Saturday 05 Oct 2024

This article first appeared in Digital Edge, The Edge Malaysia Weekly on May 27, 2024 - June 2, 2024

The Malaysian Cyber Security Bill 2024 has emerged as a pivotal milestone in the nation’s cybersecurity landscape. Passed by Dewan Negara on April 3 following its initial reading at the Dewan Rakyat on March 25, the bill awaits royal assent and publication in the Government Gazette before it officially becomes law.

Unlike existing statutes that address narrower aspects, such as the Personal Data Protection Act (PDPA) 2010 for the protection of personal data and the Computer Crimes Act 1997 for computer crimes, the bill's significance lies in its scope: it is Malaysia's first overarching legislation specifically tailored to address cybersecurity.

At the heart of it is the National Cyber Security Agency (NACSA), the regulatory body granted sweeping powers to enforce the bill. The bill targets entities that own or operate national critical information infrastructure (NCII). These are the digital nerve centres, that is, computers and computer systems, whether fully or partly located in Malaysia, whose disruption or destruction could, among other things, cripple the provision of essential government services and public health services, disrupt the economy or strain foreign relations.

Its impact will be most acutely felt by entities owning or operating NCII in selected sectors such as banking and finance; trade, industry and economy; healthcare; transport; and information, communication and digital services.

Once designated by the sector leads (which have yet to be formally identified), such entities, referred to as NCII entities, must implement minimum cybersecurity measures, including cybersecurity risk assessments and compliance audits at prescribed intervals. Non-compliance is an offence punishable by imprisonment (three to 10 years) and/or a fine (RM200,000 to RM500,000), depending on the obligation breached. Directors and compliance officers can also be held personally liable.

What happens, however, when the minimum cybersecurity measures that an NCII entity has put in place fail to keep out threat actors?

In this instance, NCII entities must report to NACSA and their sector leads any unauthorised attack or access that jeopardises the availability or integrity of their NCII (including any confidential information held in the NCII) within a prescribed time from becoming aware of the incident. Such incidents range from the introduction of malware that takes a system down to ransomware attacks in which confidential information may be released to the public unless a ransom is paid.

At present, save for entities operating within regulated industries, there is no mandatory notification for loss of data, including personal data; notification of a personal data breach to the Personal Data Protection Department, which oversees the PDPA, is voluntary. Hence, while familiar to those in the highly regulated banking, finance and capital market industries, mandatory reporting of cybersecurity incidents will be a new construct for entities in other sectors such as healthcare, digital services and transport. It will likely also add to an NCII entity's already extensive compliance obligations and therefore increase its cost of doing business.

For the general public, such a mandatory reporting mechanism will hopefully encourage an NCII entity (which holds an extensive repository of data, ranging from personal data to transaction data) to better protect that data against threat actors, and ensure that the entity is held accountable for it.

This is because NACSA, upon being notified, is required to investigate such incidents and can thereafter issue directives to the NCII entity to, among other things, take steps to recover from the incident and prevent it from recurring. Failure to comply with such a directive can expose the NCII entity, and its directors and compliance officers, to imprisonment (maximum of three years) and/or a fine (maximum of RM200,000).

The bill is just the beginning. As more substantive regulations, directives and pronouncements are issued by NACSA and/or the Minister of Digital in the coming months, the depth and breadth of compliance obligations of the NCII entity with respect to cybersecurity will become clearer.

This should not, however, stop an organisation from anticipating that it may be designated an NCII entity and from taking proactive steps to ensure that it is prepared to meet the requirements under the bill once enforced. In fact, given the adverse publicity and potential financial ramifications associated with cyberattacks, cybersecurity preparedness should be, and is increasingly seen as, a business-critical function.

But cybersecurity is not the sole responsibility of the management or directors of the NCII entity.

Given the ubiquity of artificial intelligence and its increasing use by threat actors to perpetrate cyberattacks, everyone within the company will need to be made aware of cyberattacks and threats.

This is especially so because most cybersecurity incidents result from human susceptibility, carelessness or accident. Hence, frequent and consistent training, including tabletop simulations of a cyberattack, for employees and third-party independent contractors will raise awareness of the types and sophistication of cyberattacks and hopefully result in such attempts being thwarted.

Additional practical interim steps that an organisation can take include undertaking pre-emptive assessments of the cybersecurity-related policies and procedures adopted within the organisation and updating them. Where not already in place, an organisation should start formulating effective risk management strategies (including procuring cybersecurity insurance if required) and incident response plans to guide it when faced with a cybersecurity incident.

Ultimately, the hope is that the cybersecurity hygiene practices introduced by the bill and the upcoming amendments to the PDPA this year will uplift the level and standards of cybersecurity compliance by key players in the public and private sectors in Malaysia, thus engendering confidence in the country as it aspires to become a digital hub.


Chew Kherk Ying is head of, and Serene Kan is a partner in, the IP and technology practice at Wong & Partners, a member firm of Baker McKenzie International
