In brief

Since Malaysia's Cyber Security Act 2024 (“CSA”) came into force on 26 August 2024 (please see our client alerts on these here and here), there have been substantial developments in the landscape in the past few months. In this update, we summarize the following key developments:

  1. The announcement of National Critical Information Infrastructure Sector Leads (“NCII Sector Leads”)
  2. The Cyber Security Service Providers (CSSP) licensing portal has gone live and started accepting applications from 1 October 2024
  3. Obligations on designated National Critical Information Infrastructure Entities (“NCII Entities”) to complete the National Cyber Security Baseline Self-Assessment within 14 days of designation
  4. Clarification on the scope, steps and processes to be adopted by NCII Entities when undertaking cyber security risk assessments under Section 22(1) of the CSA

In more detail

NCII Sector Leads announced

On 11 September 2024, the National Cyber Security Agency (NACSA) announced the full list of NCII Sector Leads appointed by the Prime Minister under Section 15 of the CSA for the 11 NCII Sectors.

The full list of NCII Sector Leads can be accessed here.

CSSP license application formally begins on 1 October 2024

The licensing application for CSSP formally began on 1 October 2024 via the licensing portal here. There will be a grace period up until 31 December 2024 for CSSPs to apply for their licenses. Any individual or entity providing, or advertising or holding itself out as a provider of, a cyber security service will be required to obtain a licence.

Obligations of NCII Entities to complete National Cyber Security Baseline Self-Assessment

Following the designation of NCII Entities, the Chief Executive of NACSA also issued Directive No. 4/2024 on the National Cyber Security Baseline (NCSB) (“Directive”), which requires all designated NCII Entities to complete the National Cyber Security Baseline Self-Assessment (“NCSB Self-Assessment”).

According to the Directive, which came into effect on 1 October 2024, the NCSB is a set of minimum cyber security controls and best practices to be implemented by the NCII Entities as their blueprint to ensure a basic level of cyber security protection. The NCSB encompasses six (6) main domains, which branch into 15 essential cyber security categories / aspects and are further distributed into 33 specific elements of cyber security. This structure is designed to enable NCII Entities to manage their cyber security efforts in a layered, structured manner, with the ultimate aim of safeguarding national critical information infrastructure from a wide range of cyber security threats.

All NCII Entities are required to complete the NCSB Self-Assessment within two (2) weeks from the date of being designated as an NCII Entity. The NCII Entity is then required to return the completed NCSB Self-Assessment to the Chief Executive of NACSA via email and to their respective national critical information infrastructure sector leads.

Scope, process and reporting of Cyber Security Risk Assessments

Under Section 22(1) of the CSA (read together with the Cyber Security (Period For Cyber Security Risk Assessment and Audit) Regulations 2024), NCII Entities are required to undertake annual cyber security risk assessments on the national critical information infrastructure which they own or operate (“Annual Risk Reports”).

Directive No. 5/2024 on the Cyber Security Risk Assessment was issued by NACSA (taking effect on 10 October 2024) to clarify the scope, steps and processes to be undertaken by the NCII Entity when assessing cyber security risk for purposes of the Annual Risk Reports. Among others, the steps to be taken should include:

  1. Identifying (to the extent reasonably possible) each cyber security risk faced by the NCII Entity. This may include conducting an inventory of all assets connected to the national critical information infrastructure owned or operated by the NCII Entity which may be exposed to cyber security risk, and assessing vulnerabilities of the computer or computer system which can be exploited by one or more cyber security threats;
  2. Analysing the probability and impact of an identified cyber security risk to the NCII Entity; and
  3. Assessing and identifying actions to be taken by the NCII Entity in respect of each cyber security risk identified.

The outcome of each of the above steps will need to be documented in the Annual Risk Reports, and sent to the Chief Executive of NACSA via e-mail and the relevant national critical information infrastructure sector leads.

* * * * *

Kean Lynn Tai, Associate, has contributed to this legal update.

© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in IP, commercial litigation, corporate compliance, information technology and Internet regulatory issues. She is ranked in Tier 1 for IP in Malaysia by Chambers Asia Pacific, which has noted that Kherk Ying is "an acclaimed figure in the sector, drawing praise as a lawyer who is 'really commercial, very practical' and 'knows her subject impressively well.'" Asia Pacific Legal 500 inducted her into its Hall of Fame in 2021 for IP and commented that she is "highly respected for contentious and non-contentious work". Kherk Ying was also named in Benchmark Asia-Pacific’s Top 100 Women in Litigation for IP and Commercial Transactions (2020-2021). Kherk Ying won the Woman Lawyer of the Year at the ALB Malaysia Law Awards in 2019. She is highly regarded for IP litigation, and has been named the "Best Female Lawyer in IP Litigation" by Euromoney Asia Women in Business Law Awards 2014. She is also recognised as a Tier 1 lawyer in enforcement and litigation by the World Trademark Review 1000, and ranked as a Tier 1 litigation and transactions professional by IAM Patent 1000. Kherk Ying is a registered trade mark, patent and design agent in Malaysia and the principal author of the CCH published Intellectual Property Laws of Malaysia. She is among the few selected trainers for an IP valuation course by Intellectual Property Corp of Malaysia (MyIPO) and is an accredited IP valuer by the World Trade Institute.

Author

Serene Kan is a partner in the Intellectual Property & Technology Practice Group of Wong & Partners, a member firm of Baker & McKenzie International in Kuala Lumpur.