OJK has indeed emphasized that BPDs are required to manage IT risks in accordance with POJK and SEOJK ( Regarding Bank DKI System Disruptions, OJK Says This | Infobanknews ), but real practice shows that implementation in the field is not optimal. Bank DKI itself said that the last disruption occurred due to the ‘automatic security maintenance feature’ which was activated as protection against service stability ( Three Times Bank DKI Fell into the Same Hole ), but this explanation actually indicates that their infrastructure is still fragile. For IT professionals, this case is like an alarm: without a strong budget commitment and policy for cybersecurity, similar problems could recur in other public institutions. The Indonesian government needs to increase attention and budget for critical IT infrastructure — including regional banks — because the reliability of the public banking system is crucial to public trust and the stability of the national financial system.