In brief
Since our earlier client alert on Malaysia’s Cyber Security Bill 2024 (“Bill“), the Bill was passed by both houses of the Malaysian Parliament on 27 March 2024 (Dewan Rakyat) and 3 April 2024 (Dewan Negara) respectively. Subsequent to its Royal Assent on 18 June 2024 and publication in the Official Gazette on 26 June 2024, the Malaysia Cyber Security Act 2024 (“CSA“), together with four subsidiary regulations, will come into force on 26 August 2024.
The regulations are:
- Cyber Security (Period of Cyber Security Risk Assessment and Audit) Regulations 2024
- Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
- Cyber Security (Notification of Cyber Security Incident) Regulations 2024
- Cyber Security (Compounding of Offences) Regulations 2024
(collectively, “Regulations“).
Contents
- In more detail
- NCII Entity: Cyber Security (Period of Cyber Security Risk Assessment and Audit) Regulations 2024 (“Risk Assessment and Audit Regulations”)
- NCII Entity: Cyber Security (Notification of Cyber Security Incident) Regulations 2024 (“Incident Notification Regulations”)
- NCII Entity and CSSP: Cyber Security (Compounding of Offences) Regulations 2024 (“Compounding Regulations”)
- CSSP: Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 (“CSSP Regulations”)
- Key Takeaways
In more detail
We had in our earlier client alert, highlighted who will be impacted by (i.e., entities who are owners and operators of national critical information infrastructure1 (“NCII“) (such entities, a “NCII Entity“) and cyber security service providers (“CSSP“), and the obligations brought about by, the CSA.
Coming into force on 26 August 2024 together with the principal act, the Regulations sheds more light on the various compliance requirements imposed on a NCII Entity, provides a list of compoundable offences under the CSA and clarifies the type of CSSP who will require a licence. Set out below is a high level summary of the subject matter of each of the Regulations.
NCII Entity: Cyber Security (Period of Cyber Security Risk Assessment and Audit) Regulations 2024 (“Risk Assessment and Audit Regulations”)
Section 22 of the CSA mandates a NCII Entity to (among others) conduct a cyber security risk assessement in accordance with the code of practice and directives applicable to the NCII Entity and cause to be carried out an audit to determine the compliance by the NCII Entity with the CSA.
Under the Risk Assessment and Audit Regulations, a NCII Entity will need to conduct:
- A cyber security risk assessment (i.e., assessment of risks that a vulnerability in the cyber security of the NCII may be exploited by a cyber security threat or cyber security incident) at least once a year; and
- An audit at least once in every two years (or at such higher frequency as may be directed by the Chief Executive of the National Cyber Security Agency Malaysia (NACSA).
NCII Entity: Cyber Security (Notification of Cyber Security Incident) Regulations 2024 (“Incident Notification Regulations”)
Section 23 of the CSA mandates a NCII Entity to notify each, the Chief Executive of NACSA and a NCII Sector Lead2 of any “cyber security incident” which has or might have occurred in respect of its NCII (“Notifications“). The Incident Notification Regulations goes on to prescribe the frequency, timelines and substance of the Notifications required.
Specifically:
- Immediately on T: An authorized person of a NCII Entity must immediately provide the Notifications (electronically) of a cyber security incident that has or might have occurred (“First Notification“), when the cyber security incident comes to the knowledge of the NCII Entity (“T“).
- T + 6 hours: Within 6 hours from the time the cyber security incident comes to the knowledge of the NCII Entity, the authorized person shall submit further particulars on the cyber security incident to the National Cyber Coordination and Command Centre System (“NC4S“)3.
Such further particulars include, information on the NCII Entity (including its sector and sector lead) and information on the cyber security incident (including the type and description of the cyber security incident, the severity of the cyber security incident and the method of discovery of the cyber security incident).
- First Notification + 14 days: Within 14 days from the First Notification, the authorized person of the NCII Entity shall provide (to the fullest extent practicable) additional supplementary information to the NC4S. Such supplementary information includes the particulars of the NCII affected by the cyber security incident, the estimated number of host affected by the cyber security incident, particulars of the cyber security threat actor, impact of the cyber security incident on the NCII or any computer or interconnected computer system and any action taken.
