In more detail
In our earlier client alert, we highlighted who will be impacted by the CSA (i.e., entities that are owners and operators of national critical information infrastructure[1] ("NCII") (such entities, a "NCII Entity") and cyber security service providers ("CSSP")) and the obligations brought about by the CSA.
Coming into force on 26 August 2024 together with the principal act, the Regulations shed more light on the various compliance requirements imposed on a NCII Entity, provide a list of compoundable offences under the CSA and clarify the type of CSSP who will require a licence. Set out below is a high-level summary of the subject matter of each of the Regulations.
NCII Entity: Cyber Security (Period of Cyber Security Risk Assessment and Audit) Regulations 2024 ("Risk Assessment and Audit Regulations")
Section 22 of the CSA mandates a NCII Entity to (among others) conduct a cyber security risk assessment in accordance with the code of practice and directives applicable to the NCII Entity, and cause to be carried out an audit to determine the compliance by the NCII Entity with the CSA.
Under the Risk Assessment and Audit Regulations, a NCII Entity will need to conduct:
- A cyber security risk assessment (i.e., assessment of risks that a vulnerability in the cyber security of the NCII may be exploited by a cyber security threat or cyber security incident) at least once a year; and
- An audit at least once in every two years (or at such higher frequency as may be directed by the Chief Executive of the National Cyber Security Agency Malaysia (NACSA)).
NCII Entity: Cyber Security (Notification of Cyber Security Incident) Regulations 2024 ("Incident Notification Regulations")
Section 23 of the CSA mandates a NCII Entity to notify each of the Chief Executive of NACSA and a NCII Sector Lead[2] of any "cyber security incident" which has or might have occurred in respect of its NCII ("Notifications"). The Incident Notification Regulations go on to prescribe the frequency, timelines and substance of the Notifications required.
Specifically:
- Immediately on T: An authorized person of a NCII Entity must immediately provide the Notifications (electronically) of a cyber security incident that has or might have occurred ("First Notification"), when the cyber security incident comes to the knowledge of the NCII Entity ("T").
- T + 6 hours: Within 6 hours from the time the cyber security incident comes to the knowledge of the NCII Entity, the authorized person shall submit further particulars on the cyber security incident to the National Cyber Coordination and Command Centre System ("NC4S")[3].
Such further particulars include information on the NCII Entity (including its sector and sector lead) and information on the cyber security incident (including the type and description of the cyber security incident, the severity of the cyber security incident and the method of discovery of the cyber security incident).
- First Notification + 14 days: Within 14 days from the First Notification, the authorized person of the NCII Entity shall provide (to the fullest extent practicable) additional supplementary information to the NC4S. Such supplementary information includes the particulars of the NCII affected by the cyber security incident, the estimated number of hosts affected by the cyber security incident, particulars of the cyber security threat actor, the impact of the cyber security incident on the NCII or any computer or interconnected computer system, and any action taken.
NCII Entity and CSSP: Cyber Security (Compounding of Offences) Regulations 2024 ("Compounding Regulations")
Section 60 of the CSA provides that the Minister of Digital may make regulations prescribing any offence under the CSA as an offence which may be compounded, and the method and procedure for compounding such offence.
The Compounding Regulations list the 6 offences under the CSA which are capable of being compounded (if consented to by the Public Prosecutor in writing at the material time). These include:
- Section 20(6): NCII Entity's failure to provide information relating to its NCII.
- Sections 22(7) and 22(8): NCII Entity's failure to conduct cyber security risk assessment and audit (and subsequent failure to submit the reports to the Chief Executive of NACSA) as well as a NCII Entity's failure to comply with directions to the NCII Entity arising from the findings in such reports.
- Section 24(4): NCII Entity's failure to comply with the directions of the Chief Executive of NACSA in relation to cyber security exercises.
CSSP: Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 ("CSSP Regulations")
Under Section 27 of the CSA, and save where the service is provided by a company to its related company, any person providing, or advertising or holding himself out as a provider of, a cyber security service must be licensed.
To this end, the CSSP Regulations set out the licensing procedures and fees applicable to a cyber security service relating to:
- Managed security operation centre monitoring services, i.e., a service for:
  - Monitoring the level of cyber security of a computer or computer system of another person by acquiring, identifying or scanning information that is stored in, processed by or transmitted through the computer or computer system, for the purpose of identifying or detecting cyber security threats to the computer or computer system; or
  - Determining the measures necessary to respond to or recover from any cyber security incident and to prevent such cyber security incident from occurring in the future.
- Penetration testing service, i.e., a service for assessing, testing or evaluating the level of cyber security of a computer or computer system by searching for vulnerabilities[4] on, and compromising, the cyber security defences of the computer or computer system, and includes:
  - Determining the cyber security vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of;
  - Determining or testing the organization's ability to identify and respond to a cyber security incident through simulation of attempts to penetrate the cyber security defences of the computer or computer system;
  - Identifying and measuring the cyber security vulnerabilities of a computer or computer system, indicating vulnerabilities and preparing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk; or
  - Utilizing social engineering to assess the level of vulnerability of an organization to cyber security threats.
Where the above services are:
- Provided by a Government Entity;
- Provided by a person, other than a company, to its related company; or
- Provided in respect of computer or computer systems which are located outside Malaysia,
the CSSP Regulations (and therefore the licensing obligations attached to such services) will not apply.
Key Takeaways
The Regulations provide much-needed clarity to enable NCII Entities and affected CSSPs to navigate and adhere to the CSA. Organisations in Malaysia will now need to assess whether there is a possibility of their being designated a NCII Entity. Such organisations will then need to review their existing cyber security governance and data frameworks against the requirements under the CSA and the Regulations, to ensure that these new requirements are addressed and to enable effective compliance with the CSA and its new regulatory framework.
*Tai Kean Lynn, Associate, has contributed to this legal update.
[1] Section 4 of the CSA defines a "national critical information infrastructure" to mean a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.
[2] Section 4 of the CSA defines "NCII Sector Lead" to mean any government entity or person appointed as a national critical information infrastructure sector lead under section 15 of the CSA. The NCII Sector Leads will carry out the functions as provided under Section 16 of the CSA.
[3] The National Cyber Coordination and Command Centre (NC4) is a centre that deals with cyber threats and crises at the national level. The NC4 was developed under the purview of the NACSA as a central coordination and command facility responsible for managing cyber security at the national level. The National Cyber Coordination and Command Centre System (NC4S), on the other hand, is a national cyber security system established and maintained by the Chief Executive pursuant to Section 11 of the CSA.
[4] The CSSP Regulations define "vulnerabilities" as "any vulnerability on a computer or computer system that can be exploited by one or more cyber security threats".
* * * * *
© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.