In more detail
Who: Applicability of the Bill and governing bodies
Extra territoriality
The Bill is intended to have extra-territorial application and shall apply to any person, irrespective of nationality or citizenship, and shall have effect outside as well as within Malaysia. The Federal Government and State Governments are also subject to the Bill (although they will not be liable to prosecution for any offence under the Bill).
National Cyber Security Committee and Chief Executive's powers
The Bill establishes a 13-member National Cyber Security Committee which shall be chaired by the Prime Minister of Malaysia. Its primary functions are, among others, to advise and provide recommendations to the Federal Government to strengthen cyber security, oversee implementation of the Bill (when it comes into force) and give directions to the Chief Executive of the National Cyber Security Agency ("Chief Executive") and national critical information infrastructure sector leads on matters relating to national cyber security.
The Chief Executive, in turn, is empowered under the Bill to, among others, establish the National Cyber Coordination and Command Centre system for the purpose of dealing with cyber security threats and cyber security incidents and issue directives as necessary for the purpose of ensuring compliance with the Bill.
What and how: National Critical Information Infrastructure, NCII Sectors, NCII Sector Leads and NCII entities
NCII
To protect against cyber security threats and incidents in Malaysia, the Bill seeks to impose specific requirements on entities that own or operate national critical information infrastructure (NCII). Specifically, NCII is defined as "a computer or computer system which the disruption or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia or on the ability of the Federal Government or any State Government to carry out its functions effectively".
NCII Sectors
The Bill complements the NCII definition with a list of sectors regarded as NCII sectors, as follows: (a) the government; (b) banking and finance; (c) transportation, defence and national security; (d) information, communication, and digital; (e) healthcare services; (f) water, sewerage, and waste management; (g) energy; (h) agriculture and plantation; (i) trade, industry, and economy; (j) science, technology, and innovation (each and collectively, "NCII Sector(s)").
NCII Sector Leads
A sector lead (which can be a government entity or a private entity) for each of the NCII Sectors ("NCII Sector Lead") will be appointed by the Minister responsible for cyber security ("Minister") (at the recommendation of the Chief Executive), and such NCII Sector Lead is thereafter tasked with the responsibility of:
- Designating any government entity or person as an entity which owns or operates NCII in respect of its appointed sector ("NCII Entity"). If so designated, an NCII Entity will be subject to various requirements (discussed further below).
- Preparing a code of practice, containing measures, standards and processes in ensuring the cyber security of an NCII within the NCII Sector for which it is appointed ("Codes of Practice").
NCII Entities
An NCII Entity then has the obligation of, among others, implementing measures, standards and processes as specified in the Code of Practice for the purposes of ensuring the cyber security of its NCII, conducting a cyber security risk assessment in accordance with the Code of Practice, and causing an audit to be carried out to determine the compliance of the NCII Entity with the Cyber Security Act 2024 ("Audit Report"). This Audit Report will need to be submitted to the Chief Executive within the prescribed periods.
Specifically, the NCII Entity will also need to notify the Chief Executive and its NCII Sector Lead of any cyber security incident ("Incident") which has or might have occurred in respect of itself ("Incident Reporting"). Upon receipt of the Incident Reporting, the Chief Executive is obligated to investigate the Incident to ascertain if it in fact occurred and determine rectification and preventative measures to prevent the Incident from occurring in the future. The timelines and scope of information required to be provided in respect of the Incident Reporting are not provided for in the Bill; we expect that these will be dealt with by the Minister under directives or regulations once the Bill comes into force.
Others: Cyber Security Service Provider Licence
The Bill also mandates that any person providing or advertising (or holding himself out) as a provider of cyber security service shall obtain a licence ("Cyber Security Service Provider Licence"). Similarly, the definition and scope of a "cyber security service" is as yet undefined in the Bill and is instead left to the determination of the Minister.
Key takeaways
While not dissimilar to cyber security legislation in other Commonwealth jurisdictions, such as the Singapore Cybersecurity Act 2018 (i.e. both are intended to enhance the cyber security of critical national information infrastructure and regulate the licensing of cyber security service providers), the Bill introduces distinctive roles such as the Chief Executive and the NCII Sector Lead to ensure a more industry-specific focus on cyber security governance in Malaysia.
With the prevalence of cyber breach incidents in Malaysia accompanying the extensive use of information and communications technology systems and devices in the public and private sectors, the Bill is a significant stride forward in Malaysia’s journey towards a secure digital future. The proposed measures, standards, and processes under the Bill underscore the nation’s commitment to protecting its national critical information infrastructure. As we move forward, it will be crucial to monitor the implementation and impact of this legislation, ensuring it effectively addresses the evolving landscape of cyber threats.
* * * * *
© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.