Cyber Security Act Malaysia : What Businesses Need To Know

Malaysia’s Cyber Security Act 2024, which came into force on 26 August 2024, is a long-awaited addition to the country’s cyber security legal landscape. It establishes a comprehensive regulatory framework designed to protect the nation’s National Critical Information Infrastructure (NCII) against continuously evolving cyber threats.
In this article, we provide an overview of the Cyber Security Act 2024 for businesses and the general public. We outline the key elements of the Act, with particular focus on the NCII sectors, the roles and responsibilities of the NCII Leads, the obligations of the NCII Entities designated under the Act, and the licensing requirements for cyber security service providers.
What Is the Focus of the Cyber Security Act 2024?
The Cyber Security Act 2024 establishes the National Cyber Security Committee and empowers the Chief Executive of the National Cyber Security Agency (NACSA) to implement and enforce the Act and the policies made under it. The Act and its regulations govern four aspects of Malaysia’s cyber security framework:
1. Designating 11 sectors as NCII sectors
2. Setting out the duties and responsibilities of NCII Leads
3. Setting out the obligations of NCII Entities
4. Licensing requirements for cyber security service providers
What Is NCII and What Are Its Sectors?
Based on the explanation laid out by NACSA, NCII, or National Critical Information Infrastructure, is defined as a ‘critical system that includes information assets (electronic), networks, functions, processes, facilities and services in an information and communications technology (ICT) environment that is important to the country where any disruption or destruction to it can have an impact on national defense and security, national economic stability, national image, the Government’s ability to function, public health and safety as well as individual privacy.’
The NCII sectors are the following 11 sectors:
- Government
- Banking and finance
- Transportation
- Defence and national security
- Information, communication and digital
- Healthcare services
- Water, sewerage and waste management
- Energy
- Agriculture and plantation
- Trade, industry and economy
- Science, technology and innovation
Who Is an NCII Lead?
NCII Leads are government entities or persons appointed by the Minister under the Act for each sector designated as an NCII sector. The Act allows more than one NCII Lead to be appointed for a sector, which helps address the particular needs and complexities of each sector. The NCII Leads are responsible for:
1. Identifying NCII Entities: The NCII Lead for each NCII sector is responsible for identifying the NCII Entities within that sector. This ensures that the entities vital to the sector are recognised and made subject to the Cyber Security Act.
2. Setting Security Standards: Each NCII Lead must prepare a Code of Practice, which requires the approval of the Chief Executive of NACSA. The code sets out the measures and standards for protecting the NCII in that sector.
3. Establishing Best Practice Guidelines: NCII Leads are also tasked with developing and maintaining guidelines on how cyber security should be managed in their sectors.
4. Overseeing Compliance: NCII Leads are responsible for ensuring that the designated NCII Entities actually follow the Code of Practice and the guidelines. They check compliance with the Code of Practice and other regulations and ensure that the entities meet the obligations set out in the Act.
5. Reporting Threats and Incidents: NCII Leads must prepare and submit reports on any cyber security threats or incidents affecting the NCII in their sector to the Chief Executive of NACSA. This keeps the government informed and able to respond effectively to emerging risks.
The names of the appointed NCII Leads are published on the NACSA website, so the public can see which body leads each sector.

