
Top 10 FAQs on Licensing for Cyber Security Service Providers Under the Cyber Security Act 2024

With the enforcement of the Cyber Security Act 2024, one of the key concerns is the licensing requirements for cyber security service providers.

According to the latest information published by the National Cyber Security Agency (“NACSA”), licensing applications for cyber security service providers will officially commence on 1 October 2024, which is just around the corner. Despite the urgency and tight deadlines, confusion persists in the market about who needs to apply for a license, what is actually defined as cyber security service, and the consequences of non-compliance.

Therefore, this article seeks to address the top 10 most frequently asked concerns regarding the cyber security service provider licensing requirement.

1. When Can Cyber Security Service Providers Apply for a License, and Is There a Grace Period?

The first question on the minds of many in the industry is when exactly they can apply for the license and whether there is a grace period for obtaining one. The licensing application will formally begin on 1 October 2024, and there will indeed be a three-month grace period ending on 31 December 2024.

During this grace period until 31 December 2024, cyber security service providers may continue to operate without a license. However, once the grace period lapses on 1 January 2025, it will be unlawful to offer cyber security services without the necessary licensing in place.

2. Who Needs to Apply for the Cyber Security Service Provider License?

The next question is: “Who exactly needs to apply for a cyber security service provider license?” The Cyber Security Act 2024 is unequivocally clear on this matter—any company that intends to (i) provide any cyber security service or (ii) advertise itself as a cyber security service provider is required to obtain a cyber security service provider license.

This straightforward provision ensures that there is no ambiguity and leaves little room for interpretation—whether you are actively delivering cyber security services or merely advertising that you are providing cyber security services, a license will be mandatory.

3. What Exactly Constitutes a “Cyber Security Service”?

A natural follow-up question is what exactly constitutes a “cyber security service.”

The term “cyber security service” can be broad, and therefore, the Cyber Security Act 2024 narrows down the focus, making it clear that the cyber security service license is applicable only to two specific types of services:

  1. Managed Security Operation Centre Monitoring Services, and
  2. Penetration Testing Services.

Managed Security Operation Centre Monitoring Service

Managed security operation centre monitoring service refers to the monitoring of cyber security levels to identify or detect cyber security threats, determine the necessary measures to respond to or recover from any cyber security incidents, and prevent such incidents from occurring in the future.

Penetration Testing Service

Penetration testing service involves assessing, testing, or evaluating the level of cyber security. It includes the following activities:

  1. Determining cyber security vulnerabilities and demonstrating how these vulnerabilities may be exploited;
  2. Testing the organization’s ability to identify and respond to cyber security incidents through simulated attempts to penetrate its cyber security defenses;
  3. Identifying and measuring cyber security vulnerabilities, and preparing appropriate mitigation procedures to eliminate or reduce these vulnerabilities to an acceptable level of risk; or
  4. Utilizing social engineering techniques to assess the level of an organization’s vulnerability to cyber security threats.

In essence, any company that provides either managed security operation centre monitoring services or penetration testing services, as described above, will need to obtain a cyber security service provider license.

4. Can a Cyber Security Service Provider Offer Both Services? Do They Need Separate Licenses?

The fourth question often posed is whether a cyber security service provider can offer both managed security operation centre monitoring services and penetration testing services, and whether separate licenses are required for each.

The answer is yes. A cyber security service provider can concurrently offer both managed security operation centre monitoring services and penetration testing services, and only one license is necessary for both services. However, if the initial application covers only one type of cyber security service—say, managed security operation centre monitoring services—then the company would need to apply for another license if it later intends to offer penetration testing services.

Hence, if a company plans to provide both types of services, it is advisable to apply for both in the same license to avoid unnecessary complications down the line.

5. Do Subcontractors or Third-Party Providers to the Main Contractor Require an Independent License?

A common scenario in the cyber security sector involves service providers fulfilling their contractual obligations through subcontractors or third parties. This raises a critical question: Do subcontractors or third parties providing cyber security services on behalf of a main contractor also need to be licensed?

The answer is yes. If a subcontractor or third-party provider delivers cyber security services on behalf of a main contractor, they are required to obtain an independent license. This requirement ensures that all entities directly involved in the provision of cybersecurity services are appropriately regulated, maintaining the integrity and security standards envisioned by the Act.

6. Is a License Required if the Cyber Security Service is Only Provided to Related Companies?

Another area of concern is whether a company providing cyber security services exclusively to its related companies is required to obtain a license.

The answer depends on the nature of the service provision. If the company offers cyber security services solely to its related companies, such as its holding company, subsidiaries, or fellow subsidiaries under the same holding company, it is not required to obtain a license. However, if the company intends to extend its services beyond this intra-group structure to other companies, a license becomes mandatory.

Typically, the term “related company” refers to companies within the same corporate group, including the holding company, any subsidiary, or a subsidiary of the holding company.

7. Is a License Required if the Cyber Security Service is Only Provided to Overseas Companies?

The next question is whether a cyber security service provider needs a license if it only provides services to companies located outside Malaysia.

The licensing requirement hinges on the location of the service recipients. If the cybersecurity service provider exclusively serves companies located overseas, there is no need to apply for a license. However, if the service provider offers cyber security services to companies located both overseas and within Malaysia, a license will be required.

8. Do Foreign Cyber Security Service Providers Require a License if They Have Already Obtained a License from a Different Jurisdiction?

Another frequently asked question is whether foreign companies that have already obtained a cybersecurity license from another jurisdiction need to apply for a Malaysian license.

The simple answer is yes—if a foreign company intends to provide cyber security services to companies in Malaysia, it must obtain a local license, regardless of whether it already holds a license in another jurisdiction. However, there is an exception: If the foreign company provides cyber security services solely to its related company registered in Malaysia, it would not require a separate license, as it is only serving its intra-group counterpart.

9. How Will Companies Know if a Cyber Security Service Provider is Licensed?

To facilitate transparency and compliance, NACSA will publish a list of licensed cyber security service providers on its licensing portal once the approval process is completed. This list will serve as a reference for companies seeking to engage legitimate and authorized service providers.

It is advisable for companies to verify the licensing status of their potential cyber security partners to mitigate any risks associated with engaging unlicensed providers.

10. What are the Consequences of Non-Compliance for Providing Cyber Security Services Without a License?

The consequences of non-compliance with the licensing requirements under the Cyber Security Act 2024 are severe. Any person found providing cybersecurity services without the required license may, upon conviction, be liable to a fine not exceeding RM500,000, imprisonment for a term not exceeding 10 years, or both.

Such stringent penalties highlight the critical importance of adhering to the licensing requirements and should serve as a wake-up call for all cyber security service providers to ensure compliance.

Conclusion

The message is clear and loud that all cyber security service providers must comply with the Cyber Security Act 2024 and its licensing requirements. With the application process set to begin on 1 October 2024 and a three-month grace period provided, it is imperative that all cyber security service providers familiarize themselves with the application procedures.

For those who require assistance with the application process or have questions about the new regulatory landscape, our Technology Practice Group is ready to provide the necessary support and guidance to ensure compliance. Please do not hesitate to reach out to us should you require assistance with the application process or need further advice on compliance with the Cyber Security Act 2024.


About the authors

Ong Johnson
Partner
Head of Technology Practice Group

Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my
