The Cyber Security Act 2024 (Act) and four regulations issued pursuant to the Act came into force on 26 August 2024. The four regulations are as follows: (i) Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 (ii) Cyber Security (Notification of Cyber Security Incident) Regulations 2024 (iii) Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 and (iv) Cyber Security (Compounding of Offences) Regulations 2024.
Both cyber security service providers as well as entities which own or operate national critical information infrastructure (NCII) (each designated as a national critical information infrastructure entity or “NCII Entity”) will need to take note of these regulations.
Please refer to https://rajadarrylloh.com/cyber-security-bill-2024/ for a summary of the requirements under the Act.
Regulations
1. Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
These Regulations require an NCII Entity which owns or operates an NCII to:
- conduct a cyber security risk assessment in respect of the NCII owned or operated by the NCII Entity at least once a year; and
- carry out an audit to determine the compliance of the NCII Entity with the Act at least once in every two years or at such higher frequency as may be directed by the Chief Executive of the National Cyber Security Agency (NACSA) (https://www.nacsa.gov.my/index.php) (Chief Executive) in any particular case.
Cyber security risks are defined as “the risks that a vulnerability in the cyber security of the national critical information infrastructure may be exploited by a cyber security threat or cyber security incident”. A vulnerability is defined as “any vulnerability on a computer or computer system that can be exploited by one or more cyber security threats”.
The NCII Entity shall, within the period of 30 days after the completion of the cyber security risk assessment or audit, submit the cyber security risk assessment report or audit report to the Chief Executive. Failure to submit the audit report will result in a fine not exceeding RM200,000.00 or to imprisonment for a term not exceeding 3 years or to both, while failure to comply with the Chief Executive’s direction will result in a fine not exceeding RM100,000.00.
2. Cyber Security (Notification of Cyber Security Incident) Regulations 2024
The Act defines a cyber security incident as “an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cyber security of that computer or computer system or another computer or computer system”.
In the event of a cyber security incident that has or might have occurred, an NCII Entity must report to NACSA and the applicable NCII sector lead within 6 hours from the time a cyber security incident comes to the knowledge of the NCII Entity, and the authorized person of the NCII Entity shall submit the following by electronic means:
- the particulars of the authorized person;
- the particulars of the NCII Entity concerned, the NCII sector and the NCII sector lead to which it relates; and
- the information on the cyber security incident including –
- type and description of the cyber security incident;
- severity of the cyber security incident;
- date and time of the occurrence of the cyber security incident; and
- method of discovery of the cyber security incident;
with a full report to follow within 14 days after the notification containing the following information:
- the particulars of the NCII Entity affected by the cyber security incident;
- the estimated number of hosts affected by the cyber security incident;
- the particulars of the cyber security threat actor;
- the artifacts related to the cyber security incident;
- the information on any incident relating to, and the manner in which such incident relates to, the cyber security incident;
- the particulars of the tactics, techniques and procedures of the cyber security incident;
- the impact of the cyber security incident on the NCII or any computer or interconnected computer system; and
- the action taken.
Failure to report cyber security incidents may attract a fine of not more than RM500,000.00 or imprisonment for a term not exceeding 10 years or to both.
3. Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
The frequently asked questions (FAQ) below were extracted verbatim from NACSA’s website at https://www.nacsa.gov.my/faq.php and provide a summary of these Regulations.
| BIL | QUESTION | ANSWER |
|---|---|---|
| A. | GENERAL PROVISION | |
| 1. | What type of Cyber Security Service is required to be licenced based on the Cyber Security Act 2024 [Act 854]? | Any cyber security service related to managed security operation centre monitoring service and penetration testing service. |
| 2. | Who is required to apply for a licence? | Any person (individual, company, limited liability partnership, firm, society or other body of persons) who intends to provide any cyber security service or advertise, or in any way hold himself out as a provider of a cyber security service. |
| 3. | Under what conditions is this regulation not applicable? | These Regulations shall not apply if—the cyber security service is provided by a Government Entity;the cyber security service is provided by a person, other than a company, to its related company; orthe computer or computer system in respect of which the cyber security service is provided is located outside Malaysia. |
| 4. | When is the effective date for licensing registration? | To facilitate a better understanding and compliance with Act 854 and Regulation P.U (A) 221/2024, the application process for licencing cybersecurity service providers will commence on 1 October 2024. |
| 5. | How to apply for licensing of cyber security service provider? | The application for licensing will be available via online portal at licence.nacsa.gov.my on 1 October 2024. |
| B. | INTERPRETATION | |
| 6. | What is managed security operation centre monitoring service? | A managed security operation centre monitoring service under the Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 [P.U. (A) 221/2024] is a service for— monitoring the level of cyber security of a computer or computer system of another person by acquiring, identifying or scanning information that is stored in, processed by or transmitted through, the computer or computer system for the purpose of identifying or detecting cyber security threats to the computer or computer system; or determining the measures necessary to respond to or recover from any cyber security incident and to prevent such cyber security incident from occurring in the future. |
| 7. | What is penetration testing service? | A penetration testing service under the Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 [P.U. (A) 221/2024] is a service for assessing, testing or evaluating the level of cyber security of a computer or computer system, by searching for vulnerabilities on, and compromising, the cyber security defences of the computer or computer system, and includes any of the following activities: determining the cyber security vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of; determining or testing the organization’s ability to identify and respond to cyber security incident through simulation of attempts to penetrate the cyber security defences of the computer or computer system; identifying and measuring the cyber security vulnerabilities of a computer or computer system, indicating vulnerabilities and preparing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk; or utilizing social engineering to assess the level of vulnerability of an organization to cyber security threats. |
