GUIDE ON MALAYSIA’S CYBER SECURITY ACT 2024

Introduction to the Digital Era

The rapid evolution of Information and Communications Technology (ICT) has propelled the world into a digital age where technologies such as mobile, social media, Big Data, Internet of Things (IoT), Artificial Intelligence (AI), and cloud computing are integral to global operations across government and business sectors. While these advancements have brought unprecedented connectivity and efficiency, they have also exposed societies and economies to new vulnerabilities in the form of cyber threats.


Incidents such as the 2012 Shamoon malware attack on Saudi Aramco[1], the 2021 Colonial Pipeline ransomware attack[2], and the 2024 CrowdStrike incident[3] underscore the critical importance of robust cyber security frameworks. In Malaysia, reports have shown a significant increase in cyber-attacks across various sectors from 2016 to 2018[4], emphasizing the urgent need for comprehensive cyber security measures that safeguard public interests, cross-sector operations, and international relations.

National Cyber Security Policy (NCSP) 2006

As early as the 2000s, cyber security challenges arose from the advancement of technology. In response to these challenges, Malaysia formulated the National Cyber Security Policy (NCSP) in 2006. This policy aimed to protect Critical National Information Infrastructure (CNII) across ten key sectors, including national defence, banking and finance, energy, transportation, and healthcare. The NCSP laid a foundational framework for Malaysia’s approach to cyber security, adapting over time to encompass the evolving digital landscape and information infrastructure of the nation[5].

Malaysia’s National Cyber Security Agency

To further strengthen cyber security efforts, Malaysia established the National Cyber Security Agency (NACSA) in February 2017. NACSA serves as the nation’s principal authority on cyber security, coordinating national efforts and implementing strategies outlined in directives such as National Security Council Directive No. 26. This agency plays a pivotal role in ensuring a cohesive and effective defense against cyber threats[6].

The Cyber Security Act 2024

In June 2024, Malaysia introduced the Cyber Security Act 2024 (“Act”), landmark legislation aimed at enhancing the country’s cyber security framework. The Act introduces several key provisions:

  1. Establishment of the National Cyber Security Committee: The Act establishes the National Cyber Security Committee (“Committee”) to formulate policies, strategies, and directives related to national cyber security. It oversees the implementation of the Act and advises the Federal Government on strengthening cyber security measures[7];

  2. Empowerment of NACSA’s Roles: NACSA’s role is bolstered under the Act, empowering its Chief Executive with significant duties such as implementing cyber security policies[8], issuing directives[9], and maintaining a National Cyber Coordination and Command Centre System to manage cyber security threats[10]. Throughout the Act, the Chief Executive’s roles and duties are expressly stated, with both the management of NCII Sector Leads and the management of cyber incidents to be overseen by the Chief Executive;

  3. Definition of Cyber Security Incident and Cyber Security Threat: Pursuant to Section 4 of the Act, a “cyber security incident” means an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cyber security of that computer or computer system or another computer or computer system.

A “cyber security threat”, on the other hand, means an act or activity carried out on or through a computer or computer system, without lawful authority, that may imminently jeopardize or may adversely affect the cyber security of that computer or computer system or another computer or computer system.

  4. Protection of National Critical Information Infrastructure: The Act specifically defines National Critical Information Infrastructure (“NCII”) as a computer or computer system the disruption to or destruction of which would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively[11].

With this definition, the Act further identifies, in its Schedule, the sectors to which the NCII relates (“NCII Sectors”). These sectors are: Government; Banking and Finance; Transportation; Defence and National Security; Information, Communication and Digital; Healthcare Services; Water, Sewerage and Waste Management; Energy; Agriculture and Plantation; Trade, Industry and Economy; and Science, Technology and Innovation.

  5. NCII Sector Lead: The Minister, on the advice of the Chief Executive, will appoint a Government Entity or a person for each NCII Sector as the NCII Sector Lead. These NCII Sector Leads are responsible for the following:
    • Designation of an NCII Entity[12]: An NCII Sector Lead may designate any Government Entity or person as an NCII Entity if it is satisfied that the said Government Entity or person owns or operates an NCII[13]. The NCII Sector Lead may require the Government Entity or person to produce any information, particulars or document relating to the design of the computer or computer system owned or operated by that Government Entity or person[14];
    • Preparation of a Code of Practice[15]: An NCII Sector Lead shall prepare a code of practice containing the measures, standards and processes to ensure the cyber security of the NCII within the NCII Sector for which it is responsible. The factors and considerations in preparing this code of practice are listed in Section 25(2) of the Act;
    • Implementing the Decisions of the Committee and Monitoring the Actions of the NCII Entities: NCII Sector Leads have the responsibility to implement the Committee’s decisions[16] and to monitor the actions required of and imposed on the NCII Entities[17];
    • Preparing and Submitting a Situational Report to the Chief Executive[18]: The NCII Sector Lead shall prepare and submit a situational report to the Chief Executive if there is a cyber security threat or cyber security incident that has affected the NCII within its NCII Sector.

