From Wave to Shield: Balancing Innovation and Consumer Protection in Finance

The acceleration of technology is no longer theoretical; it is a lived reality. What felt futuristic five years ago is now part of daily life: artificial intelligence, quantum experimentation, and advanced automation are reshaping economies and societies. Yet every powerful wave brings undercurrents. For financial systems, the promise of broader inclusion rides beside the peril of increasingly sophisticated cybercrime. How nations navigate that tension will determine whether technology becomes an engine of shared prosperity or a force that erodes trust and stability.

The scale of the threat is stark. Recent global analyses show ransomware now figures in a substantial share of data breaches, signaling a maturation of criminal tools and business models built around extortion. In the 2025 Data Breach Investigations Report, ransomware was implicated in roughly 44 percent of the incidents analyzed, a reminder that attackers are weaponizing innovation at speed. At the same time, the direct financial impact is material: the 2025 Cost of a Data Breach report estimates the global average cost of a breach at about US$4.4 million per incident. In Indonesia, national monitoring also records an alarming rise in malicious activity, with hundreds of millions of anomalous events recorded in recent reporting periods. These figures are not abstractions; they translate into drained accounts, interrupted services, reputational damage, and, ultimately, a setback for inclusive finance if unaddressed.

Governments and regulators are not standing still. Indonesia’s financial and cybersecurity authorities have rolled out frameworks and operational measures that reflect a strategic pivot to defense. The Financial Services Authority (OJK) has issued explicit governance guidance for the use of AI in banking, while Bank Indonesia and other agencies have advanced early warning and rapid-response systems that apply machine learning to detect and block illicit flows. Regulatory instruments, from licensing rules to consumer protection mandates, provide essential legal scaffolding. Yet rules alone are insufficient: enforcement, technical capacity, and cross-sector coordination are the levers that turn policy into protection.

If technology is the arena of risk, it must also be the primary means of defense. A layered approach is nonnegotiable. At the architectural level, modern cryptographic techniques, including end-to-end encryption and zero-knowledge proofs, should be built into payment rails and identity systems, ensuring that verification does not require exposing sensitive data unnecessarily. Multi-factor authentication, hardened cloud deployment, API protection, and continuous anomaly monitoring driven by machine learning are equally fundamental. These capabilities are not hypothetical: they are the practical tools that allow institutions to detect, contain, and recover from attacks more quickly. Stanford cryptographers and practitioners have long urged that security be baked into system design rather than bolted on after compromise, a lesson the industry must heed.

Adoption, however, is uneven. Regional surveys indicate a surge in cyber budgets across Asia Pacific. Roughly 84 percent of organizations reported increased cyber spending in recent years, yet capability gaps remain, particularly outside major urban centers. Large banks and fintech incumbents often lead in implementation, while smaller banks, rural branches, and nascent startups can lag due to constrained budgets, talent shortages, or legacy systems. That unevenness creates systemic vulnerability: attackers can shift to weaker nodes, and contagion risk rises. Closing this gap requires targeted policies that pair technical standards with fiscal and capacity support.

Practical policy design must therefore combine four mutually reinforcing pillars. First, set clear, measurable security standards and compliance timelines for all regulated financial entities, not only large banks but also rural cooperatives and licensed fintechs. These standards should mandate baseline controls (encryption, MFA, secure API practices) and progressive requirements such as zero-trust segmentation and privacy-preserving analytics. Second, provide fiscal incentives and blended financing to underwrite upgrades: tax credits, matching grants, or concessional loan facilities can lower the barrier for community banks and small fintechs to modernize. Third, scale human capital programs: national cybersecurity fellowships, vocational tracks for SOC analysts and incident responders, and mandated continuing education for IT staff will grow the talent pipeline. Fourth, expand national operational capacity: consolidated threat-sharing platforms, a well-resourced national CERT, and cross-border intelligence cooperation will raise the cost of attack and shorten response windows.

These pillars are complementary. For example, a regulatory requirement that a bank implement anomaly detection is far more effective if that bank can access subsidized cloud infrastructure and train engineers through accredited programs. Similarly, a national blacklist or automated reporting protocol is useful only if law enforcement and interagency partners can act on leads promptly and internationally. Effective practice blends carrots and sticks: enforceable rules and penalties should coexist with technical assistance and financing to ensure compliance is feasible, not merely punitive.

Consumer empowerment is another essential ingredient. Governments, industry bodies, and civil society must run sustained literacy campaigns so that users recognize phishing, understand fraud reporting channels, and demand accountability when breaches occur. The most advanced technical stack cannot defend well against social engineering if end users are entirely unprepared. Public campaigns should be straightforward, multilingual, and delivered through trusted community channels and telecom partners to reach rural populations.

Importantly, policy must preserve room for innovation. Regulatory sandboxes that allow startups and incumbent institutions to trial secure new technologies, from secure multiparty computation to distributed ledger reconciliation, under supervised conditions can accelerate useful advances without exposing the system to unchecked risk. Such experimentation, combined with transparent evaluation and time-bound authorizations, will help scale promising approaches safely.

International cooperation amplifies national defenses. Cyber threats do not respect borders; intelligence sharing, joint exercises, and harmonized technical standards across regional partners increase deterrence and interoperability. Indonesia’s participation in regional cybersecurity forums and bilateral exchanges can facilitate rapid threat identification and collective mitigation, benefiting the entire region’s financial stability. Finally, governance must be measurable. Authorities should publish a straightforward scorecard: percentage of institutions with MFA implemented, proportion of payment traffic encrypted end-to-end, average detection time for incidents, and recovery targets. Concrete KPIs create accountability, guide investment, and help the public gauge progress.

Technology is not destiny in itself; it is a set of capabilities that must be steered by sound policy, technical rigor, and broad social investment. As economist Amartya Sen has argued, economic growth that ignores human development is brittle and unjust; likewise, digital progress that neglects protection undermines its own gains. When regulators, industry, academia, and citizens align, the tech wave can be ridden for shared benefit: a more inclusive, resilient financial system that extends opportunity without sacrificing safety.
