One of the most impactful legislative developments in Malaysia this year is undoubtedly the Cyber Security Act 2024. With its official implementation on 26 August 2024, the cyber security regulatory framework has transitioned from being merely a buzzword to a crucial area of compliance that organizations must prioritize. This new regulatory layer introduces additional challenges for in-house legal departments, which require immediate and strategic attention.
While many general counsels and in-house legal teams are aware that the Cyber Security Act 2024 imposes stringent cyber security incident notification obligations on National Critical Information Infrastructure (“NCII”) entities, there remains some uncertainties regarding the precise steps to take when managing and responding to a cyber security incident. Therefore, the aim of this article is straightforward, which is to provide a practical and actionable guide for general counsels and in-house lawyers, outlining exactly how to act and respond in the event of a cyber security incident.
When Does the Cybersecurity Incident Notification Obligation Arise?
Before exploring the practical steps, it is essential to establish the circumstances under which the cyber security incident notification obligation arises and to understand what qualifies as a cyber security incident
Under the Cyber Security Act 2024, the cyber security notification obligation arises under two scenarios:
- 1. When it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII has occurred; or
- 2. When it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII might have occurred.
It is crucial to emphasize that in both cases—whether the cyber security incident has occurred or is merely suspected—the Cyber Security Act 2024 imposes a duty to notify. This reflects the proactive stance of the law in ensuring timely responses to potential cyber security incidents before it escalates further.
What Exactly Constitutes a Cyber Security Incident?
One of the most common questions that follows is: What exactly constitutes a cyber security incident? This is a crucial consideration, as it determines when the cyber security notification obligation is triggered.
The Cyber Security Act 2024 defines a cyber security incident as, “an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system.”
The key terms to note here are “jeopardize” and “adversely affects.” These words help determine the level of materiality and seriousness that will qualify an event as a cyber security incident. Simply put, the act or activity must be serious enough to jeopardize or adversely affect the cyber security of the system in question for it to meet the legal definition and necessitates a notification.
However, while the law does not provide detailed guidance on the exact threshold of jeopardy or adverse effect, a strict reading of the definition suggests that the activity must meet a certain level of seriousness to fall within the scope of the definition and trigger the notification requirement. A reasonable interpretation may indicate that minor attempts at unauthorized access to the IT environment, if detected, prevented, and flagged by routine firewall operations, might not trigger the obligation to notify. In contrast, any successful bypass of the firewall by threat actors—particularly if it jeopardizes or adversely affects cybersecurity—should trigger the notification requirement, regardless of whether the threat is subsequently neutralized, whether the critical IT environment is accessed, or whether disruptions occur. As the regulatory landscape evolves, future regulations or guidelines may offer clearer benchmarks on the level of seriousness or materiality required to qualify as a reportable cybersecurity incident.
3-Step Practical Steps for General Counsels in the Event of a Cybersecurity Incident
With a clear understanding of when the notification obligation will be triggered and what constitutes a cyber security incident, we now present a three-step guide for general counsels and in-house lawyers to follow in the event of such an incident.
Step 1: Immediate Notification Upon Discovery
Once the NCII Entity becomes aware that a cyber security incident has occurred or may have occurred, an authorised person must immediately notify the relevant authorities via electronic means. This first immediate official notification should be sent via email to cert@nc4.gov.my.
It is important to highlight that only an authorised person of the NCII Entity may issue the notification. But who qualifies as an authorised person? According to the Cyber Security Act 2024, an NCII Entity has 21 days from its designation as an NCII Entity to appoint and submit the details of three authorised persons. These individuals must include:
- • One management-level individual that is responsible for overseeing cyber security strategy, risk management, threat detection, and incident response and recovery.
- • Two operational-level individuals that are tasked with handling responses to cyber security incidents.
This means that in the event of a cyber security incident, one of these three authorised persons must promptly notify the authorities as soon as the incident is discovered.
Step 2: Submission of Initial Information within 6 Hours
Within 6 hours of the NCII Entity becoming aware of the cyber security incident, the authorised person must submit the following particulars of information:
- i. The particulars of the authorised person;
- ii. The particulars of the NCII Entity, the NCII sector and the NCII lead to which it relates; and
- iii. Information on the cyber security incident, including the type and description of the cyber security incident, the severity of the cyber security incident, the data and time of the occurrence of the cyber security incident is known, and the method of discovery of the cyber security incident.
Step 3: Supplementary Information within 14 Days
Within 14 days after the initial six-hour notification, the authorised person shall to the fullest extent practicable submit the following supplementary information:
- i. the particulars of the national critical information infrastructure affected by the cyber security incident
- ii. the estimated number of host affected by the cyber security incident;
- iii. the particulars of the cyber security threat actor;
- iv. the artifacts related to the cyber security incident;
- v. the information on any incident relating to, and the manner in which such incident relates to, the cyber security incident;
- vi. the particulars of the tactics, techniques and procedures of the cyber security incident
- vii. the impact of the cyber security incident on the national critical information infrastructure or any computer or interconnected computer system; and
- viii. the action taken.
Seriousness of the Cyber Security Incident Notification Obligation
NCII Entities must approach the cyber security incident notification obligation with utmost seriousness, as non-compliance carries severe penalties. Upon conviction, entities may face fines of up to RM500,000, imprisonment for up to 10 years, or both.
However, compliance with the notification requirement is more than a mere formality. The submission of the notification and incident report has far-reaching implications, as authorities could also scrutinize these reports to assess the NCII Entity’s overall compliance with the Cyber Security Act 2024, including adherence to the prescribed code of practice and best practice guidelines for managing cyber security, and a poorly prepared or mishandled incident report can expose the NCII Entity to deeper regulatory scrutiny, potentially uncovering additional compliance breaches beyond the initial incident. Therefore, these incident reports are not merely procedural requirements, but they carry significant legal and regulatory weight.
Given the complexity and importance of these obligations, NCII Entities are advised to work closely with external counsel familiar with cyber security law, particularly during a cyber security incident. Experienced external counsel can provide critical guidance, ensure the company navigates the notification process correctly, and safeguard the NCII Entity from potential legal and regulatory risks.
For tailored advice and assistance in navigating this new cyber security framework, our Technology Practice Group is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
johnson.ong@hhq.com.my
.
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my.
.
Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications (“TMT”), TMT Disputes
nicole.shieh@hhq.com.my
More of our Tech articles that you should read: