INTRODUCTION
ESG (environmental, social and governance) and data governance are now hard expectations that shape how Malaysian companies are regulated, financed and perceived. As ESG disclosure, climate‑risk and data protection rules tighten, governance gaps, especially around cybersecurity, third‑party data handling, AI use and board oversight, can quickly lead to regulatory penalties, litigation, reputational harm and even derivative actions. This article briefly maps the Malaysian ESG landscape and the Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024 (Act A1727) (collectively, “PDPA”), highlights key data and internal governance risks, and outlines practical board‑level steps such as ESG disclosure audits, stronger data governance, third‑party risk controls, targeted training and crisis protocols to build more resilient and defensible corporate structures.
REGULATORY LANDSCAPE FOR ESG
The Securities Commission Malaysia (SC) embeds ESG expectations mainly through the Malaysian Code on Corporate Governance (MCCG) and related guidance rather than a standalone “ESG Act.” The 2021 iteration of the MCCG explicitly strengthens the role of the board and senior management in managing sustainability risks and opportunities, including climate, and encourages companies to appoint a dedicated management‑level person to focus on sustainability. The SC has also worked with the World Bank on an ESG Disclosure Assessment of Malaysian listed companies to set a baseline and inform future policy development on sustainability reporting.[1] In addition, the SC has initiated a broader review of Malaysia’s corporate governance framework (including consultation steps from December 2025 to February 2026), which may lead to revisions to governance guidance (including MCCG-related instruments) once formally issued[2].
Bursa Malaysia has strengthened its sustainability regime through an enhanced Sustainability Reporting Framework that sets the baseline for ESG disclosures by listed companies. Crucially, this has now been elevated by the National Sustainability Reporting Framework (NSRF) published on 24 September 2024, which positions IFRS S1 and IFRS S2 (the ISSB Standards) as the baseline sustainability disclosure standards in Malaysia, with phased adoption timelines set out under the NSRF and the related Bursa Malaysia listing requirements[3]. Accordingly, Sustainability Statements in annual reports are moving toward NSRF-aligned disclosure expectations, and issuers should treat sustainability disclosures as governance-grade reporting supported by disclosure controls and verification trails.
In 2023, amendments to the Main Market, ACE Market and LEAP Market Listing Requirements also introduced mandatory sustainability training for directors and more detailed disclosure of sustainability management practices, reinforcing director accountability and market transparency[4]. For financial institutions, Bank Negara Malaysia (BNM) has further tightened oversight by issuing an updated Climate Risk Management and Scenario Analysis (CRMSA) policy document (issued 17 March 2025), which sets expectations for climate‑risk management, scenario analysis and related disclosures aligned with global standards[5].
MALAYSIAN DATA PROTECTION FRAMEWORK
The PDPA is Malaysia’s primary statute governing the processing of personal data in commercial transactions. It imposes seven personal data protection principles (general, notice and choice, disclosure, security, retention, data integrity and access) on “data controllers” and applies to personal data processed in respect of commercial transactions in Malaysia, subject to certain sectoral exclusions. Importantly, unlike many foreign regimes, the PDPA does not generally apply to the Federal or State Governments, though GLCs organised as commercial entities do fall within its scope.
The Personal Data Protection Commissioner (PDPC) is responsible for administering and enforcing the PDPA, including registration of certain classes of data controllers, issuance of codes of practice and guidelines, and enforcement actions. The PDPC also issues guidance on cross‑border data transfers, data breach handling and emerging issues such as artificial intelligence, and plays a central role in operationalising the 2024 amendments through subsidiary legislation and guidance. In enforcement, the PDPC can investigate complaints, conduct inspections and recommend prosecution for PDPA offences, which are criminal in nature.
The Personal Data Protection (Amendment) Act 2024 (gazetted in October 2024 and brought into force in phases during 2025) introduces several significant changes that tighten Malaysia’s data governance regime. Key reforms include: (i) extending direct legal obligations to data processors (not only data controllers), (ii) mandatory appointment of a data protection officer in specified circumstances, and (iii) a statutory data breach notification obligation to the PDPC and, where a breach is likely to cause significant harm, to affected data subjects. The amendment also substantially increases penalties for non‑compliance with the personal data protection principles, raising the maximum to a fine of RM1 million and/or imprisonment of up to three years (from RM300,000 and two years), and introduces specific offences for failure to notify data breaches[6].
Alongside the PDPA, corporates must now also navigate the Cyber Security Act 2024 (Act 854), in force since 26 August 2024, which imposes cyber risk assessment, auditing and incident reporting obligations on entities designated as National Critical Information Infrastructure (NCII)[7].
For Malaysian corporates, the convergence of ESG and data governance means boards must treat sustainability reporting, climate‑risk expectations from financiers, and PDPA compliance (including cyber‑resilience and breach response capabilities) as integrated elements of overall corporate governance rather than separate technical issues. Public‑listed companies, GLCs and increasingly sophisticated SMEs that strengthen their ESG and data governance frameworks will be better positioned to meet regulatory expectations, attract capital, satisfy multinational counterparties and manage evolving litigation and enforcement risks.
CORPORATE DATA RISK
The rapid increase in cross-border data transfers has heightened the risk that a data breach extends across organisations and jurisdictions, complicating both regulatory compliance and enforcement exposure. As businesses become more digitally interconnected, corporate data risks are no longer confined to a single entity or territory. Key areas of exposure include the following:
I. Data breaches and cybersecurity failures
Data breaches and cybersecurity incidents remain among the most significant risks facing corporates. Unauthorised access, ransomware attacks and exploited system vulnerabilities may result in regulatory investigations, financial penalties, civil liability, operational disruption and long-term reputational damage. Beyond immediate financial loss, such incidents can erode stakeholder confidence and trigger heightened regulatory scrutiny. Under the Cyber Security Act 2024 the margin for error has shrunk considerably: NCII entities must notify the National Cyber Coordination and Command Centre System (NC4S) within six hours of becoming aware of a cyber security incident[8].
II. Weak data governance policies
Insufficiently developed data governance policies, including unclear data ownership, retention practices and access controls, significantly increase the risk of compliance breaches, operational failures and regulatory enforcement. In particular, the absence of a formal PDPA policy exposes the organisation to legal penalties, reputational damage and potential liability in the event of a personal data breach. Establishing and enforcing clear PDPA-compliant policies is therefore critical to safeguarding both corporate and personal data. With the 2024 PDPA amendments making the appointment of a Data Protection Officer (DPO) mandatory for data controllers and processors in the specified circumstances, operational ownership of these policies is now a statutory requirement for those organisations, and good practice for the rest.
III. Use of AI and automated decision-making
The deployment of artificial intelligence (AI) and automated decision-making tools introduces new and amplified governance, operational, and compliance risks that organisations must actively manage. Concerns relating to algorithmic bias, transparency, explainability, and accountability are increasingly attracting regulatory scrutiny worldwide. To manage these risks, companies should align with the National Guidelines on AI Governance & Ethics (AIGE) issued by MOSTI in late 2024, which establishes core principles such as fairness, privacy, transparency, and accountability[9].
Without proper oversight, risk assessments, and clear documentation, organisations may face legal challenges, regulatory intervention, and reputational harm arising from flawed, discriminatory, or opaque automated systems. Additionally, the use of generative AI tools in the workplace including platforms such as ChatGPT may create inadvertent data protection and confidentiality risks where employees input sensitive corporate, personal, or proprietary information into external systems. Absent clear internal policies and safeguards, such practices may result in unintended data disclosures, loss of confidentiality, or potential breaches of statutory and contractual obligations.
IV. Third-party/vendor risk exposure and Cross-border data transfers
The PDPA Amendment Act 2024 materially alters vendor management by applying the Security Principle directly to data processors. Processors now face direct criminal liability for failing to implement appropriate technical and organisational security measures, and corporates should review and update existing data processing agreements accordingly. At the same time, the regime for exporting personal data has shifted away from the former whitelist approach: transfers are permitted to jurisdictions whose law is substantially similar to, or provides protection at least equivalent to, the PDPA, or otherwise under the statutory exceptions and approved safeguards such as Standard Contractual Clauses (SCCs), all of which demand rigorous compliance tracking[10].
