Who Should Read This: Cybersecurity service providers, NCII-designated companies, and businesses managing critical infrastructure or ICT systems need to understand the impact of Malaysia’s new Cyber Security Act 2024 and its regulations.
On 26 June 2024, the Cyber Security Act 2024 (“CSA”) was officially gazetted by the Attorney General’s Chambers. It came into force on 26 August 2024, accompanied by four subsidiary regulations to facilitate its implementation:
- Cyber Security (Period of Cyber Security Risk Assessment and Audit) Regulations 2024 (“Audit Regulation”);
- Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 (“Licensing Regulation”);
- Cyber Security (Notification of Cyber Security Incident) Regulations 2024 (“Incident Regulation”); and
- Cyber Security (Compounding of Offences) Regulations 2024 (“Offences Regulation”).
These regulations, collectively referred to as the “CSA Regulations,” play a crucial role in ensuring the effectiveness of the CSA.
Part 1 – Key Highlights of the CSA
The CSA introduces several significant measures aimed at enhancing national cybersecurity:
- Extra-territorial reach: The CSA applies to anyone, regardless of nationality, citizenship, or the geographical location where an offence is committed. This broad scope ensures that cybercrimes affecting Malaysia can be prosecuted even if committed outside its borders;
- Public Licensing regime: Cybersecurity service providers are now required to obtain a license from the Chief Executive of the National Cyber Security Agency (NACSA). The scope of licensed services is determined by NACSA. During a public dialogue session on 24 November 2023, it was suggested that these services may include activities aimed at securing the cybersecurity of information and communications technology devices for others. The Licensing Regulation now provides further clarity on what these services entail (see Part 2 below);
- Establishment of the National Cyber Security Committee: A new committee, chaired by the Prime Minister, has been established to monitor the implementation of national cybersecurity policies. This committee will play a critical role in shaping and overseeing Malaysia’s cybersecurity strategy;
- Concept of National Critical Information Infrastructure (“NCII”): The CSA defines NCII as any computer or computer system whose disruption or destruction could negatively impact essential services related to Malaysia’s security, defence, foreign relations, economy, public health, public safety, or public order. It also covers systems critical to the functioning of the Federal or State Governments.
- Regulatory framework for NCII: Entities designated as part of the NCII are now subject to certain reporting and disclosure obligations, cybersecurity audits, risk assessments, and adherence to codes of practice outlined in the CSA.
Part 2 – Key Highlights of the CSA’s Regulations
The CSA Regulations provide further clarity on compliance requirements for NCII-designated entities and Cybersecurity Service Providers:
- Audit Regulation: NCII-designated entities must conduct cybersecurity risk assessments at least once a year and undergo a cybersecurity audit at least once every two years. The Chief Executive of NACSA may, at their discretion, direct more frequent assessments in specific cases;
- Licensing Regulation: This regulation outlines the procedures and application fees for obtaining a license to provide managed security operations centre monitoring services and penetration testing services. Providers of these services are collectively referred to as “Cybersecurity Service Providers”;
- Incident Regulation: The regulation specifies the timeline within which NCII-designated entities must notify NACSA of any cybersecurity incidents. Reports must be made:
a. Immediately after discovering the incident;
b. Within 6 hours, providing information such as a description, severity, date, and method of discovery of the incident;
c. Within 14 days of the initial notification, with supplementary details such as the number of affected hosts, particulars of the threat, and actions taken.
- Offences Regulation: This regulation lists six offences that may be compounded with the consent of the Public Prosecutor. Examples include failure to provide requested information, failure to conduct risk assessments, failure to comply with NACSA’s directions, and failure to maintain proper records.
Impact on Businesses
The CSA and its accompanying regulations will significantly impact cybersecurity practices. Businesses must prepare for the following key changes:
- Licensing Requirements: All Cybersecurity Service Providers must obtain proper licensing from NACSA before promoting their services in Malaysia. Ensure that your service provider is compliant to avoid any disruptions.
- Obligations for Designated NCII Entities: Companies designated as NCII entities will face several mandatory obligations, including:
– Disclosing information as requested by the NCII Sector Lead;
– Conducting cybersecurity risk assessments as per the Code of Practice set by the NCII Sector Lead;
– Reporting cybersecurity incidents to NACSA’s Chief Executive;
– Participating in cybersecurity exercises as directed; and
– Adhering to all other duties outlined by the CSA.
- Penalties for Non-Compliance: Non-compliance with the CSA can result in severe penalties, including fines ranging from RM100,000 to RM500,000 or imprisonment for 2 to 10 years, depending on the severity of the offence.
With the implementation of the CSA and the accompanying regulations, NCII-designated entities and Cybersecurity Service Providers must stay ahead by thoroughly understanding these requirements and preparing their businesses accordingly. Proactive compliance is essential to avoid penalties and to contribute to strengthening Malaysia’s national cybersecurity framework.
***
This article was written by Sylvia Lock (Senior Associate) from Donovan & Ho’s corporate practice group.
Donovan & Ho is a law firm in Malaysia, and our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.