Malaysia: Cyber security law updates

In brief

Since the Malaysian Cyber Security Act 2024 ("CSA") came into force on 26 August 2024 (please see our earlier client alerts on the CSA here and here), there have been substantial developments in the regulatory landscape in the past few months. In this update, we summarize the following key developments:

  1. The announcement of the National Critical Information Infrastructure Sector Leads ("NCII Sector Leads")
  2. The Cyber Security Service Provider ("CSSP") licensing portal has gone live and has been accepting applications since 1 October 2024
  3. Obligations on designated National Critical Information Infrastructure Entities ("NCII Entities") to complete the National Cyber Security Baseline Self-Assessment within two weeks of designation
  4. Clarification of the scope, steps and processes to be adopted by NCII Entities when undertaking cyber security risk assessments under Section 22(1) of the CSA

In more detail

NCII Sector Leads announced

On 11 September 2024, the National Cyber Security Agency ("NACSA") announced the full list of NCII Sector Leads appointed by the Prime Minister under Section 15 of the CSA for each of the 11 NCII Sectors.

The full list of NCII Sector Leads can be accessed here.

CSSP licence applications formally open on 1 October 2024

Licence applications for CSSPs formally opened on 1 October 2024 via the licensing portal here. There is a grace period until 31 December 2024 for CSSPs to apply for their licences. Any individual or entity providing, advertising itself as, or holding itself out as a provider of cyber security services will be required to obtain a licence.

Obligations of NCII Entities to complete National Cyber Security Baseline Self-Assessment

Following the designation of NCII Entities, the Chief Executive of NACSA issued Directive No. 4/2024 on the National Cyber Security Baseline ("NCSB") (the "Directive"), which requires all designated NCII Entities to complete the National Cyber Security Baseline Self-Assessment ("NCSB Self-Assessment").

According to the Directive, which came into effect on 1 October 2024, the NCSB is a set of minimum cyber security controls and best practices to be implemented by NCII Entities as the blueprint for a basic level of cyber security protection. The NCSB comprises six (6) main domains, which branch into 15 essential cyber security categories/aspects and are further broken down into 33 specific cyber security elements. This structure is designed to enable NCII Entities to manage their cyber security efforts in a layered, structured manner, with the ultimate aim of safeguarding national critical information infrastructure from a wide range of cyber security threats.

All NCII Entities are required to complete the NCSB Self-Assessment within two (2) weeks from the date of their designation as an NCII Entity. The NCII Entity must then return the completed NCSB Self-Assessment to the Chief Executive of NACSA via email, copying its respective NCII Sector Lead.

Scope, process and reporting of Cyber Security Risk Assessments

Under Section 22(1) of the CSA (read together with the Cyber Security (Period For Cyber Security Risk Assessment and Audit) Regulations 2024), NCII Entities are required to undertake an annual cyber security risk assessment of the national critical information infrastructure which they own or operate, and to report on it ("Annual Risk Reports").

Directive No. 5/2024 on the Cyber Security Risk Assessment was issued by NACSA (taking effect on 10 October 2024) to clarify the scope, steps and processes to be undertaken by an NCII Entity when assessing cyber security risk for the purposes of the Annual Risk Reports. Among others, the steps to be taken should include:

  1. Identifying (to the extent reasonably possible) each cyber security risk faced by the NCII Entity. This may include conducting an inventory of all assets connected to the national critical information infrastructure owned or operated by the NCII Entity which may be exposed to cyber security risk, and assessing the vulnerabilities of the computer or computer system which could be exploited by one or more cyber security threats;
  2. Analysing the probability and impact of each identified cyber security risk to the NCII Entity; and
  3. Assessing and identifying the actions to be taken by the NCII Entity in respect of each cyber security risk identified.

The outcome of each of the above steps must be documented in the Annual Risk Report and sent to the Chief Executive of NACSA via email, copying the relevant NCII Sector Lead.

* * * * *

Kean Lynn Tai, Associate, has contributed to this legal update.


© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
