The Malaysian Cyber Security Act 2024, officially gazetted on June 26, 2024, by the Attorney General's Chambers, brings about sweeping changes to Malaysia's cybersecurity landscape. It outlines new requirements for businesses, introduces regulations for cybersecurity service providers, and establishes guidelines for cybersecurity audits and penetration testing.
This article will look at why Malaysia introduced the Cybersecurity Act, the key provisions of the act, its impact on businesses, the importance of cybersecurity risk management, and the cross-border implications for international companies.
Current cybersecurity landscape
Malaysia's digital landscape has been evolving rapidly, and the government has recognised the need for a comprehensive cybersecurity framework to safeguard its digital infrastructure. Prior to the introduction of the Cybersecurity Act 2024, cybersecurity requirements were scattered across multiple legislations, including the Personal Data Protection Act 2010, the Communications and Multimedia Act 1998, and the Computer Crimes Act 1997. This fragmented approach left gaps in the nation's cyber defences, making it vulnerable to sophisticated attacks.
In 2023, the Malaysia Digital Economy Corporation (MDEC) allocated RM238 million for the 2023-2025 period to support new initiatives under the Program Mangkin Malaysia Digital (Pemangkin), with RM45 million specifically earmarked for tech enablers, including cybersecurity, demonstrating Malaysia’s commitment to building a robust digital ecosystem.
Increasing cyber threats
The urgency for a comprehensive cybersecurity bill has been underscored by the alarming rise in cyber incidents. In 2022, CyberSecurity Malaysia (CSM) reported 4,741 cyber threats, with the situation worsening to 5,917 cyber incidents in 2023.
Ransomware attacks have emerged as a particularly pressing concern. In 2023, ransomware incidents doubled from the previous year with attacks becoming increasingly sophisticated, incorporating advanced functionalities such as data infiltration, deployment of additional malware delivery systems, and business email compromise.
Establishment of the National Cyber Security Committee
The Cybersecurity Act 2024 establishes a 13-member National Cyber Security Committee, chaired by the Prime Minister. Its primary functions include advising and providing recommendations to the Federal Government on cybersecurity matters, overseeing the implementation of the Act, and giving directions to the Chief Executive of the National Cyber Security Agency (NACSA) and national critical information infrastructure sector leads on issues related to national cybersecurity.
Role of NACSA
The Chief Executive of NACSA has been empowered with significant responsibilities under the Act. These include establishing the National Cyber Coordination and Command Center system to deal with cybersecurity threats and incidents. The Chief Executive also has the authority to issue directives necessary for ensuring compliance with the Act.
NACSA's role extends beyond these immediate responsibilities, encompassing a wide range of strategic functions. These include developing and implementing national-level cybersecurity policies and strategies, protecting National Critical Information Infrastructures (NCII), undertaking strategic measures to counter cyber threats, and spearheading cybersecurity awareness and capacity-building programs.
Designation of NCII sectors
A key provision of the Act is the designation of National Critical Information Infrastructure (NCII) sectors. The Act defines NCIIs as any computer or computer system which, if disrupted, would impact national security, economy, public health, public safety, or government functionality.
The Act specifically outlines ten NCII sectors:
For each NCII sector, a sector lead will be appointed by the Minister responsible for cybersecurity, based on recommendations from the Chief Executive of NACSA. The sector lead's responsibilities include designating entities that own or operate NCIIs within their respective sectors, known as NCII Entities.
The Cybersecurity Act 2024 introduces significant changes that will have far-reaching implications for businesses operating in Malaysia, particularly those designated as National Critical Information Infrastructure (NCII) entities. These impacts span across compliance requirements, cost implications, and operational changes.
Compliance Requirements
The Cybersecurity Act mandates stringent compliance measures for NCII entities. These organizations are required to conduct cybersecurity risk assessments at least once a year, in accordance with the applicable code of practice and directives. Additionally, NCII entities must undergo an audit at least once every two years to determine their compliance with the Act. These audits may be more frequent if directed by the Chief Executive of the National Cyber Security Agency (NACSA).
