
On 26 June 2024, Malaysia's Cyber Security Act 2024 ("Cyber Security Act") was gazetted to enhance national cyber security in Malaysia. The Cyber Security Act is not in force yet, pending implementation regulations to be issued by the National Cyber Security Agency ("NACSA"). The Cyber Security Act was first contemplated in the Malaysia Cyber Strategy released in October 2020.

Objectives of the Cyber Security Act

Similar to Singapore’s Cybersecurity Act ("Singapore CSA"), the Cyber Security Act aims to enhance cybersecurity of national critical information infrastructure ("NCII"). NCIIs include any computer or computer system which, if disrupted, would impact national security, economy, public health, public safety, or government functionality. The Cyber Security Act also introduces measures to manage cyber security threats and a licensing regime for cyber security service providers.

Territorial Scope Of The Cyber Security Act

The Cyber Security Act has extra-territorial application. Offences related to an NCII that is wholly or partly located in Malaysia are within the scope of the Cyber Security Act. Notably, this approach aligns with Singapore CSA's original scope before its recent amendments in early 2024. Singapore CSA was amended to regulate computer systems which are wholly located outside Singapore if (i) the owner of such computer systems is in Singapore; and (ii) such computer systems would have been designated as CIIs had they been located in Singapore (see our previous article).

Understanding NCIIs

The Cyber Security Act designates the following sectors as NCII sectors:

  1. Government
  2. Banking and finance
  3. Transportation, defence, and national security
  4. Information, communication, and digital
  5. Healthcare services
  6. Water, sewerage, and waste management
  7. Energy
  8. Agriculture and plantation
  9. Trade, industry, and economy
  10. Science, technology, and innovation

NCII sector leads

NCII sector leads are government entities or persons which own or operate NCIIs in each NCII sector as designated by the minister charged with the responsibility for cyber security ("Minister"). The name of the NCII sector leads will be published on NACSA’s website.

Each NCII sector lead is responsible for designating NCII entities (as defined below) and formulating sector-specific codes of practice that set out the measures, standards and processes regarding cyber security management.

NCII entities

NCII entities are government entities or persons appointed by an NCII sector lead as the entity or person which owns or operates an NCII.

NCII entities are responsible for:

  1. providing information about their NCIIs to the NCII sector leads upon request and notifying them of any change, acquisition, or disposal of such NCIIs. Any material change relating to the NCII must be notified to the relevant NCII sector lead within 30 days;
  2. implementing the codes of practice issued by the relevant NCII sector lead;
  3. conducting cyber security risk assessments to ensure compliance with the codes of practice and arranging for external audits to verify their adherence to the Cyber Security Act; and
  4. reporting incidents or potential incidents in respect of their NCIIs to NACSA's Chief Executive and the NCII sector leads promptly.

While the Cyber Security Act mirrors Singapore's approach by requiring NCIIs to comply with codes, risk assessments, and incident reporting obligations, unlike Singapore, the Cyber Security Act does not extend reporting requirements to cyber incidents involving third-party vendors and the supply chains of critical information infrastructure owners.

Licensing Of Cyber Security Service Providers

The Cyber Security Act introduces a licensing regime for cyber security service providers. No entity or person can offer any cyber security service or advertise itself as a cyber security service provider unless it holds a valid licence. The aim of this licensing regime is to ensure cyber security services, especially those provided to NCIIs, meet international standards.

Whilst the definition and scope of "cyber security services" remain unclear and will be determined by the Minister in the future, it is clear that the licensing regime does not apply to cyber security services provided by a company to its related company.

Providing a cyber security service without a licence is a criminal offence punishable by (i) a fine of up to MYR 500,000 (approximately USD 106,000); (ii) imprisonment of up to ten years; or (iii) both. For comparison, the penalty under the Malaysia Cyber Security Act is more severe than the penalty under the Singapore CSA for a similar offence, which is (i) a fine of up to SGD 50,000 (approximately USD 37,000); (ii) imprisonment of up to two years; or (iii) both.

Penalties Under The Cyber Security Act

Penalties for non-compliance with the Cyber Security Act vary based on the type and severity of the violation.

For general non-compliance by NCII entities, such as failing to conduct additional cyber security risk assessments, failing to rectify audit reports upon the NACSA Chief Executive's request, or failing to notify NCII sector leads of any material changes relating to the NCII, the penalties include (i) a fine of up to MYR 100,000 (approximately USD 21,744) or MYR 200,000 (approximately USD 43,549), depending on the offence; (ii) imprisonment of up to three years; or (iii) both.

For more serious violations of the Cyber Security Act, such as failing to implement the applicable codes of practice, failing to notify a cyber security incident, or non-compliance with the licensing requirements, the penalties are more severe: (i) a fine of up to MYR 500,000 (approximately USD 106,000); (ii) imprisonment of up to ten years; or (iii) both.

The liabilities under the Cyber Security Act also extend to the employees and agents of an offending entity.

Conclusion

The Cyber Security Act is a pivotal step taken by the Malaysian government to strengthen Malaysia's cyber security resilience. NCII entities and cyber security providers which support NCII entities should revisit their business processes to identify compliance gaps and implement necessary measures to comply with the new obligations under the Cyber Security Act.


Key contacts: Harry Evans (Partner, Singapore), Peggy Chow (Of Counsel, Singapore), Sue May Yeo (Associate, Singapore)