Building on our last article on the key takeaways of the new Cyber Security Bill 2024, titled “Cyber Security Bill 2024 Decoded: 5 Key Insights for Strategic Compliance”, this article seeks to expound on some of the key considerations that soon-to-be national critical information infrastructure (“NCII”) entities (the “NCII Entities”) should pay attention to.
As we covered in our previous article, any government entity or person (legal or natural) that owns or operates any NCII will very likely be designated as an NCII Entity. Once designated, an NCII Entity will have to, among other things, (i) take part in the preparation of the code of practice applicable to the NCII sector that the NCII Entity is in; (ii) provide information, particulars or documents potentially relating to the function and design of the computer or computer system owned or operated by the NCII Entity; (iii) provide information relating to the NCII that the NCII Entity owns or operates; and (iv) conduct periodic cyber security assessments and audits and report the same to the Chief Executive of the National Cyber Security Agency (“NACSA”).
With this article, we hope to draw the attention of the NCII Entities to some of the points to take note of while complying with the obligations under the Cyber Security Act 2024 (the “Act”).
Disclosure Requirements
As explained earlier, NCII Entities have certain obligations under the Act to disclose certain information and documents to the corresponding NCII sector lead(s) upon request. The disclosure obligations for information and documents are also relevant when an NCII Entity encounters a cyber security incident and upon completion of a cyber security risk assessment and audit. When fulfilling these obligations, it is crucial that the NCII Entities ensure that they do not disclose any information that would jeopardise their business interests or unknowingly translate into risk or liability for the organisation. An assessment should be made for each disclosure to ensure that (i) confidential information and sensitive information of the organisation are not inadvertently included in the disclosure; (ii) when disclosing information relating to the computer systems of the organisation, and especially where some of the computer systems are proprietary, their source code is not disclosed unless strictly necessary; (iii) personal data of data subjects being processed by the NCII Entities is not included, or is at least anonymised, to avoid potential non-compliance with the personal data protection law; and (iv) only relevant information is disclosed, by applying the principle of data minimisation: NCII Entities should provide only the minimal amount of data necessary for compliance with regulatory requirements or for an effective response to a cyber security incident, and should not over-share information just for the sake of getting through the regulatory obligations while undermining their business interests in the process.
Potential Centralisation Risk
Disclosing the information requested by the NCII sector lead(s), especially information relating to the function and design of the computers or computer systems owned or operated by the NCII Entities, has the potential to create centralisation risk. To the extent that the information disclosed could be used to better understand the architecture and design of an NCII Entity's computers or computer systems, and to find out the exact software and hardware used by the NCII Entities, it would undeniably become a treasure trove for cyber criminals and advanced persistent threat actors. Gathering this information in one single location, be it with the NCII sector lead(s) or the Chief Executive of NACSA, will draw the attention of malicious actors.
While technical measures will certainly be put in place to safeguard this information, NCII Entities should also consider, to the extent permissible, encrypting the information disclosed to the NCII sector lead(s) to better secure it.
Coordinated Incident Response
Under the Act, the Chief Executive of NACSA has the power to direct the NCII Entities on how to respond to a cyber security incident, and indirectly, this may mean that an NCII Entity no longer has full discretion to decide on its incident response measures. Decisions such as whether or not to make a ransom payment, how to address the public, whether or not to temporarily shut down the network, negotiating with threat actors, etc., may potentially have to be cleared by the Chief Executive of NACSA before proceeding.
Incident response is always a race against time. As such, it is very common for organisations to call the shots quickly from a war room when faced with a cyber security incident, in order to cut losses or to mitigate and contain risks. With the passing of the Act, it would be crucial for the NCII Entities to first communicate their action plan to the Chief Executive of NACSA prior to execution, so as not to attract additional liabilities.
Therefore, in addition to coordinating their incident response plans with the Chief Executive of NACSA, NCII Entities should work on establishing pre-defined communication protocols and contact points at NACSA. This preparation should include clear guidelines on how to quickly communicate and escalate incidents to NACSA. Pre-established communication channels, such as dedicated hotlines, encrypted messaging systems, or secure email gateways, can significantly reduce the response time during a cyber security incident. By having these protocols in place, NCII Entities can ensure that they can swiftly reach the necessary contacts within NACSA and relay critical information without unnecessary delays, thus maintaining the pace needed for an effective response to cyber threats.
Closing Remarks
Given the importance of NCII to the economy of a country, it is expected that the Act, when in force, will be actively enforced by the authorities. In case readers are unable to fully grasp the extent of disruption that can be caused by an NCII-targeted cyber security incident, the Colonial Pipeline ransomware attack that took place back in 2021 in the U.S. offers a good example. Colonial Pipeline, one of the largest and most vital oil pipelines in the U.S., was hit with a ransomware attack in May 2021, which forced Colonial Pipeline to shut down part of its network for several days to contain the incident. Colonial Pipeline eventually paid the ransom and resumed operation of the pipeline, but the damage from the incident was not limited to monetary loss to Colonial Pipeline. The shutdown of the pipeline caused panic-buying of gas, disruption of the supply chain, and an increase in gas prices to the highest level since 2014. Several states in the U.S. declared states of emergency due to this incident. No doubt the incident had a direct impact on the daily lives of U.S. citizens, which highlights the importance of NCII and the criticality of ensuring its cyber security preparedness.
The Act in itself is not sufficient to increase the cyber security preparedness and readiness of the NCII in Malaysia. It does, however, provide an important framework for the establishment of codes of practice for each NCII sector, the implementation of and compliance with which would ensure that certain minimum standards of cyber security are met. NCII Entities form the main line of defence against cyber threat actors causing disruptions to Malaysia's economy, and the stakes are definitely high should they fail to do so.
Navigating compliance with new legislation is never an easy feat. Where there is any doubt or uncertainty as to the newly imposed obligations under the Cyber Security Act 2024, or as to the extent to which an organisation designated as a national critical information infrastructure entity must comply with the provisions of the legislation, please feel free to reach out to the partners at the Technology Practice Group of Halim Hong & Quek:
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my