A crucial aspect of compliance is the obligation to report cybersecurity incidents. NCII entities must immediately notify both the Chief Executive of NACSA and their respective NCII Sector Lead when they become aware of a cybersecurity incident that has occurred or might have occurred in respect of their NCII. This initial notification must be followed by more detailed information within specific timeframes:
Cost Implications
The implementation of the Cybersecurity Act will likely result in increased costs for businesses, particularly in the areas of cybersecurity infrastructure, personnel, and potential penalties for non-compliance.
Businesses may need to invest in enhanced cybersecurity measures to meet the Act's requirements. This could involve upgrading existing systems, implementing new security protocols, and potentially hiring additional cybersecurity professionals. The requirement for regular risk assessments and audits will also incur ongoing costs.
Non-compliance with the Act can result in significant financial penalties. For instance, failing to conduct required risk assessments and audits can lead to fines of up to RM200,000 or imprisonment for up to three years, or both. More severe violations, such as non-compliance with licensing requirements, can attract fines of up to RM500,000 or imprisonment for up to ten years, or both.
To mitigate financial risks, businesses should consider obtaining cyber insurance. While this represents an additional cost, it can provide protection against the financial consequences of cybersecurity breaches or non-compliance with the Act.
Operational Changes
The Act necessitates several operational changes for businesses:
To prepare for these changes, organizations should proactively review and update their current cybersecurity policies and procedures.
The Cybersecurity Act 2024 places a strong emphasis on proactive risk management for National Critical Information Infrastructure (NCII) entities. This approach aims to ensure that organizations maintain robust cybersecurity practices and remain prepared to face evolving digital threats. The Act outlines specific requirements for risk assessments, audits, and the implementation of security measures.
Annual Risk Assessments
NCII entities are required to conduct cybersecurity risk assessments at least once a year. These assessments serve a crucial purpose in identifying and addressing potential vulnerabilities within an organization's digital infrastructure.
The annual risk assessment process involves:
1. Identifying potential vulnerabilities in the NCII systems
2. Evaluating the likelihood and potential impact of various cyber threats
3. Assessing the effectiveness of existing security controls
4. Developing strategies to mitigate identified risks
Audits Every Two Years
In addition to annual risk assessments, the Cybersecurity Act 2024 mandates that NCII entities undergo cybersecurity audits once every two years. These audits serve as an external verification of an organization's adherence to the Act's requirements and help ensure ongoing compliance with established security standards.
Key aspects of the biennial audit process include:
1. Verification of compliance with the Cybersecurity Act 2024
2. Assessment of the effectiveness of implemented security measures
3. Identification of areas for improvement in the organization's cybersecurity posture
4. Recommendations for enhancing overall security practices
The Chief Executive of the National Cyber Security Agency (NACSA) has the authority to direct more frequent audits if deemed necessary.
Implementation of Security Measures
To comply with the Cybersecurity Act 2024, NCII entities are responsible for implementing a range of security measures and practices. These include:
1. Providing information about their NCIIs to sector leads upon request
2. Notifying sector leads of any changes, acquisitions, or disposals of NCIIs within 30 days
3. Implementing codes of practice issued by relevant NCII sector leads
4. Conducting cybersecurity risk assessments to ensure compliance with codes of practice
5. Arranging external audits to verify adherence to the Cybersecurity Act
By implementing these measures, organizations can enhance their overall security posture and contribute to the protection of Malaysia's critical digital infrastructure.
The Cybersecurity Act 2024 extends its jurisdiction beyond Malaysia's borders, encompassing offenses related to National Critical Information Infrastructure (NCII) that are either fully or partially situated within the country. This broad extraterritorial reach mirrors the initial scope of Singapore's Cybersecurity Act (CSA) before its revisions in early 2024. The Act applies not only to individuals within Malaysia but also to those outside the country, regardless of the offender's physical location.
Failure to comply with the Act can have serious consequences for foreign companies. In addition to fines and potential imprisonment in severe cases, non-compliance may result in restricted market access or exclusion from critical sectors.
Malaysia's Cybersecurity Act 2024 marks a significant step forward in strengthening the nation's digital defences. It impacts businesses across various sectors, particularly those designated as National Critical Information Infrastructure entities. The act introduces new requirements for risk assessments, audits, and incident reporting, aiming to create a more secure digital environment for both local and international companies operating in Malaysia.
Looking to improve your cybersecurity posture? Get in touch to see how we can help.