Malaysia’s Cyber Security Act 2024 (Act 854) (“CSA”), which came into force on 26 August 2024, sets out the national cyber security compliance framework involving the newly established National cybersecurity Security Committee (“NCSC”), the Chief Executive of the National Cyber Security Agency (“Chief Executive”), national critical information infrastructure entities (“NCII Entities”) and cyber security service providers (“CSSPs”).
Various regulations have been published alongside the CSA, including the following:
- Cyber Security (Compounding of Offences) Regulations 2024
- Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
- Cyber Security (Notification of Cyber Security Incident) Regulations 2024
- Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
A. Overview of the CSA
The CSA has extraterritorial application. It applies to actions by any person outside Malaysia in relation to national critical information infrastructure (“NCII”) that is wholly or partly in Malaysia.
B. NCII Sectors
The CSA identifies the following sectors as NCII sectors:
- Government
- Banking and Finance
- Transportation
- Defence and National Security
- Information, Communication and Digital
- Healthcare Services
- Water, Sewerage and Waste Management
- Energy
- Agriculture and Plantation
- Trade, Industry and Economy
- Science, Technology and Innovation
NCII sector leads will be appointed under the new law and are tasked with duties including designating entities as NCII Entities and preparing codes of practice detailing the cyber security measures, standards and processes in relation to NCII for NCII Entities to follow.
C. Duties of NCII Entities
NCII Entities have duties which include:
- providing information relating to owned NCII to their respective NCII sector leads;
- adhering to the applicable codes of practice;
- conducting cyber security risk assessments and audits;
- adhering to directions issued by the Chief Executive in relation to cyber security exercises; and
- notifying their respective NCII Sector Leads and the Chief Executive of a cyber security incident (“Notification”).
Regulations prescribe that NCII entities must conduct:
- A cyber security risk assessment at least once a year; and
- An audit at least once every two years (or such higher frequency as the Chief Executive may direct).
The cyber security risk assessment is an assessment to determine and address the risks that a vulnerability in the cyber security of the NCII may be exploited by a cyber security threat or cyber security incident.
Regulations also prescribe the requirements for NCII Entities to make an initial Notification immediately after the NCII Entity becomes aware of the cyber security incident. Supplementary information to the initial Notification must be submitted within 6 hours and within 14 days after the initial Notification.
D. CSSPs
A person who wishes to (a) provide any cyber security service or (b) advertise, or in any way hold himself/herself out as a provider of a cyber security service, must hold a relevant license.
Regulations prescribe that licensable cyber security services include (a) managed security operation centre monitoring services and (b) penetration testing services.
Click here for a copy of the CSA and its regulations.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the CSA and its regulations; information, content, and materials stipulated above is based on our reading of the CSA and its regulations and are for general informational purposes only.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.