Malaysia’s Cyber Security Act 2024: What Businesses Need to Know

Written by Ayman Falak Medina

The Cyber Security Act 2024, officially gazetted on June 26, 2024, by the Attorney General’s Chambers, marks a significant advancement in Malaysia’s efforts to fortify its digital defenses. This legislation represents a comprehensive legal framework designed to safeguard the nation’s critical information infrastructure (CII) against an increasingly complex landscape of cyber threats.

The Act establishes the National Cyber Security Committee and delineates the responsibilities and authority of the Chief Executive of the National Cyber Security Agency (NACSA). It also sets out specific roles for CII sector leads and entities.

A notable feature of the Act is its focus on cybersecurity service providers, mandating a licensing regime to ensure that only qualified entities are authorized to deliver cybersecurity services.

Territorial scope of the Cyber Security Act

The Cyber Security Act extends its reach beyond Malaysia's borders: offenses concerning National Critical Information Infrastructure (NCII) that is wholly or partly located in Malaysia fall under the Act even when the offense is committed from outside the country. This broad jurisdiction mirrors the original scope of Singapore's Cybersecurity Act (CSA) before its 2024 amendments.

Singapore's amendments now bring within scope computer systems located entirely outside its territory, provided the system's owner is based in Singapore and the system would have qualified as Critical Information Infrastructure (CII) had it been located in the country.

Key provisions and regulations: How the Cyber Security Act 2024 affects businesses

The Cyber Security Act 2024 introduces several key provisions and regulations aimed at strengthening the security framework across the nation.

Cyber Security (Risk Assessment and Audit) Regulations

Under the Cyber Security Act 2024, entities designated as NCII entities (organizations that own or operate National Critical Information Infrastructure) are subject to stringent risk assessment and audit requirements. These entities must conduct a comprehensive cybersecurity risk assessment at least once a year, identifying vulnerabilities in the NCII that could be exploited by cyber threats and the incidents that could result.

Additionally, NCII entities must undergo an audit every two years, or more frequently if directed by the Chief Executive of the National Cyber Security Agency (NACSA).

The government has designated the following sectors as NCII sectors:

  1. Government;
  2. Banking and finance;
  3. Transportation;
  4. Defence and national security;
  5. Information, communication, and digital;
  6. Healthcare services;
  7. Water, sewerage, and waste management;
  8. Energy;
  9. Agriculture and plantation;
  10. Trade, industry, and economy; and
  11. Science, technology, and innovation.

Incident notification

NCII entities must immediately notify both the Chief Executive of NACSA and their respective NCII Sector Lead upon becoming aware of a cybersecurity incident. This initial notification is submitted electronically through the National Cyber Coordination and Command Centre System (NC4S). Within six hours of becoming aware of the incident, the entity must provide initial details through NC4S, including the nature of the incident, its severity, and how it was discovered.

Within 14 days of the initial notification, supplementary details must be submitted, covering aspects like the impact on the NCII and actions taken in response to the incident.

Licensing and compliance for Cyber Security Service Providers

The Cyber Security Act 2024 introduces a licensing regime for Cyber Security Service Providers (CSSPs). Any entity or individual offering a prescribed cybersecurity service, such as managed security operations centre monitoring or penetration testing, must hold a license granted by the Chief Executive of NACSA. The Act exempts certain services from the licensing requirement, such as those provided by government entities or those a company provides to its own related companies.

Non-compliance with these licensing regulations can result in severe penalties, including fines of up to 500,000 ringgit (US$106,000), imprisonment of up to ten years, or both.

Offenses and penalties under the Act

Offenses under the Act range from failing to conduct the required risk assessments and audits to failing to notify the relevant authorities of a cybersecurity incident. Failure to conduct a risk assessment or audit carries a fine of up to 200,000 ringgit (US$43,549), imprisonment for up to three years, or both. More serious violations, including failure to notify an incident, non-compliance with the licensing requirements, and failure to implement the mandated code of practice, carry fines of up to 500,000 ringgit, imprisonment for up to ten years, or both. The Act also extends liability beyond the organization itself: where an offense is committed by a body corporate, its directors and officers may be held personally liable, and an entity can be liable for offenses committed by its employees or agents.

About Us

ASEAN Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia and maintains offices throughout ASEAN, including in Singapore, Hanoi, Ho Chi Minh City, and Da Nang in Vietnam, in addition to Jakarta, in Indonesia. We also have partner firms in Malaysia, the Philippines, and Thailand as well as our practices in China and India. Please contact us at asean@dezshira.com or visit our website at www.dezshira.com.