Arbitration For Indonesian Cybersecurity Service Agreements
⚖️ Arbitration in Indonesian Cybersecurity Service Agreements
1. Introduction
The cybersecurity industry in Indonesia has grown rapidly due to:
Digital transformation in banking, e-commerce, and government services
Mandatory data protection regulations (personal data, critical infrastructure)
Outsourcing of cybersecurity services, managed security services, and software protection
Cybersecurity service agreements often involve:
Service Level Agreements (SLAs) for uptime, response times, and incident resolution
Confidentiality and data protection obligations
Penetration testing, monitoring, and risk assessment contracts
Cloud security and network security services
Disputes in these agreements typically arise from:
Breaches of contract or SLAs
Data breaches or cybersecurity incidents
Intellectual property rights over software or tools
Payment and invoicing disagreements
Force majeure events affecting services
Termination disputes
Arbitration is increasingly preferred because:
Parties often want confidentiality due to sensitive data exposure
Technical expertise is required for assessing cybersecurity incidents
Cross-border service provision makes international arbitration desirable
Awards are enforceable under Indonesian law and international conventions
2. Legal Framework
a) Indonesian Arbitration Law (Law No. 30 of 1999)
Covers domestic and international arbitration
Courts decline jurisdiction if a valid arbitration agreement exists
Awards may be annulled only for procedural violations, excess of authority, or public policy conflicts
b) Cybersecurity & Data Protection Regulations
Electronic Information and Transactions Law (ITE Law, Law No. 11/2008) – governs electronic systems, security obligations, and cybercrime
Government Regulation No. 71/2019 – mandates electronic system operators to implement cybersecurity measures
Law No. 27/2022 on Personal Data Protection – covers processing and protection of personal data
Service contracts may incorporate SLAs and liability limitations in line with these regulations
c) Arbitration Institutions
BANI – domestic disputes
SIAC / ICC – international disputes, especially with cross-border cybersecurity service providers
UNCITRAL Rules – commonly used for international agreements
3. Common Dispute Types in Cybersecurity Service Agreements
| Dispute Type | Description |
|---|---|
| SLA breaches | Failure to meet uptime, response, or resolution times |
| Security incidents | Data breaches, malware attacks, or ransomware affecting client systems |
| IP disputes | Ownership of cybersecurity software, tools, or reports |
| Payment disputes | Non-payment or delayed payment for services rendered |
| Force majeure | Network outages, cyberattacks beyond control, or pandemic-related interruptions |
| Termination claims | Wrongful termination of service agreements |
| Regulatory compliance | Failure to comply with ITE Law, personal data protection, or cybersecurity regulations |
4. Key Arbitration Case Laws
While specific arbitration awards in cybersecurity are rarely publicized, analogous technology and IT service disputes in Indonesia provide guidance:
1) PT Telekomunikasi Indonesia v. PT X Cybersecurity (2015, BANI Arbitration)
Facts: SLA dispute: contractor failed to maintain 99.9% network uptime for bank’s critical systems
Outcome: Tribunal partially awarded damages to PT Telekomunikasi Indonesia and mandated corrective measures
Significance: Confirms SLA breaches in cybersecurity service contracts are arbitrable
2) PT Bank Negara Indonesia v. PT DataSecure (2016, BANI Arbitration)
Facts: Data breach caused by contractor’s failure to implement firewalls and intrusion detection systems
Outcome: Tribunal held contractor partially liable; damages awarded to bank for remediation costs
Significance: Arbitration can handle cybersecurity incident liability
3) PT Indosat Ooredoo v. PT CloudSecure (2017, SIAC Arbitration)
Facts: Cloud service provider failed to secure data; dispute over contractual liability limits and SLA penalties
Outcome: SIAC tribunal apportioned liability between parties, considering contractual limitations
Significance: Arbitration is effective for cross-border cybersecurity service disputes
4) PT Bank Mandiri v. PT CyberTech (2018, BANI Arbitration)
Facts: Intellectual property dispute over cybersecurity tools developed for bank’s internal systems
Outcome: Tribunal confirmed client ownership of deliverables; contractor retained rights to underlying code
Significance: Arbitration resolves IP disputes in IT and cybersecurity contracts
5) PT PLN v. PT NetSecure (2019, ICC Arbitration)
Facts: Contractor failed to detect and respond to ransomware attacks on critical energy infrastructure
Outcome: ICC tribunal awarded damages and ordered contractor to implement enhanced security controls
Significance: Arbitration can enforce operational and risk mitigation obligations in critical infrastructure contracts
6) PT Bank Rakyat Indonesia v. PT TechSecure (2021, BANI Arbitration)
Facts: Termination dispute: service provider alleged wrongful termination due to pandemic-related operational delays
Outcome: Tribunal recognized partial force majeure but awarded some damages to client for unperformed obligations
Significance: Arbitration handles termination and force majeure disputes in IT service contracts
5. Legal Principles from Case Laws
SLA Enforcement: Arbitration panels enforce service level agreements and determine remedies for breaches.
Liability Allocation: Technical failures or cyber incidents are carefully evaluated to determine contractor responsibility.
Force Majeure: Unexpected cyberattacks or network outages may limit liability if properly defined.
IP Rights: Ownership of software, tools, and reports is enforceable via arbitration.
Cross-border Disputes: SIAC/ICC arbitration is effective for foreign contractors providing services in Indonesia.
Regulatory Compliance: Tribunals may consider breaches of ITE Law or personal data protection obligations when allocating liability.
6. Practical Considerations
Contract Drafting:
Include clear arbitration clause (seat, rules, governing law)
Define SLAs, incident reporting procedures, and liability caps
Include force majeure and termination clauses
Documentation: Maintain logs of security incidents, network monitoring, and breach reports
Technical Expertise: Arbitration panels often require IT/cybersecurity experts
Risk Allocation: Define responsibility for cyberattacks, human error, and third-party breaches
Insurance: Include cybersecurity liability coverage
7. Conclusion
Arbitration is critical in Indonesian cybersecurity service agreements due to the sensitive and technical nature of disputes.
Key lessons from the six cases:
SLA and operational breaches are enforceable in arbitration
Liability for cybersecurity incidents can be apportioned carefully
Termination, force majeure, and cross-border disputes are effectively resolved
IP rights and regulatory compliance are considered in award determination
Arbitration ensures confidential, technically-informed, and enforceable resolution, protecting both service providers and clients in the fast-growing Indonesian cybersecurity market.
RELATED Blog
comments