Responsibilities of Boards of Directors and Commissioners After a Cyberattack: Fiduciary Duty and the Business Judgment Rule

Muhammad Arafat
Sigit Ugra Nugraha

Abstract

Digital transformation positions cyberattacks as a critical business risk, raising accountability questions at the board level. This article aims to (i) map the synergy between the legal frameworks of the Limited Liability Company Law (UU PT), the Personal Data Protection Law (UU PDP), and the Electronic Information and Transactions Law (UU ITE) and sectoral regulations in dividing the obligations for preventing, monitoring, and reporting cyber incidents; (ii) formulate operational parameters for when negligence in cybersecurity governance can be qualified as a breach of fiduciary duty (specifically the duty of care) to the point of implicating the personal liability of company organs and, in certain circumstances, the penetration of limited liability; and (iii) assess the limits of the applicability of the Business Judgment Rule (BJR) as a post-incident safe harbor through process-based evidence. This research uses a normative juridical method with three approaches: legislation (Law 40/2007 concerning Limited Liability Companies, Law 27/2022 concerning Personal Data Protection, the ITE Law and its amendments, and sectoral regulations), doctrinal (fiduciary duty and BJR), and limited comparative (GDPR and the Caremark doctrine regarding the duty of oversight). 
The research findings indicate that: (i) failure to establish and oversee an adequate cybersecurity system can be viewed as a breach of duty of care, and if accompanied by circumstances indicating abuse or bad faith can strengthen the basis for attribution of personal responsibility and open up the possibility of assessing the penetration of limited liability; (ii) BJR only protects decisions/supervision made in good faith, based on adequate information, free from conflicts of interest, and accompanied by proportional preventive measures; (iii) documented and deadline-sensitive compliance—including notification of data protection failures no later than 3x24 hours, reporting of financial services sector incidents, and disclosure of information to issuers regarding material facts—is a key evidentiary element for assessing the fairness of the process and the enforceability of BJR; and (iv) the NIST Cybersecurity Framework and ISO/IEC 27001 can be positioned as objective benchmarks for assessing compliance with prudential standards. These findings offer a simple supervisory adequacy test for courts and process documentation guidelines (process dossiers) for Directors and Boards of Commissioners to strengthen the defensibility of post-incident decisions and supervision.

Article Details

How to Cite
Arafat, M., & Ugra Nugraha, S. (2026). Responsibilities of Boards of Directors and Commissioners After a Cyberattack: Fiduciary Duty and the Business Judgment Rule. Equality : Journal of Law and Justice, 3(1), 26–49. https://doi.org/10.69836/equality-jlj.v3i1.511
Author Biographies

Muhammad Arafat, Universitas Islam Indonesia, Yogyakarta, Indonesia

Sigit Ugra Nugraha, Universitas Islam Indonesia, Yogyakarta, Indonesia
