Tay & Partners

Unveiling Malaysia’s Cyber Security Act 2024: Strengthening Our Digital Fortress!

LegalTAPS Sep 2024

On 26 August 2024, the Cyber Security Act 2024 (“CSA”) came into effect as Malaysia’s inaugural legislation aimed at strengthening the nation’s cybersecurity framework and safeguarding critical infrastructure. The implementation of the CSA reflects the Malaysian government’s commitment to enhancing and securing the country’s cybersecurity landscape.

This article aims to outline the essential requirements of the CSA that businesses and sectors affected by the legislation should be aware of.

A. Scope of the CSA

It is pertinent to note that the CSA binds the Federal Government and State Governments. However, the Federal Government and State Governments are not liable to prosecution for any offence under the CSA.

Furthermore, the CSA has extraterritorial application if an offence is committed in relation to a national critical information infrastructure that is wholly or partly in Malaysia.

B. National Critical Information Infrastructure

National critical information infrastructure (“NCII”) refers to essential systems and assets vital for a nation’s operations. It plays a crucial role in various sectors, including government, defence, finance, healthcare, energy, transportation, and communications. In essence, NCII is foundational to a nation’s well-being and can significantly impact its stability.

According to the CSA, NCII is defined as any computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.

The CSA identifies and designates 11 sectors as critical to the nation’s security and economic stability:

(1) Government;
(2) Banking and finance;
(3) Transportation;
(4) Defence and national security;
(5) Information, communication and digital;
(6) Healthcare services;
(7) Water, sewerage and waste management;
(8) Energy;
(9) Agriculture and plantation;
(10) Trade, industry and economy; and
(11) Science, technology and innovation.

C. NCII Sector Lead

Under the CSA, the Minister of Digital has the authority to appoint a government entity or individual as the NCII sector lead for each of the NCII sectors (“NCII Sector Leads”). This appointment is made on the recommendation of the Chief Executive of the National Cyber Security Agency (“Chief Executive”).

Some of the key responsibilities of the NCII Sector Leads under the CSA include:

  • designating any government entity or individual that owns or operates NCII as a national critical information infrastructure entity (“NCII Entity”);
  • developing a code of practice that outlines measures, standards and processes to ensure the cyber security of an NCII within their respective sectors;
  • monitoring and ensuring that the required actions and duties imposed on NCII Entities are fulfilled;
  • creating and maintaining guidelines on best practices for cyber security management; and
  • preparing and submitting to the Chief Executive a situational report regarding any cyber security threats or incidents affecting NCII within their sector.

D. Duties of NCII Entity

The CSA imposes several legal obligations on NCII Entities with significant penalties for non-compliance. For instance, NCII Entities are required to:

  • implement the measures, standards and processes as specified in the code of practice to ensure the cyber security of the NCII owned or operated by the NCII Entity;
  • conduct a cyber security risk assessment and facilitate an audit by an approved auditor to evaluate the NCII Entity’s compliance with the CSA;
  • notify the Chief Executive and the respective NCII Sector Lead if the NCII Entity becomes aware of a cyber security incident that has occurred or may have occurred regarding the NCII it owns or operates; and
  • comply with the directions issued by the Chief Executive during the cyber security exercises carried out by the Chief Executive.

E. Licensing of cyber security service provider

The CSA also establishes a licensing framework for cyber security service providers. Pursuant to Section 27 of the CSA, any person who (i) provides any cyber security service; or (ii) advertises or holds himself out in any way as a cyber security service provider must obtain a licence to do so.

According to the Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 (“Regulations”), only two types of services will require a cyber security service licence:

  • Managed security operation centre monitoring services: services that involve monitoring the level of cyber security of a computer or computer system to identify and detect any potential cyber security threats to that computer or computer system. This includes acquiring and analysing information to determine the measures necessary for responding to or recovering from cyber security incidents, as well as for preventing future incidents.
  • Penetration testing services: services which involve the assessing, testing or evaluating the level of cyber security of a computer or computer system by searching for vulnerabilities on and compromising the cyber security defences of the computer or computer system.

Based on the information made available by the National Cyber Security Agency (“NACSA”), cyber security service providers will be able to apply for the cyber security service licence formally from 1 October 2024. A cyber security service licence will have a validity period of 1 year and cyber security service providers may apply to renew their licence at least 30 days before the expiration of the licence.

Any person providing a cyber security service without a licence commits an offence and will be liable upon conviction to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding 10 years or to both.

F. Liabilities under the CSA

The CSA outlines different liabilities and consequences based on the nature and severity of the violation. For example:

| Offence | Penalties |
| --- | --- |
| Failure to provide NCII Sector Leads information relating to NCII | A fine not exceeding RM100,000 or imprisonment for a term not exceeding 2 years or both |
| Failure to conduct a cyber security risk assessment and audit | A fine not exceeding RM200,000 or imprisonment for a term not exceeding 3 years or both |
| Failure to implement measures, standards and processes as specified in the code of practice | A fine not exceeding RM500,000 or imprisonment for a term not exceeding 10 years or both |
| Failure to give notice of a cyber security incident | A fine not exceeding RM500,000 or imprisonment for a term not exceeding 10 years or both |

Where the offence is committed by a company, limited liability partnership, firm, society or other body of persons, the CSA provides that any person who is a director, compliance officer, partner, manager, secretary or other similar officer of the company at the time of the offence may also be made liable to the same penalties for such offence.

The CSA has an extensive and far-reaching impact on the cyber security landscape in Malaysia, as the rapid growth of the digital economy has in turn created room for increasing cyber threats. Overall, the CSA aims to create a safer digital environment, but it also requires proactive measures from businesses, especially those within the NCII sectors, to adapt to the new regulatory landscape. Companies operating in NCII sectors and their management must understand and comply with the CSA to effectively mitigate these risks.

This article is intended to provide general information only and does not constitute any legal opinion or professional advice. For further information and advice on this article and/or on any areas of Corporate and Commercial law, please contact Hoong Wei En at weien.hoong@taypartners.com.my.
Hoong Wei En
Partner
T: +603 2050 1838
weien.hoong@taypartners.com.my

Trisha Lim
Associate
trisha.lim@taypartners.com.my