Learn about Malaysia’s Cyber Security Act 2024, its key provisions, and how businesses can comply with the regulations to safeguard critical infrastructure from cyber threats.
On June 26, 2024, the Cyber Security Act 2024 (Act 854) was gazetted by the Attorney General’s Chambers, and it came into force on August 26, 2024, marking a pivotal step in Malaysia’s efforts to strengthen its digital defenses. The legislation provides a legal framework for safeguarding the nation’s National Critical Information Infrastructure (NCII) against a rapidly evolving cyber threat landscape.
The Act establishes the National Cyber Security Committee, sets out the powers and duties of the Chief Executive of the National Cyber Security Agency (NACSA), and defines the roles of NCII sector leads and NCII entities. A key feature is a licensing regime for cybersecurity service providers, so that only licensed entities may offer these services commercially.
Territorial Scope of the Cyber Security Act
The Cyber Security Act 2024 applies to National Critical Information Infrastructure (NCII) located wholly or partly within Malaysia, and to offenses involving such infrastructure. This territorial scope resembles Singapore’s Cybersecurity Act before its 2024 amendments; the amended Singapore Act now also reaches systems located entirely outside Singapore when they are owned by Singapore-based entities and designated as CII.
Key Provisions of the Cyber Security Act 2024 and Its Impact on Businesses
1. Cybersecurity Risk Assessment and Audit Regulations
Entities designated as NCII entities must follow prescribed requirements for risk assessment and audit. Each NCII entity is required to:
- Conduct a cybersecurity risk assessment at least once a year to identify vulnerabilities in its NCII that could be exploited.
- Undergo a cybersecurity audit at least once every two years, or more frequently if directed by the Chief Executive of NACSA.
The First Schedule of the Act lists eleven NCII sectors:
- Government
- Banking and finance
- Transportation
- Defence and national security
- Information, communication and digital
- Healthcare services
- Water, sewerage and waste management
- Energy
- Agriculture and plantation
- Trade, industry and economy
- Science, technology and innovation
2. Incident Notification Requirements
When a cybersecurity incident occurs, or is reasonably suspected, in respect of its NCII, the NCII entity must notify both the Chief Executive of NACSA and its sector lead. An initial notification must be sent electronically immediately upon becoming aware of the incident; within six hours, the prescribed details of the incident must be submitted through the National Cyber Coordination and Command Centre System (NC4S); and a supplementary report covering the incident’s impact and the mitigation actions taken must follow within 14 days.
3. Licensing for Cybersecurity Service Providers (CSSPs)
The Act introduces a licensing regime for any company or individual that provides cybersecurity services, such as managed security operations or penetration testing, to others. Certain services are exempt, for example those provided by a government entity or services a company provides only to its related companies.
Providing a licensable cybersecurity service without a license is an offense punishable by a fine of up to 500,000 Ringgit (approx. US$106,000), imprisonment of up to 10 years, or both.
Offenses and Penalties Under the Cyber Security Act 2024
The Act attaches criminal penalties to non-compliance. Offenses include failing to carry out the required risk assessments and audits, failing to notify the authorities of a cybersecurity incident, and breaching the licensing rules. The penalties scale with the offense:
- Fines of up to 200,000 Ringgit (approx. US$43,000), imprisonment of up to 3 years, or both, for failures such as not conducting the required risk assessment or audit.
- Fines of up to 500,000 Ringgit (approx. US$106,000), imprisonment of up to 10 years, or both, for more serious violations, such as providing cybersecurity services without a license or failing to notify a cybersecurity incident.
Liability does not stop at the organization: directors and other officers of a body corporate can be held personally liable for an offense committed by the entity unless they show it was committed without their knowledge and that they exercised due diligence, and an entity answers for acts and omissions of its employees and agents.
Preparing for the Cyber Security Act 2024
With the Cyber Security Act 2024 in force, businesses in Malaysia, and in particular organizations that may be designated as NCII entities or that offer cybersecurity services commercially, need to review their security programs and confirm that they meet the new obligations. Whether that means scheduling annual risk assessments and biennial audits, obtaining a license before offering cybersecurity services, or building an incident-reporting process that can meet the immediate, six-hour and 14-day deadlines, the Act raises the level of accountability for protecting critical infrastructure.
Meeting these obligations not only avoids severe penalties but also hardens operations against the growing threat of cyberattacks.