The Cyber Security Act 2024 is now enforced but what exactly is it & how will it impact Malaysians?

24 Sep 2024 • 11:39 AM MYT
ADIL Legal

Ahmad Danial Iswatt & Luqman Advocates & Solicitors. www.adillegal.com


The Cyber Security Bill 2024 was tabled in Parliament by Digital Minister Gobind Singh Deo on 25 March 2024. It has since been passed by the legislative body and made into law following its publication in the Government Gazette on 26 June. In a statement, the Prime Minister’s Office (PMO) announced that Prime Minister Datuk Seri Anwar Ibrahim, as the minister responsible for cyber security, had set the date for the Cyber Security Act 2024 to come into force on 26 August after obtaining the Royal Assent from His Majesty Sultan Ibrahim, King of Malaysia on 18 June.

Furthermore, the regulations under the Act, published in the Government Gazette on 22 August, have also come into force. They include:

  • Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
  • Cyber Security (Notification of Cybersecurity Incidents) Regulations 2024
  • Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024
  • Cyber Security (Compounding of Offences) Regulations 2024

So, what do the new law and regulations entail, and how will they impact Malaysians? Join us as we delve into the Cyber Security Act 2024 below.


Cyber Security Act 2024 and its objectives

According to the Cyber Security Bill 2024 that was tabled in Parliament, the Act is meant to enhance Malaysia’s national cyber security through these means:

  • Establishing the National Cyber Security Committee
  • Prescribing the powers and duties of the Chief Executive of the National Cyber Security Agency (NACSA)
  • Prescribing the functions and duties of the national critical information infrastructure (NCII) sector leads, as well as national critical information infrastructure entities. An NCII includes any computer or computer system which, when disrupted, may impact national security, the economy, public health, public safety or even government functionality
  • Managing cyber security threats and cyber security incidents to national critical information infrastructures
  • Regulating the cyber security service providers via licensing

Everything to know about the National Critical Information Infrastructure (NCII)

For NCIIs, the Cyber Security Act prescribed the following as NCII sectors:

  • Government
  • Banking and Finance
  • Transportation, defence, and national security
  • Information, communication, and digital
  • Healthcare services
  • Water, sewerage, and waste management
  • Energy
  • Agriculture and plantation
  • Trade, industry, and economy
  • Science, technology, and innovation

Moreover, government entities or persons who own or operate NCIIs in the above sectors are considered NCII sector leads, the names of which will be published on NACSA’s website.

Each NCII sector lead will be responsible for designating NCII entities and formulating sector-specific codes of practice. These establish the measures, standards and processes regarding cyber security management.

Accordingly, NCII entities are government entities or persons appointed by an NCII sector lead as the entity or person which owns or operates an NCII. These entities are responsible for:

  • Providing their NCII’s information to the NCII sector leads upon request and notifying them of any change, acquisition or disposal of such NCIIs. Furthermore, any material change relating to the NCII must be notified to the relevant NCII sector lead within 30 days
  • Implementing the codes of practice issued by the relevant NCII sector lead
  • Conducting cyber security risk assessments to ensure compliance with the codes of practice and arranging for external audits to verify their adherence to the Cyber Security Act
  • Reporting incidents or potential incidents in respect of their NCIIs to NACSA's Chief Executive and NCII sector leads promptly

Licensing of Cyber Security Service Providers

As mentioned earlier, the Cyber Security Act 2024 through the Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024 also introduces a licensing framework for cyber security service providers. Accordingly, no entity or person can offer any cyber security service or advertise itself as a cyber security service provider without holding a valid licence.

This is meant to ensure cyber security services, especially those offered by NCIIs, are up to par with international standards. The Act also makes it an offence to provide a cyber security service without a licence, with offenders facing a fine of up to RM500,000, imprisonment of up to 10 years, or both.


Other penalties for offences under the Cyber Security Act 2024

Besides the penalty for providing cyber security services without a licence, the Act also established other penalties for non-compliance, which vary based on the type and severity of the offence.

For NCII entities’ general non-compliance, the penalties include a fine of up to RM100,000 or RM200,000 depending on the offence, imprisonment of up to 3 years or both. These include failing to conduct additional cyber security risk assessments, failing to rectify audit reports upon NACSA Chief Executive's request, or failing to notify NCII sector leads of any material changes relating to the NCII.

Besides that, serious violations of the Cyber Security Act may incur fines of up to RM500,000, up to 10 years in jail, or both. These are for offences such as failing to implement the applicable codes of practice, failing to notify a cyber security incident or non-compliance with the licensing requirements.

Do note that liabilities under the Cyber Security Act also extend to the employees and agents of an offending entity.

The Cyber Security Act 2024 has extra-territorial powers

The Act is empowered with extra-territorial effect and can be applied to any person, regardless of nationality or citizenship, and shall have effect within and outside of Malaysia. Furthermore, offences related to an NCII that is wholly or partly located in Malaysia are within the Act’s scope.

However, while the Federal Government and State Governments are also subject to the Act, no prosecution action can be taken against them for any failure to comply with the provisions of this legislation. It was provided that, in terms of government administration, the government will take all necessary steps to ensure that the provisions of this legislation are fully complied with by agencies under the Federal Government and agencies under the State Governments.

Moving forward, let’s hope that the Cyber Security Act 2024 will stay true to its objectives and provide for better cyber security and resilience for all Malaysians.

