The Cyber Security Act 2024 is now in force, but what exactly is it & how will it impact Malaysians?
The Cyber Security Bill 2024 was tabled in Parliament by Digital Minister Gobind Singh Deo on 25 March 2024, has since been passed by Parliament, and was made into law when it was published in the Government Gazette on 26 June. In a statement, the Prime Minister’s Office (PMO) announced that Prime Minister Datuk Seri Anwar Ibrahim, as the minister responsible for cyber security, had set 26 August as the date for the Cyber Security Act 2024 to come into force, after the Royal Assent was obtained from His Majesty Sultan Ibrahim, King of Malaysia, on 18 June.
Furthermore, the regulations under the Act have also come into force after being published in the Government Gazette on 22 August, which include:
Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
Cyber Security (Notification of Cybersecurity Incidents) Regulations 2024
Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024
Cyber Security (Compounding of Offences) Regulations 2024
So, what do the new law and regulations entail, and how will they impact Malaysians? Well, join us as we delve into the Cyber Security Act 2024 below.
Before that, if you’re interested in more insights into the Malaysian legal system like this, do follow ADIL Legal on Facebook and Instagram or visit our official website. You can also read our articles on the popular Malaysian news aggregator app Newswav here.
Cyber Security Act 2024 and its objectives
According to the Cyber Security Bill 2024 that was tabled in Parliament, the Act is meant to enhance Malaysia’s national cyber security through these means:
Establishing the National Cyber Security Committee
Prescribing the powers and duties of the Chief Executive of the National Cyber Security Agency (NACSA)
Prescribing the functions and duties of the national critical information infrastructure (NCII) sector leads, as well as of national critical information infrastructure entities. An NCII is any computer or computer system whose disruption may impact national security, the economy, public health, public safety or even the functioning of government
Managing cyber security threats and cyber security incidents to national critical information infrastructures
Regulating the cyber security service providers via licensing
Everything to know about the National Critical Information Infrastructure (NCII)
For NCIIs, the Cyber Security Act prescribes the following as NCII sectors:
Government
Banking and Finance
Transportation, defence, and national security
Information, communication, and digital
Healthcare services
Water, sewerage, and waste management
Energy
Agriculture and plantation
Trade, industry, and economy
Science, technology, and innovation
Moreover, government entities or persons who own or operate NCIIs in the above sectors are considered NCII sector leads, the names of which will be published on NACSA’s website.
Each NCII sector lead will be responsible for designating NCII entities and formulating sector-specific codes of practice. These establish the measures, standards and processes regarding cyber security management.
Accordingly, NCII entities are government entities or persons appointed by an NCII sector lead as the entity or person which owns or operates an NCII. These entities are responsible for:
Providing their NCII’s information to the NCII sector leads upon request and notifying them of any change, acquisition or disposal of such NCIIs. Furthermore, any material change relating to the NCII must be notified to the relevant NCII sector lead within 30 days
Implementing the codes of practice issued by the relevant NCII sector lead
Conducting cyber security risk assessments to ensure compliance with the codes of practice, and arranging for external audits to verify their adherence to the Cyber Security Act
Promptly reporting incidents or potential incidents in respect of their NCIIs to NACSA’s Chief Executive and to the NCII sector leads
Licensing of Cyber Security Service Providers
As mentioned earlier, the Cyber Security Act 2024 through the Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024 also introduces a licensing framework for cyber security service providers. Accordingly, no entity or person can offer any cyber security service or advertise itself as a cyber security service provider without holding a valid licence.
This is meant to ensure cyber security services, especially those offered by NCIIs, are up to par with international standards. The Act also makes it an offence to provide a cyber security service without a licence, with offenders facing a fine of up to RM500,000, imprisonment of up to 10 years, or both.
Other penalties for offences under the Cyber Security Act 2024
Besides the penalty for providing cyber security services without a licence, the Act also establishes other penalties for non-compliance, which vary based on the type and severity of the offence.
For NCII entities’ general non-compliance, the penalties include a fine of up to RM100,000 or RM200,000 depending on the offence, imprisonment of up to 3 years, or both. These offences include failing to conduct additional cyber security risk assessments, failing to rectify audit reports upon the NACSA Chief Executive’s request, or failing to notify NCII sector leads of any material changes relating to the NCII.
Besides that, serious violations of the Cyber Security Act may incur fines of up to RM500,000, up to 10 years in jail, or both. These apply to offences such as failing to implement the applicable codes of practice, failing to notify of a cyber security incident, or non-compliance with the licensing requirements.
Do note that liabilities under the Cyber Security Act also extend to the employees and agents of an offending entity.
The Cyber Security Act 2024 has extra-territorial powers
The Act has extra-territorial effect: it applies to any person, regardless of nationality or citizenship, and has effect both within and outside Malaysia. Furthermore, offences relating to an NCII that is wholly or partly located in Malaysia fall within the Act’s scope.
However, while the Federal Government and State Governments are also subject to the Act, no prosecution can be brought against them for any failure to comply with its provisions. The Act provides that, in terms of government administration, the Government will take all necessary steps to ensure that its provisions are fully complied with by agencies under the Federal Government and by agencies under the State Governments.
Moving forward, let’s hope that the Cyber Security Act 2024 will stay true to its objectives and provide for better cyber security and resilience for all Malaysians.