On 27 March 2024, the Cyber Security Bill 2024 (“Bill”) was passed by the Dewan Rakyat.
Malaysia does not currently have an all-encompassing cyber security legislation to safeguard digital infrastructure and the cyber domain. Cyber security requirements currently exist across multiple legislations, including the Personal Data Protection Act 2010, the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, and others. Regulated entities are also subject to cyber security standards prescribed by the regulating authority, e.g. the Securities Commission of Malaysia issued the Guidelines on Management of Cyber Risk in October 2016 and the Guidelines on Technology Risk Management in August 2023.
A summary of the key provisions of the Bill is set out below:
1. Applicability
The Bill has extra-territorial effect and applies in relation to any person, regardless of nationality or citizenship, within as well as outside Malaysia where, for the offence in question, the national critical information infrastructure (“NCII”) is wholly or partly in Malaysia.
While the Federal Government and State Governments will be bound by the Bill when it comes into force, they are not liable to prosecution for any offence under it.
2. National Cyber Security Committee (“NCSC”)
The Bill establishes the NCSC which is tasked with the responsibility of, among others:
- planning, formulating and deciding on policies relating to national cyber security;
- deciding on strategies to address national cyber security matters as well as monitoring the implementation of such strategies;
- advising and making recommendations to the Federal Government on policies and measures to strengthen national cyber security;
- giving directions to the Chief Executive of the National Cyber Security Agency and NCII sector leads on national cyber security matters; and
- overseeing the effective implementation of the Bill when it comes into force.
3. Chief Executive of the National Cyber Security Agency (“Chief Executive”)
The National Cyber Security Agency (NACSA) was established in February 2017 as the national lead agency for cyber security matters. Under the Bill, the Chief Executive has, among others, the following duties:
- advising and making recommendations to the NCSC on policies and measures relating to national cyber security, implementing such policies and measures and monitoring the implementation of the foregoing;
- collecting, coordinating, evaluating and correlating data, information or intelligence relating to national cyber security and disseminating the foregoing to the NCII sector leads or NCII entities if deemed essential in the interest of national cyber security; and
- establishing and maintaining the “National Cyber Coordination and Command Centre System”, a national cyber security system for dealing with cyber security threats and cyber security incidents.
4. NCII Sectors
The following have been specified as NCII sectors under the Bill:
- the Government;
- banking and finance;
- transportation;
- defence and national security;
- information, communication and digital;
- healthcare services;
- water, sewerage and waste management;
- energy;
- agriculture and plantation;
- trade, industry and economy; and
- science, technology and innovation.
5. NCII Sector Lead(s)
Under the Bill, the Minister charged with the responsibility of cyber security (“Minister”) may, upon the recommendation of the Chief Executive, appoint any government entity or person to be the NCII sector lead(s) for each of the NCII sectors.
Functions of the NCII sector lead(s), in respect of the NCII sector for which it is appointed, include, among others:
- designating any government entity or person as an NCII entity (further details below);
- preparing a code of practice (“Practice Codes”) and guidelines on best practices in relation to cyber security management;
- implementing the decisions of the NCSC and directives made under the Bill when it comes into force; and
- monitoring and ensuring that NCII entities carry out obligatory duties imposed upon them.
6. NCII Entities
Where an NCII sector lead is satisfied that a government entity or person owns or operates an NCII, such government entity or person may be designated as an NCII entity, provided that a government entity can only be designated as an NCII entity by an NCII sector lead which is itself a government entity. An NCII sector lead may also be designated as an NCII entity by the Chief Executive.
Under the Bill, “NCII” is defined as a computer or computer system the disruption to or destruction of which would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.
NCII entities may lose their designations as an NCII entity where the NCII sector lead or, in the case of an NCII sector lead which has been designated as an NCII entity, the Chief Executive is satisfied that the NCII entity no longer owns or operates any NCII.
7. Requirements of NCII Entities
Under the Bill, NCII entities are required to, among others:
- implement the measures, standards and processes as specified in the Practice Codes;
- conduct a cyber security risk assessment in respect of the NCII owned or operated;
- cause to be carried out an audit by an approved auditor to determine compliance with the Bill;
- submit the cyber security risk assessment or audit report to the Chief Executive within 30 days from completion of the assessment or audit;
- notify the Chief Executive and the relevant NCII sector lead(s) on any cyber security incident which has or might have occurred in respect of the NCII owned or operated; and
- provide information relating to NCII owned or operated upon a request by the NCII sector lead(s) or when the NCII entity procures or has come into possession or control of any additional computer or computer system which, in its opinion, is an NCII.
8. Cyber Security Incidents
Where a cyber security incident report has been made by an NCII entity, under the Bill, the Chief Executive is required to instruct an authorised officer to investigate the cyber security incident to determine if it has in fact occurred and, where it has, to determine the measures necessary to respond to or recover from such incident and to prevent a recurrence.
9. Licensing Requirement for Cyber Security Service Providers
Under the Bill, any person who provides a cyber security service or advertises, or in any way holds himself out as a cyber security service provider is required to hold a licence unless the service is being provided by a company to its related company.
The Bill does not specify what constitutes a “cyber security service”, the scope of which is left to the determination of the Minister.
Moving Forward
In compliance with the relevant regulatory guidelines, some regulated entities such as those regulated by the Bank Negara Malaysia, Securities Commission Malaysia, and the Labuan Financial Services Authority would already have cyber security policies, incident reporting obligations, business continuity systems, and emergency communications plans in place. The extension of such cyber security measures to the other identified NCII sectors where NCII sector lead(s) are empowered to issue industry-specific Practice Codes that are tailored to the nuances and unique risks of the industry will further strengthen Malaysia’s cyber security posture.
The establishment of the NCSC as a centralised authority to streamline efforts and ensure coordination among the different NCII sector lead(s) and industry stakeholders is crucial. Malaysia will undoubtedly benefit from a centralised committee to oversee cyber security threats and vulnerabilities of the Malaysian digital ecosystem, with a consolidated view and cohesive approach to identifying such threats and vulnerabilities, assessing cyber risks, and developing a national strategy to implement mitigation measures.
Cyber security has been identified as a tech enabler under the Program Mangkin Malaysia Digital (Pemangkin). In 2023, the Malaysia Digital Economy Corporation (MDEC) allocated RM238 million for the 2023-2025 period to support new initiatives under Pemangkin, including RM45 million for tech enablers. In light of these initiatives, cyber security service providers such as those in the business of penetration testing, independent cyber audits, and cloud security services will inevitably play an increasingly important role in the country’s digital scene. Through the Malaysia Digital initiative, cyber security providers may apply for the Malaysia Digital Status which offers tax incentives, foreign knowledge worker quota and passes, and community benefits such as business matching and partnerships.
The passing of the Bill is laudable and a timely step in the digital age where cyber attackers and defenders are drawn into a continuous cat-and-mouse game amidst the dynamic cyber threat landscape. It demonstrates the country’s commitment to building its digital infrastructure ecosystem to further spur the digital evolution in Malaysia. As Malaysia advances towards a tech-driven economy, bolstering the nation’s cyber security posture with a robust cyber security framework is likely to promote greater confidence among international partners and investors and bring the country closer towards becoming ASEAN’s digital capital.
The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.
Hui Lynn Tan, Partner, Malaysia