| 8. | Whether a cyber security service provider can provide both Managed Security Operation Centre Monitoring Service & Penetration Testing to the same client? | A cyber security service provider can provide both Managed Security Operation Centre Monitoring Service & Penetration Testing to the same client. |
| C. | APPLICATION FOR LICENCE | |
| 9. | Whether the tools are required to be licenced? | Tools such as hardware and software are not required to be licenced under this act. |
| 10. | Does the company need to be licenced separately from the employees? | Only the company is required to apply for a licence. However, the company needs to provide information relating to the qualification or experience of;every employee of the applicant who has supervisory responsibility relating to the cyber security service for which a licence is sought; or the person through which the applicant proposes to provide the cyber security service. |
| 11. | Whether the subcontractor or third party to the contract who provides the cyber security service on behalf of the main contractor is also required to be licenced? | If the subcontractor or third party to the contract provides cyber security service on behalf of the main contractor, the subcontractor or third party is required to be licenced. |
| 12. | How long is the validity period of a licence? | A licence is valid for a period of one (1) year. |
| 13. | How much is the fee payable for application of licence by an individual? | The licence fee for an individual is RM400.00. |
| 14. | How much is the fee payable for application of licence by a company, limited liability partnership, firm, society or other body of persons? | The licence fee for a company, limited liability partnership, firm, society or other body of persons is RM1,000.00. |
| 15. | Does the payment of the fee need to be completed before the application is processed? | The payment of the fee needs to be completed before the application. |
| 16. | What are the requirements that need to be complied with for a licence to be approved? | The requirements are as per the NACSA’s Licensing portal. The portal will be available via online portal licence.nacsa.gov.my on 1 October 2024. |
| 17. | Will the list of licenced Cyber Security Service Providers be published on NACSA’s Licensing portal? | The list of licenced Cyber Security Service Providers will be published on NACSA’s Licensing portal once the approval process has been completed. |
| 18. | Does a Cyber Security Service Provider need to apply for a licence if it intends to provide cyber security services to companies located overseas? | Cyber Security Service Provider which provides cyber security services to companies located overseas is not required to apply for a licence. |
| 19. | Is a foreign company required to obtain a licence to provide cyber security services in Malaysia? | A foreign company which provides cyber security services to companies located in Malaysia must apply for a licence. |
| 20. | Does a company which provides cyber security service only to its related company is required to apply for a licence? | A company is not required to apply for a licence if the cyber security services are provided only to its related company. |
| 21. | A foreign company would like to provide cyber security services to its related company registered in Malaysia. Does the foreign company need to apply for a licence? | A foreign company is not required to apply for a licence if the cyber security services are provided only to its related company registered in Malaysia. |
| 22. | A local company would like to provide cyber security service to its related company located abroad. Does the local company need to apply for a licence? | A local company is not required to apply for a licence to provide the cyber security service to its related companies if the cyber security service is provided only to its related company located abroad. |
| 23. | Does a cyber security service provider need to apply for two separate licences in the event it provides both penetrations testing services and managing security operation centre monitoring service? | A cyber security service provider is only required to apply for one licence for both services. Be that as it may, if the initial application is only for one type of cyber security service, the cyber security service provider needs to apply for another licence if it intends to provide another type of cyber security service with additional fee to be paid. For example, company A applied for a licence to provide Penetration Testing services and licence is granted to company A. Thereafter, company A decides to expand its service to include managing security operation centre monitoring service, company A needs to apply for a separate licence and a payment of fee for the licence. |
| 24. | When should a licence renewal application be submitted? | According to section 30 of the Cyber Security Act 2024 [Act 854], a licensee may apply to renew its licence at least thirty (30) days before the date of expiration of the licence in such manner as may be prescribed. |
| 25. | How much is the renewal fee payable by an individual? | The renewal fee for an individual is RM400.00. |
| 26. | How much is the renewal fee payable by a company, limited liability partnership, firm, society, or other body of persons? | The renewal fee for a company, limited liability partnership, firm, society, or other body of persons is RM1,000.00. |
| 27. | What is the notification process for application results? | The application result will be notified through an email from NACSA. |
Any person or entity that provides cyber security services or holds itself out as a provider of cyber security service without a licence shall be liable to a fine not exceeding RM500,000.00 or to imprisonment for a term not exceeding 10 years or to both.
4. Cyber Security (Compounding of Offences) Regulations 2024
These Regulations set out the procedures for the compounding of offences. The following offences are prescribed to be offences which may be compounded with the written consent of the Public Prosecutor:
- Failure to provide information relating to or to notify of material change in certain aspects of national critical information infrastructure (subsections 20(6) and 20(7) of the Act)
- Failure to conduct cyber security risk assessment and/or audit, or to submit the cyber security risk assessment report or audit report or to comply with directions of the Chief Executive in relation to the foregoing (subsections 22(7) and 22(8) of the Act)
- Failure to comply with the directions of the Chief Executive in relation to a cyber security exercise (subsection 24(4) of the Act)
- Failure to keep and maintain records in the manner determined by the Chief Executive (subsection 32(3) of the Act)