An NCII Sector may also have two or more NCII Sector Leads[19]. This may depend on the complexity and the needs of the sector, since a single NCII Sector can encompass multiple industries. For example, the energy sector, in its generic sense, involves several core industries such as electricity, oil and gas, and renewable energy. It is also pertinent to note that an NCII Sector Lead may itself be an NCII Entity, in which case the designation is carried out by the Chief Executive[20].

  6. NCII Entities: NCII Entities are designated by the NCII Sector Lead, in such manner as determined by the Chief Executive, if the NCII Sector Lead is satisfied that the Government Entity or person owns or operates an NCII.

The Act imposes several duties on NCII Entities. The duties are:

    • Duty to Provide Information When Requested: NCII Entities have the duty to provide information relating to the NCII if requested by the NCII Sector Lead[21];
    • Duty to Notify of Additional Computers or Computer Systems: If an NCII Entity procures, or comes into possession or control of, any additional computer or computer system which, in the opinion of the NCII Entity, is an NCII, information on that additional computer or computer system shall be provided to the respective NCII Sector Lead[22]. In respect of this duty, each NCII Entity will likely need procedures in place to ensure that the duty is carried out as imposed by the Act;
    • Duty to Provide Information on Changes Made to the NCII: If there is a material change to the design, configuration, security or operation of the NCII owned or operated by the NCII Entity, information on that material change shall be provided to the NCII Sector Lead within thirty (30) days from the date the change was completed[23]. A change is considered material if it affects or may affect the cyber security of the NCII or the ability of the NCII Entity to respond to a cyber security threat or cyber security incident[24];
    • Duty to Implement the Code of Practice: An NCII Entity shall implement the measures, standards and processes specified in the code of practice formulated by the NCII Sector Lead[25]. However, additional measures, standards or processes may be implemented on the condition that they provide an equal or higher level of protection to the NCII owned or operated by the NCII Entity;
    • Duty to Conduct Cyber Security Risk Assessments and Audits: An NCII Entity shall conduct cyber security risk assessments on its NCII in accordance with the code of practice and directives[26]. An NCII Entity shall also cause an audit to be carried out by an auditor approved by the Chief Executive to determine its compliance with the Act[27]. These risk assessments and audits shall be reported to the Chief Executive within 30 days after their completion[28]; and
    • Duty to Notify of Cyber Security Incidents: If it comes to the knowledge of an NCII Entity that a cyber security incident has occurred or might have occurred, the said NCII Entity shall notify the Chief Executive and its respective NCII Sector Lead of such information[29].

  7. Licensing Regime for Cyber Security Services[30]: The Act introduces licensing requirements for cyber security service providers to ensure competence and accountability in protecting NCII. Licensees must adhere to standards set by NACSA and maintain records of their services;
  8. Management of Cyber Security Incidents: The Chief Executive of NACSA has the authority to instruct an authorized officer to investigate cyber security incidents affecting NCII[31]. This includes issuing directives to NCII Entities to respond to incidents promptly and prevent future occurrences[32].

Conclusion

The Cyber Security Act 2024 represents a pivotal milestone in Malaysia’s efforts to fortify its cyber defenses amidst growing cyber threats globally. By establishing a robust legal framework, enhancing regulatory oversight, and empowering NACSA, Malaysia aims to safeguard its critical information infrastructures and ensure resilience in an increasingly digital world.

This legislation not only addresses current cyber security challenges but also prepares Malaysia to adapt to future threats and technological advancements. As digital connectivity continues to expand, the implementation of the Cyber Security Act 2024 is crucial to, and to be applauded for, maintaining national security, economic stability, and public trust in the digital age.

For personalised legal and compliance support, please reach out to our Dispute Resolution Partner, Mr. Brandon Cheah (brandon@nzchambers.com) or Senior Associate, Mr. Azrul Haziq Khirullah (azrul@nzchambers.com). We are here to help you achieve compliance and manage these regulatory updates effectively.

Authors:

  1. Brandon Cheah
  2. Azrul Haziq Khairullah