INTERNAL GOVERNANCE FAILURES
Effective corporate governance is critical to managing ESG and data-related risks. Failures in oversight, inadequate controls, or lack of board-level accountability can expose organisations and their directors to legal, financial, and reputational consequences. Understanding these governance gaps is essential to strengthening risk management and ensuring compliance.
I. Duty to exercise reasonable care, skill and diligence
Directors owe statutory duties under Section 213 of the Companies Act 2016: to act in good faith in the best interest of the company (Section 213(1)) and to exercise reasonable care, skill and diligence in the discharge of their responsibilities (Section 213(2))[11]. These duties extend to oversight of ESG matters where such obligations are applicable, particularly for public-listed companies subject to regulatory and disclosure requirements. Boards must ensure that sustainability considerations are fully integrated into the company’s overall business strategy, with clearly defined objectives, measurable targets and accountability frameworks established and monitored by senior management. Failure to properly identify, assess and monitor ESG and data-related risks may expose directors to personal liability, shareholder actions and regulatory scrutiny.
II. Oversight responsibility over ESG and data governance frameworks
Boards are increasingly expected to provide active oversight of ESG strategies and data governance structures. Inadequate supervision, lack of reporting mechanisms, or failure to integrate these risks into enterprise risk management frameworks may constitute a breach of governance obligations.
III. Lack of board-level ESG oversight
The absence of a clear board mandate or a designated committee responsible for ESG matters may result in fragmented accountability, inconsistent disclosures, and weak alignment between sustainability objectives and overall business strategy. This risk is further compounded by the lack of standardisation across industries and limited expertise in ESG measurement and reporting, which may lead to inaccurate disclosures, inadequate benchmarking, and increased exposure to regulatory and stakeholder scrutiny.
IV. Risk of derivative actions and litigation
Legal exposure regarding ESG is escalating from theoretical risk to actual litigation. This is evidenced by Malaysia’s first major greenwashing climate litigation case filed in late 2025 by RimbaWatch, which seeks judicial review to compel regulatory authorities to investigate misleading corporate environmental claims. This signals a new era where stakeholders will actively use the courts to enforce ESG accountability[12].
PRACTICAL RISK MITIGATION STRATEGIES
For companies that have yet to significantly integrate ESG and data governance into their corporate structures, a practical starting point is the establishment of dedicated sustainability and data governance committees. Such committees serve not merely as symbolic structures, but as formal mechanisms to ensure that ESG considerations and data integrity are systematically reviewed, monitored, and embedded within corporate decision-making processes. By placing these issues firmly on the corporate agenda, companies signal that ESG and data governance are matters of strategic and legal importance rather than peripheral compliance exercises.
As ESG and data governance increasingly shape the regulatory landscape in Malaysia, corporates must move beyond surface-level compliance and adopt a structured, forward-looking approach to risk management. Heightened scrutiny from Bursa Malaysia, sectoral regulators, investors and civil society means that legal exposure today often arises not only from deliberate misconduct, but from inadequate systems, weak oversight or poor documentation. In this environment, the absence of proper governance structures may itself be construed as a failure of reasonable care, and this is where the work of such committees remains significantly relevant.
One of the most critical safeguards is the implementation of structured ESG disclosure audits. Sustainability reporting can no longer be treated as a branding exercise, as it carries tangible legal implications, particularly where disclosures are incorporated into annual reports, prospectuses, financing documents or investor communications. Inaccurate emissions data, overstated sustainability achievements or unverified social impact claims may give rise to allegations of misrepresentation, greenwashing or breaches of applicable regulations. Periodic internal reviews, supplemented where appropriate by independent assurance, can help ensure that ESG disclosures are accurate, consistent and aligned with evolving regulatory standards. Beyond compliance, such audits allow companies to identify data gaps, interdepartmental inconsistencies and weaknesses in internal controls before they crystallise into regulatory or reputational crises. For SMEs and companies within wider supply chains, the Simplified ESG Disclosure Guide (SEDG) introduced by Capital Markets Malaysia provides a standardised framework for managing downstream sustainability data requirements accurately[13].
