Malaysia's Cyber Security Act 2024, brought into force on August 26, 2024, under Prime Minister Anwar Ibrahim, represents a significant shift in the nation's approach to cybersecurity. The legislation received Royal Assent on June 18, 2024, and was published in the Official Gazette on June 26, 2024. It aims to bolster protection for National Critical Information Infrastructure (NCII) and establish a robust framework for managing cyber threats.
Primary Goal and Key Definitions
The Cyber Security Act 2024 is primarily designed to safeguard Malaysia's eleven NCII sectors, which are the Malaysian government's defined categories of critical infrastructure. To protect essential services and keep national infrastructure stable in the face of cyber threats, organizations in the following sectors must prioritize compliance with the new regulations, both to avoid penalties and to enhance their cyber resilience:
- Agriculture & plantation
- Banking & finance
- Defense & national security
- Energy
- Government
- Healthcare services
- Information (communication & digital)
- Science, technology, & innovation
- Trade, industry, & economy
- Transportation
- Water, sewage, & waste management
Along with these eleven NCII sectors, the Act defines "cyber security services" as the services needed to maintain robust defenses against cyber threats, encompassing threat monitoring, incident response, and risk management, and defines "cyber security service providers" (CSSPs) as the parties that provide such services.
Duties for Compliant NCII Entities
To that end, the Act introduces four newly mandated duties for private and public organizations designated as NCII entities, intended to create a proactive security posture and improve overall cyber resilience across all sectors. These are:
Duty to provide information relating to national critical information infrastructure to the relevant NCII sector lead.
NCII sector leads, officials appointed by the Chief Executive to oversee an assigned NCII sector, can request information from NCII entities about their critical infrastructure, and these entities must comply. NCII entities must also report the acquisition of new computer systems deemed "critical" along with any significant changes that affect cybersecurity, such as alterations to the design or security, to NCII sector leads.
Duty to implement the code of practice prepared by the relevant NCII sector lead.
NCII entities are obligated to follow the cybersecurity measures, standards, and processes specified in the code of practice to protect their critical infrastructure. However, they can adopt alternative measures that are proven to offer equal or better protection and can implement cybersecurity standards based on international frameworks, as long as they comply with the code of practice.
Duty to conduct cyber security risk assessment and audit.
NCII entities are required to conduct cybersecurity risk assessments and have audits performed by an approved auditor to ensure compliance with the Act and the code of practice. If the Chief Executive deems the risk assessment or audit report unsatisfactory, the entity may be directed to take corrective actions or perform additional assessments or audits, especially after significant changes to their infrastructure.
Duty to give notification on cyber security incident.
NCII entities must notify both the Chief Executive and their sector lead if they become aware of a cybersecurity incident or the potential for one affecting their infrastructure.
Requirements for Compliant Cyber Security Service Providers
Any CSSP offering cybersecurity services to NCII entities must obtain a license before offering or advertising those services. Applications for licenses are submitted to the Chief Executive, who reviews them based on the provider's qualifications, past conduct, and compliance with specified standards. Once a license is issued, with or without conditions, providers must maintain detailed records of their services, including client names, service dates, and types of services provided, and keep these records for at least six years. Licenses can be renewed through an application process, but they cannot be transferred or assigned to others unless approved by the Chief Executive, who must be satisfied that the new holder meets the necessary financial and technical requirements. Non-compliance can result in the revocation of a license along with additional penalties.
Enforcement and Penalties for Non-Compliance
The Cyber Security Act 2024 grants authorities broad enforcement powers. Under the Act, a Magistrate may issue a warrant authorizing the inspection of individuals along with the search and seizure of various items related to suspected offenses, including documents, computerized data, and physical evidence. Authorized officers conducting such searches can also inspect individuals physically present. Moreover, officers have additional powers to demand document production and conduct inquiries, with penalties for non-compliance or obstruction. These enforcement powers apply to any individuals suspected of an offense under the Act regardless of their physical location.
The Cyber Security Act 2024 imposes penalties on NCII entities for failing to meet several key obligations. More specifically, entities that:
- Neglect to provide information, implement security measures, or report material changes could face fines up to RM 100,000 and/or imprisonment for up to 2 years.
- Fail to comply with directives from the Chief Executive related to security evaluations may face fines up to RM 200,000 and/or imprisonment for up to 3 years.
- Fail to comply with risk assessment or audit requirements, or fail to notify the proper parties of cybersecurity incidents, could face fines up to RM 500,000 and imprisonment for up to 10 years.
Similarly, in addition to the revocation of their license, CSSPs that:
- Fail to comply with directives from the Chief Executive may be fined up to RM 50,000 and/or imprisoned for up to 6 months.
- Tamper with or damage items seized during investigations, obstruct an authorized officer during investigations, or fail to comply with document or data requests may be fined up to RM 100,000 and/or imprisoned for up to 2 years.
- Provide services without a license or fail to fulfill licensing obligations may be fined up to RM 300,000 and/or imprisoned for up to 3 years.
Take Charge of Your Compliance Efforts
Ensuring compliance with the Cyber Security Act 2024 is essential for safeguarding your organization and the essential services it provides. When you’re prepared to face your compliance challenges head-on, reach out to our team of experts to discover how Fortra's Data Protection Solutions can help you meet your goals and enhance your cyber security posture effectively.