It has been more than a month since the passing of the Cyber Security Bill 2024, and many are eagerly waiting for the list of national critical information infrastructure sector leads (“NCII Leads”) to be published, which is the very first step before the series of implementation measures under the Cyber Security Act 2024 can be rolled out.
That being said, we believe that many of the stakeholders who own or operate national critical information infrastructure (“NCII”) in the eleven (11) NCII sectors (“NCII Sectors”) would already have some idea as to whether they will be designated as NCII entities (“NCII Entities”). Our article this week seeks to assist soon-to-be NCII Entities to better understand the statutory obligations under the Cyber Security Act 2024 that will be imposed upon them once their designation as NCII Entities is finalised, as well as the exposure that NCII Entities may face for non-compliance with these statutory obligations.
Statutory Obligations of NCII Entities
If the Cyber Security Act 2024 were a screenplay, the NCII Entity would no doubt be the most important role with the most screentime. A quick count through the Cyber Security Act 2024 shows that NCII Entities have a total of 13 distinct statutory obligations imposed upon them, and this does not include any additional obligations that they may have under the codes of practice that are to be drawn up for each NCII Sector. The attention given to NCII Entities under the Cyber Security Act 2024 is understandable, as they are the ones that either own or actively operate the NCIIs.
To simplify things, the statutory obligations of the NCII Entities can be categorised into four (4) broad categories as follows:
- 1. Information Disclosure Obligation
- Upon being designated as an NCII Entity, the NCII Entity will have to provide information relating to the NCII owned or operated by it to the NCII Lead upon request. The objective of this obligation would appear to be to give the relevant NCII Lead a clear picture of the type and nature of the NCIIs owned or operated by each NCII Entity. To ensure that the information is kept up to date, NCII Entities will also have a continuing obligation to notify the NCII Lead when they procure or come into possession or control of additional computers or computer systems which are believed to be NCIIs, as well as when there are material changes to the NCIIs owned or operated by them.
- NCII Entities also have an obligation to notify the NCII Lead when a computer or computer system owned or operated by them ceases to be an NCII, or when they no longer own or operate any NCII.
- 2. Codes of Practice Implementation
- One of the most critical statutory obligations of NCII Entities is the requirement to implement the Code of Practice put in place for their NCII Sector. The Codes of Practice will presumably set out the minimum standards and requirements that NCII Entities must comply with in order to strengthen the cyber security of the NCIIs they own or operate.
- The Codes of Practice are to be prepared by the NCII Lead appointed for each NCII Sector. Given that the list of NCII Leads has yet to be finalised, it may still be some time before any Code of Practice sees the light of day. That said, we expect the Codes of Practice to contain provisions or requirements on Business Continuity Management and the preparation of disaster recovery plans, which are essential for mitigating the impact that a cyber security incident may have on NCIIs.
- 3. Cyber Security Risk Assessment and Preparation
- NCII Entities will also be required to conduct cyber security risk assessments from time to time in respect of the NCIIs they own or operate, to ensure that appropriate cyber security safeguards are in place as required by the applicable Code of Practice and any directives that may be prescribed. Additionally, NCII Entities will have to allow an external auditor to audit their compliance with the Cyber Security Act 2024 from time to time. Reports will have to be drawn up following each cyber security risk assessment and/or audit and submitted to the Chief Executive of the National Cyber Security Agency (“Chief Executive”). If the Chief Executive is not satisfied with the result of a cyber security risk assessment, or is of the view that an audit report is insufficient, the Chief Executive may require a further cyber security risk assessment to be carried out or the audit report to be rectified. NCII Entities may also be required by the Chief Executive to carry out additional cyber security risk assessments or audits where there have been material changes to the design, configuration, security or operation of the NCIIs they own or operate. In addition, NCII Entities will be required to participate in and cooperate with any cyber security exercise that the Chief Executive elects to conduct.
- The obligations of NCII Entities relating to risk assessments, audits and cyber security exercises are important to ensure that the cyber security measures in place appropriately and sufficiently account for the cyber security risks that the NCIIs face. As technology advances, threat actors will continuously innovate and deploy new techniques and technologies to breach the cyber security of NCIIs. It is therefore important that cyber security measures are updated continually to address new threats that malicious actors will take advantage of, thereby enhancing the cyber security readiness and preparedness of NCII Entities.
- 4. Cyber Security Incident Notification and Response
- Apart from enhancing the cyber security of NCIIs, the Cyber Security Act 2024 also seeks to establish a cyber security incident notification and response regime. Upon detecting a cyber security incident, or a potential cyber security incident, in respect of an NCII it owns or operates, an NCII Entity will have an obligation to report it to the Chief Executive and the NCII Lead within a prescribed period. If further investigation confirms that the relevant NCII has indeed suffered a cyber security incident, the response to the incident and the measures to be taken by the relevant NCII Entity to recover from it will have to be coordinated with the Chief Executive.
- Effectively, NCII Entities will no longer have the discretion to respond to a cyber security incident without first consulting the Chief Executive, and any measures implemented in responding to, recovering from and preventing cyber security incidents will have to be consistent with the directives given by the Chief Executive.
Exposures for Non-Compliance with Cyber Security Act 2024
Under the Cyber Security Act 2024, penalties for non-compliance vary depending on the type and severity of the violation.
For general non-compliance with the statutory obligations under the Cyber Security Act 2024 by NCII Entities, such as failure to conduct an additional cyber security risk assessment or to rectify an audit report upon request by the Chief Executive, or failure to notify the NCII Lead of material changes to the NCII owned or operated, the penalties are generally as follows:
- 1. a fine not exceeding Ringgit Malaysia One Hundred Thousand (RM100,000) or Two Hundred Thousand (RM200,000), depending on the offence; or
- 2. imprisonment for a term not exceeding three (3) years, for those offences that provide for imprisonment; or
- 3. both of the above.
More serious violations involving critical statutory obligations, such as failure to implement the applicable Code of Practice or failure to notify a cyber security incident, carry a heavier penalty: upon conviction, a fine not exceeding Ringgit Malaysia Five Hundred Thousand (RM500,000) or imprisonment for a term not exceeding ten (10) years, or both.
Underscoring the seriousness of an offence under the Cyber Security Act 2024, management personnel of an NCII Entity can also be made personally liable for non-compliance by the NCII Entity. The Cyber Security Act 2024 also makes it clear that where an offence is committed by an employee, agent or employee of the agent of an NCII Entity, the NCII Entity will be liable to the same punishment or penalty as its employee, agent or employee of its agent.
Conclusion
Considering the impact that a cyber security incident in respect of an NCII can have, the dire need for a robust cyber security regime for the country's NCIIs, and for strict compliance with and enforcement of that regime, is no laughing matter.
NCII Entities stand on the frontline of any cyber warfare that may be waged against our nation's NCIIs, and the expectations on NCII Entities to safeguard the NCIIs are high. Given the key role that NCII Entities play, it is advisable that (soon-to-be) NCII Entities carefully consider their statutory obligations under the Cyber Security Act 2024 to better prepare for these eventualities. Once the Code of Practice for each NCII Sector is finalised, NCII Entities should consider working with cyber security professionals and legal professionals who are well-versed in technology and cyber security matters to assess their compliance readiness and to put in place internal policies and procedures to meet their obligations under the Cyber Security Act 2024.
Please contact the partners from our Technology Practice Group should you have any enquiries pertaining to the Cyber Security Act 2024 or if you would like to enquire more about the obligations of an NCII Entity under the Cyber Security Act 2024.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my