Malaysia: The Cyber Security Bill 2024 - A new era for cyber security

In brief

The new Cyber Security Bill 2024 ("Bill") was tabled for first reading at the Malaysian Parliament on 25 March 2024. The Bill aims to provide a regulatory framework for the safeguarding of Malaysia's cyber security landscape by requiring national critical information infrastructure entities to comply with certain measures, standards and processes in the management of the cyber security threats and cyber security incidents. To achieve such objectives, the Bill provides for, among others, the establishment of the National Cyber Security Committee, the duties and powers of the Chief Executive, the appointment of national critical information infrastructure sector leads, the designation of national critical information infrastructure entities and the licensing of cyber security service providers.


In more detail

Who: Applicability of the Bill and governing bodies

Extra-territoriality

The Bill is intended to have extra-territorial application and shall apply to any person, irrespective of nationality or citizenship, and shall have effect outside as well as within Malaysia. The Federal Government and State Governments are also subject to the Bill (although they will not be liable to prosecution for any offence under the Bill).

National Cyber Security Committee and Chief Executive's powers

The Bill establishes a 13-member National Cyber Security Committee, which shall be chaired by the Prime Minister of Malaysia. Its primary functions are, among others, to advise and provide recommendations to the Federal Government to strengthen cyber security, to oversee implementation of the Bill (when it comes into force) and to give directions to the Chief Executive of the National Cyber Security Agency ("Chief Executive") and national critical information infrastructure sector leads on matters relating to national cyber security.

The Chief Executive, in turn, is empowered under the Bill to, among others, establish the National Cyber Coordination and Command Centre system for the purpose of dealing with cyber security threats and cyber security incidents and issue directives as necessary for the purpose of ensuring compliance with the Bill.

What and how: National Critical Information Infrastructure, NCII Sectors, NCII Sector Leads and NCII entities

NCII

In seeking to protect against cyber security threats and incidents in Malaysia, the Bill seeks to impose specific requirements on entities that own or operate national critical information infrastructure (NCII). Specifically, NCII is defined as "a computer or computer system which the disruption or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia or on the ability of the Federal Government or any State Government to carry out its functions effectively".

NCII Sectors

The Bill complements the NCII definition with a list of sectors regarded as NCII sectors, as follows: (a) the government; (b) banking and finance; (c) transportation, defence and national security; (d) information, communication, and digital; (e) healthcare services; (f) water, sewerage, and waste management; (g) energy; (h) agriculture and plantation; (i) trade, industry, and economy; (j) science, technology, and innovation (each and collectively, "NCII Sector(s)").

NCII Sector Leads

A sector lead (which can be a government entity or a private entity) for each of the NCII Sectors ("NCII Sector Lead") will be appointed by the Minister responsible for cyber security ("Minister") (at the recommendation of the Chief Executive), and such NCII Sector Lead is thereafter tasked with the responsibility of:

  1. Designating any government entity or person as an entity which owns or operates NCII in respect of its appointed sector ("NCII Entity"). If so designated, an NCII Entity will be subject to various requirements (discussed further below).

  2. Preparing a code of practice, containing measures, standards and processes in ensuring the cyber security of an NCII within the NCII Sector for which it is appointed ("Codes of Practice").

NCII Entities

An NCII Entity then has the obligation of, among others, implementing the measures, standards and processes specified in the Code of Practice for the purpose of ensuring the cyber security of its NCII, conducting a cyber security risk assessment in accordance with the Code of Practice, and causing an audit to be carried out to determine the compliance of the NCII Entity with the Cyber Security Act 2024 ("Audit Report"). This Audit Report will need to be submitted to the Chief Executive within the prescribed periods.

Specifically, the NCII Entity will also need to notify the Chief Executive and its NCII Sector Lead of any cyber security incident ("Incident") which has or might have occurred in respect of itself ("Incident Reporting"). Upon receipt of the Incident Reporting, the Chief Executive is obligated to investigate the Incident to ascertain whether it in fact occurred and to determine rectification and preventative measures to prevent the Incident from occurring in the future. The timelines and scope of information required to be provided in respect of the Incident Reporting are not provided for in the Bill; we expect that these will be dealt with by the Minister under directives or regulations once the Bill comes into force.

Others: Cyber Security Service Provider License

The Bill also mandates that any person providing, or advertising (or holding himself out) as a provider of, a cyber security service shall obtain a licence ("Cyber Security Service Provider Licence"). However, the definition and scope of a "cyber security service" is not yet defined in the Bill and is instead left to the determination of the Minister.

Key takeaways

While not dissimilar to cyber security legislation in other Commonwealth jurisdictions, such as the Singapore Cybersecurity Act 2018 (i.e. both are intended to enhance the cyber security of critical national information infrastructure and regulate the licensing of cyber security service providers), the Bill introduces distinctive roles such as the Chief Executive and the NCII Sector Lead to ensure a more industry-specific focus on cyber security governance in Malaysia.

With the prevalence of cyber breach incidents in Malaysia accompanying the extensive use of information and communications technology systems and devices in the public and private sectors, the Bill is a significant stride forward in Malaysia’s journey towards a secure digital future. The proposed measures, standards and processes under the Bill underscore the nation’s commitment to protecting its national critical information infrastructure. As we move forward, it will be crucial to monitor the implementation and impact of this legislation, ensuring it effectively addresses the evolving landscape of cyber threats.

* * * * *


© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
