The Cyber Security Act 2024 (“Act”) came into effect on 26 August 2024, heralding a new era in Malaysia’s cyber security regulation.
To complement the Act, four (4) crucial regulations have been introduced, each providing specific guidelines and obligations for entities owning or managing national critical information infrastructures (“NCII”):
- (i) Cyber Security (Notification of Cyber Security Incident) Regulations 2024;
- (ii) Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024;
- (iii) Cyber Security (Compounding of Offences) Regulations 2024; and
- (iv) Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024.
The newly introduced regulations have provided further details regarding some of the key elements under the Act, which we have summarised in this article:
1. Notification of Cyber Security Incidents

The Act imposes certain obligations on an NCII entity to notify the Chief Executive of NACSA and the relevant NCII sector lead(s) upon the happening or suspicion of a cyber security incident. With the introduction of the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, there is now clarity on the procedure and timeline for such cyber security incident notification:

- Immediate Notification: Upon discovering a cyber security incident or potential incident, the NCII entity must notify the Chief Executive of NACSA and its NCII sector lead immediately via electronic means. It is unclear what “electronic means” entails, but this could be either e-mail or a dedicated online portal.
- Within 6 Hours: Within 6 hours of discovering the incident, the NCII entity must provide a detailed report which must, at a minimum, include:
  - Particulars of the person submitting the notification on the entity’s behalf;
  - Particulars of the NCII entity concerned, the relevant NCII sector and sector lead(s);
  - Information concerning the cyber security incident, including its severity (typically rated using the Common Vulnerability Scoring System, also known as “CVSS”), method of discovery, etc.
- Within 14 Days: A more comprehensive report must be submitted within 14 days from the initial notification, which, to the fullest extent practicable, must include:
  - Particulars of the NCII impacted;
  - Scope of impact (estimated number of hosts affected);
  - Particulars of the cyber security threat actor (if known);
  - Incident artifacts: relevant logs, code snippets, or malicious files;
  - Information on any related incidents and their connection to the current cyber security incident;
  - Tactics, techniques, and procedures employed or exploited by the threat actors;
  - The incident’s impact on the NCII or interconnected computer systems;
  - Details of any actions taken to contain or mitigate the effect of the cyber security incident.
2. Period for Cyber Security Risk Assessment and Audit

To maintain robust cyber security practices and readiness, NCII entities are required under the Act to perform regular assessments and audits to ensure ongoing compliance and security. The Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 has now provided clarity on the frequency of cyber security risk assessments and audits:

- Annual Risk Assessments: An NCII entity must conduct a cyber security risk assessment at least once a year to identify and address potential vulnerabilities.
- Biennial Audits: A cyber security audit, on the other hand, must be carried out once every 2 years, or more frequently if directed by the Chief Executive of NACSA, to ensure ongoing compliance and address emerging threats.

3. Compounding of Offences

The Cyber Security (Compounding of Offences) Regulations 2024 introduced a mechanism for compounding specific offences, offering an alternative to prosecution. This allows entities to resolve certain violations by paying a fine rather than facing court proceedings.

- Eligible Offences: The following offences are eligible for compounding, subject to the Public Prosecutor’s consent:
| No. | Act | Description of Offence | Penalty |
| --- | --- | --- | --- |
| 1. | Section 20(6) | Non-compliance by an NCII entity with requests or requirements related to information disclosure, material changes, or reporting. | Fine up to RM100,000 or imprisonment for up to 2 years, or both. |
| 2. | Section 20(7) | Non-compliance by an NCII sector lead with the requirement to notify the Chief Executive of NACSA about certain information. | Fine up to RM100,000. |
| 3. | Section 22(7) | Failure of an NCII entity to conduct or submit required cyber security risk assessments or audits. | Fine up to RM200,000 or imprisonment for up to 3 years, or both. |
| 4. | Section 22(8) | Failure to comply with directions from the Chief Executive regarding additional risk assessments or audits. | Fine up to RM100,000. |
| 5. | Section 24(4) | Non-compliance with directions from the Chief Executive related to cyber security exercises. | Fine up to RM100,000. |
| 6. | Section 32(3) | Failure by a licensee to maintain or provide records of cyber security services as required. | Fine up to RM100,000 or imprisonment for up to 2 years, or both. |
- Acceptance of Offer: If a company is offered the opportunity to compound an offence, the offer must be accepted within 30 days, with payment made electronically.
- Consequences of Non-Payment: Failure to pay the compounding fine within the specified period may result in prosecution without further notice.

4. Licensing of Cyber Security Service Providers

The Act requires cyber security service providers to procure a licence before they can offer cyber security services in Malaysia. The Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 has made it clear that only companies providing managed security operations centre (SOC) monitoring or penetration testing services are subject to the licensing regime:

- Licensing Process: Cyber security service providers must apply for the licence electronically, presumably through an online platform to be set up, which would require applicants to fill in details of their companies and services. Each application and renewal must be accompanied by payment of a non-refundable fee.
- Penalties for Misrepresentation: Providing false or misleading information during the application process can lead to severe penalties, including fines and/or imprisonment.
- Exemptions: Exemptions are provided for government entities, services provided by individuals to their related companies, and cyber security services for computers or systems located outside Malaysia.
Conclusion
The Cyber Security Act 2024, along with its subsidiary regulations, imposes significant new responsibilities on NCII entities. This framework requires meticulous compliance and proactive management.
For tailored advice and assistance in navigating this new framework, our TMT team is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
johnson.ong@hhq.com.my
Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications (“TMT”), TMT Disputes
nicole.shieh@hhq.com.my