Closely linked to ESG disclosure is the need for a comprehensive data governance framework. ESG reporting is fundamentally data-driven, relying on information drawn from supply chains, workforce metrics, environmental performance indicators, and stakeholder engagement records. Where governance structures are fragmented or unclear, the reliability and defensibility of such data becomes questionable. Under the Personal Data Protection Act 2010, alongside increasing cybersecurity expectations from Malaysian regulators, deficiencies in data management may expose companies to financial penalties, civil claims, and contractual disputes. A robust data governance framework clarifies accountability, strengthens internal controls, and integrates cybersecurity safeguards into enterprise risk management systems. By institutionalising data integrity, companies are better positioned to demonstrate due diligence and defend against allegations arising from inaccurate, misleading, or compromised information.
Board oversight remains a central pillar of effective risk mitigation. Directors owe statutory duties under the Companies Act 2016 to exercise reasonable care, skill, and diligence in the management of the company. As ESG and data governance risks become increasingly material to corporate performance and regulatory compliance, boards can no longer treat these issues as purely operational matters delegated entirely to management. Regular training, informed deliberation, and structured reporting to the board are essential. Equally important is proper documentation. In the context of regulatory investigations or shareholder actions, contemporaneous records demonstrating that the board actively considered ESG and data governance risks may provide critical evidence that directors discharged their fiduciary and statutory duties. The legal inquiry increasingly focuses not simply on whether harm occurred, but on whether the board exercised appropriate oversight in anticipating and managing foreseeable risks.
Finally, companies must be prepared to respond decisively when incidents arise. Data breaches, environmental accidents and ESG-related controversies can escalate rapidly in an interconnected and digitally driven environment. Delayed responses, inconsistent public communications or failure to comply with disclosure obligations may compound legal exposure far beyond the initial event. Each company therefore needs a clearly defined crisis management framework governing data breaches, which the responsible committee should review and update regularly so that it keeps pace with changing notification and disclosure requirements. Early involvement of legal counsel is particularly critical to preserve privilege, manage regulatory notifications and ensure that public statements do not inadvertently increase liability. In practice, companies that maintain ongoing engagement with legal advisers, particularly on a retainer basis, are better positioned to respond swiftly and coherently when incidents occur. In many instances, the legal and reputational consequences hinge less on the occurrence of the incident itself and more on how effectively the company responds.
Taken together, these measures reflect a broader shift in corporate governance. Risk mitigation in the ESG and data governance era is no longer confined to compliance checklists or isolated policy statements. It demands integrated governance structures, active board engagement and systems capable of withstanding sustained regulatory and stakeholder scrutiny.
CONCLUSION
The convergence of ESG obligations and data governance requirements has materially expanded the legal exposure facing Malaysian corporates. From Bursa Malaysia’s sustainability reporting framework and regulatory expectations under the MCCG, to compliance with the PDPA and increasing scrutiny over cybersecurity, cross-border data transfers and AI deployment, the risk landscape has become significantly more complex. Failures in disclosure accuracy, weak internal controls, inadequate board oversight or poor data management are no longer mere operational shortcomings; they may constitute breaches of statutory duties and expose companies and directors to regulatory enforcement, shareholder actions and reputational damage.
In this evolving environment, ESG and data governance must be treated as core elements of corporate governance rather than peripheral compliance functions. Companies that embed structured oversight, strengthen internal controls, and integrate ESG and data risks into board-level decision-making will be better positioned to mitigate liability and sustain stakeholder confidence. For Malaysian corporates, whether public-listed companies, government-linked companies, or SMEs, proactive governance is no longer simply a matter of best practice, but a necessary safeguard against increasing legal and regulatory exposure.
Authors:
- Suzanne Kurian
- Husna Shariff
- Zahid Zulkifli
[1] https://www.sc.com.my/api/documentms/download.ashx?id=239e5ea1-a258-4db8-a9e2-41c215bdb776
[3] https://www.sc.com.my/nsrf
[6] https://malaysia.incorp.asia/guides/pdpa-compliance-malaysia-complete-guide/
[7] https://www.nacsa.gov.my/act854.php
[13] https://www.oecd.org/en/publications/scaling-up-public-financial-and-non-financial-support-for-sme-sustainability_4b79ddf3-en/capital-markets-malaysia-simplified-esg-disclosure-guide-for-smes-in-supply-chains_250ebf4a-en.html