Key Provisions And Regulations In The Cyber Security Act 2024
The Cyber Security Act 2024 is supplemented by several regulations that give effect to its provisions and strengthen the digital security framework across Malaysia. They are:
- Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
- Cyber Security (Notification of Cyber Security Incident) Regulations 2024
- Cyber Security (Compounding of Offences) Regulations 2024
- Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
Under Section 22 of the Cyber Security Act 2024, an entity designated as an NCII Entity is subject to mandatory risk assessment and audit requirements. The NCII Entity must conduct:
- A cyber security risk assessment, evaluating the risks and vulnerabilities that could be exploited by a cyber security threat or result in a cyber security incident, at least once a year.
- An audit at least once every two years, or more frequently if directed by the Chief Executive of NACSA.
The resulting reports must be submitted to the Chief Executive of NACSA, and failing to conduct the assessment or audit, or to submit the reports, is an offence under the Act.
Cyber Security (Notification of Cyber Security Incident) Regulations 2024
Under Section 23 of the Cyber Security Act 2024, an NCII Entity must notify both its NCII Lead and the Chief Executive of NACSA of any cyber security incident that has occurred or might have occurred in respect of its NCII. The notification is staged as follows:
- First Notification: As soon as a cyber security incident is discovered, an authorised person of the NCII Entity must immediately notify both the NCII Lead and the Chief Executive of NACSA.
- First Notification + 6 Hours: Within 6 hours of discovering the incident, the entity must submit further details through the National Cyber Coordination and Command Centre System (NC4S). These details must include, among other things, the nature of the incident, its severity, and how it was discovered.
- First Notification + 14 Days: Supplementary details covering aspects such as the impact of the incident, the threat actor, and the actions taken must be submitted within 14 days of the first notification.
Since the 6-hour clock starts at discovery rather than at the end of triage, NCII Entities should make sure their incident response procedure names the authorised person and has NC4S access ready in advance, rather than resolving these during an incident.
Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
Under Section 27, the Cyber Security Act 2024 introduces licensing requirements for Cyber Security Service Providers (CSSPs), applicable to any entity or individual that provides a cyber security service. The requirement does not apply where the service is:
- Provided by a government entity.
- Provided by a company (or its subsidiaries) to its related company, rather than to an unrelated third party.
- Provided in respect of computers or computer systems located outside Malaysia.
The licensing requirement applies to entities or persons that provide the following services:
1. Managed Security Operations Centre (SOC) monitoring service
- A managed SOC monitoring service monitors another entity’s computers or computer systems to identify potential cyber security threats. It does this by collecting, analysing, and scanning the data stored, processed, or transmitted by those systems.
- The service also determines the measures necessary to respond to or recover from a cyber security incident and to prevent such incidents from recurring.
2. Penetration testing service
A penetration testing service assesses the cyber security strength of a computer or computer system by looking for weaknesses and attempting to bypass its defences. It includes:
- Identifying weaknesses in the cyber security of a computer or computer system and demonstrating how those weaknesses could be exploited to attack it.
- Testing how well an organisation can detect and respond to cyber attacks by simulating attempts to penetrate its computers or computer systems.
- Finding and evaluating cyber security vulnerabilities in a computer or computer system, reporting those vulnerabilities, and proposing plans to remediate them or reduce the risk they pose to an acceptable level.
- Using social engineering techniques to test how vulnerable an organisation is to cyber threats.
Businesses that engage an external SOC or penetration testing provider for systems located in Malaysia should therefore check that the provider holds a CSSP licence, and in-house teams offering such services to other group companies should confirm that they fall within the related-company exemption.

Cyber Security (Compounding of Offences) Regulations 2024
Under Section 60 of the Cyber Security Act, the Minister of Digital may make regulations prescribing any offence under the Act as an offence that may be compounded, together with the method and procedure for compounding it.
The Compounding of Offences Regulations list the following 6 offences under the Act as compoundable:
- Section 20(6): Failure by an NCII Entity to provide information relating to its NCII.
- Section 20(7): Failure by an NCII Lead to provide information to the Chief Executive of NACSA.
- Section 22(7): Failure by an NCII Entity to conduct a cyber security risk assessment and audit, or to submit the resulting reports to the Chief Executive of NACSA.
- Section 22(8): Failure by an NCII Entity to comply with directions arising from the findings in those reports.
- Section 24(4): Failure by an NCII Entity to comply with the directions of the Chief Executive of NACSA in relation to cyber security.
- Section 32(3): Failure by a licensee to keep and maintain records in the manner determined by the Chief Executive of NACSA.
Conclusion
The Malaysia Cyber Security Act 2024 represents a significant step forward in protecting the country’s critical digital infrastructure. By establishing clear roles and responsibilities for NCII Leads and NCII Entities, and by licensing cyber security service providers, the Act creates a comprehensive framework that strengthens national cyber defences. Businesses, particularly those operating within the 11 NCII sectors, will need to be familiar with the Act and its regulations to maintain compliance and contribute to a more secure digital infrastructure in Malaysia.
If you wish to know how to adapt your IT infrastructure to comply with the Cyber Security Act, please don’t hesitate to contact us for more information.