NCII Entity and CSSP: Cyber Security (Compounding of Offences) Regulations 2024 (“Compounding Regulations”)
Section 60 of the CSA provides that the Minister of Digital may make regulations prescribing any offence under the CSA as an offence which may be compounded, and the method and procedure for compounding such offence.
The Compounding Regulations lists out the 6 offences under the CSA which are being capable of being compounded (if consented to by the Public Prosecutor in writing at the material time). These include:
- Section 20(6): NCII Entity’s failure to provide information relating to its NCII.
- Sections 22(7) and 22(8): NCII Entity’s failure to conduct cyber security risk assessment and audit (and subsequent failure to submit the reports to the Chief Executive of NACSA) as well as a NCII Entity’s failure to comply with directions to the NCII Entity arising from the findings in such reports.
- Section 24(4): NCII Entity’s failure to comply with the directions of the Chief Executive of NACSA in relation to cyber security exercises.
CSSP: Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 (“CSSP Regulations”)
Under Section 27 of the CSA and save where it is provided by a company to its related company, any person providing or advertising (or holding himself out) as a provider of cyber security service, must be licensed.
To this end, the CSSP Regulations sets out the licensing procedures and fees applicable to a cyber security service relating to:
- Managed security operation centre monitoring services, i.e., a service for;
- Monitoring the level of cyber security of a computer or computer system of another person by acquiring, identifying or scanning information that is stored in, processed by or transmitted through, the computer or computer system for the purpose of identifying or detecting cyber security threats to the computer or computer system; or
- Determining the measures necessary to respond to or recover from any cyber security incident and to prevent such cyber security incident from occurring in the future.
- Penetration testing service, i.e., a service for assessing,testing or evaluating the level of cyber security of a computer or computer system, by searching for vulnerabilities4 on, and compromising, the cyber security defences of the computer or computer system, and includes:
- Determining the cyber security vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of;
- Determining or testing the organization’s ability to identify and respond to cyber security incident through simulation of attempts to penetrate the cyber security defences of the computer or computer system;
- Identifying and measuring the cyber security vulnerabilities of a computer or computer system, indicating vulnerabilities and preparing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk; or
- Utilizing social engineering to assess the level of vulnerability of an organization to cyber security threats.
Where the above services are:
- Provided by a Government Entity;
- Provided by a person, other than a company, to its related company; or
- Provided in respect of computer or computer systems which are located outside Malaysia,
the CSSP Regulations (and therefore the licensing obligations attached to such services) will not apply.
Key Takeaways
The Regulations provide much-needed clarity to enable NCII Entities and affected CSSPs to navigate and adhere to the CSA. Organisations in Malaysia will need to now assess if there is a possibility of it being designated a NCII Entity. Such organisations will then need to review and consider its existing cyber security governance and data frameworks, against the requirements under the CSA and the Regulations, to ensure that these new requirements are addressed, to enable effective compliance by such organisations with the CSA and its new regulatory framework.
*Tai Kean Lynn, Associate, has contributed to this legal update.
1 Section 4 of the CSA defines a “national critical information infrastructure” to mean a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.
2 Section 4 of the CSA defines “NCII Sector Lead” to mean any government entity or person appointed as a national critical information infrastructure sector lead under section 15 of the CSA. The NCII Sector Leads will carry the functions as provided under Section 16 of the CSA.
3 The National Cyber Coordination and Command Centre (NC4) is a centre that deals with cyber threats and crises at the national level. The NC4 was developed under the purview of the NACSA as a central coordination and command facility responsible for managing cyber security at the national level. The National Cyber Coordination and Command Centre System (NC4S) on the other hand, is a national cyber security system established and maintained by the Chief Executive pursuant to Section 11 of the CSA.
4 The CSSP Regulations define “vulnerabilities” as ” any vulnerability on a computer or computer system that can be exploited by one or more cyber security threats”.
* * * * *
© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome