The Cyber Security Act 2024 (“Act”) and four regulations issued pursuant to the Act came into force on 26 August 2024. The four regulations are as follows:
- Cyber Security Regulations (Duration for Cybersecurity Risk Assessment and Audit) 2024;
- Cyber Security Regulations (Cyber Security Incident Notification) 2024;
- Cyber Security Regulations (Licensing of Cyber Security Service Providers) 2024; and
- Cyber Security Regulations (Offence Compounding) 2024.
Both cyber security service providers and entities which own or operate national critical information infrastructure (NCII) and are designated as national critical information infrastructure entities (NCII Entities) will need to take note of these regulations.
Please refer to https://rajadarrylloh.com/cyber-security-bill-2024/ for a summary of the requirements under the Act.
Regulations
1. Cyber Security Regulations (Duration for Cybersecurity Risk Assessment and Audit) 2024
These Regulations require an NCII Entity which owns or operates an NCII to:
- conduct a cyber security risk assessment at least once a year; and
- carry out an audit at least once in every two years or at such higher frequency as may be directed by the Chief Executive of the National Cyber Security Agency (NACSA) (https://www.nacsa.gov.my/index.php) (Chief Executive) in any particular case.
A cyber security risk is defined as “the risks that a vulnerability in the cyber security of the national critical information infrastructure which may be exploited by a cyber security threat or cyber security incident”.
Failure to submit the audit report is punishable by a fine not exceeding RM200,000.00, imprisonment for a term not exceeding 3 years, or both, while failure to comply with the Chief Executive’s direction is punishable by a fine not exceeding RM100,000.00.
2. Cyber Security Regulations (Cyber Security Incident Notification) 2024
In the event of a cyber security incident, an NCII Entity must notify NACSA and its NCII sector lead within 6 hours from the time the incident comes to the knowledge of the NCII Entity. The authorized person of the NCII Entity shall submit the following by electronic means:
- the particulars of the authorized person;
- the particulars of the NCII Entity concerned, the NCII sector and NCII sector lead to which it relates; and
- the information on the cyber security incident, including:
  - type and description;
  - severity;
  - date and time of the occurrence; and
  - method of discovery.
A full report must follow within 14 days after the notification, containing the following information:
- the particulars of the NCII Entity affected by the cyber security incident;
- the estimated number of hosts affected by the cyber security incident;
- the particulars of the cyber security threat actor;
- the artifacts related to the cyber security incident;
- the information on any incident relating to, and the manner in which such incident relates to, the cyber security incident;
- the particulars of the tactics, techniques and procedures of the cyber security incident;
- the impact of the cyber security incident on the NCII or any computer or interconnected computer system; and
- the action taken.
Failure to report cyber security incidents may attract a fine of not more than RM500,000.00, imprisonment for a term not exceeding 10 years, or both.
3. Cyber Security Regulations (Licensing of Cyber Security Service Providers) 2024
These Regulations apply to cyber security services for managed security operation centre monitoring and penetration testing. They do not apply where:
- the service is provided by a Government Entity;
- the service is provided by an individual (not a company) to their related company; or
- the computer or computer system receiving the service is located outside Malaysia.
A managed security operation centre monitoring service means a service for:
- monitoring the level of cyber security of a computer or computer system of another person by acquiring, identifying or scanning information stored in, processed by or transmitted through, the computer or computer system for the purpose of identifying or detecting cyber security threats to the computer or computer system; or
- determining the measures necessary to respond to or recover from any cyber security incident and to prevent future incidents.
A penetration testing service means a service for assessing, testing or evaluating the level of cyber security of a computer or computer system, by searching for vulnerabilities on, and compromising, the cyber security defences of the computer or computer system, and includes any of the following activities:
- determining the cyber security vulnerabilities of a computer or computer system, and demonstrating how such vulnerabilities may be exploited and taken advantage of;
- determining or testing the organization’s ability to identify and respond to cyber security incidents through simulation of attempts to penetrate the cyber security defences of the computer or computer system;
- identifying and measuring the cyber security vulnerabilities of a computer or computer system, indicating vulnerabilities and preparing appropriate mitigation procedures required to eliminate vulnerabilities or to reduce vulnerabilities to an acceptable level of risk; or
- utilizing social engineering to assess the level of vulnerability of an organization to cyber security threats.
A vulnerability is defined as “any vulnerability on a computer or computer system that can be exploited by one or more cyber security threats”.
It is to be noted that any person or entity that provides cyber security services or holds themselves out as a provider of cyber security service without a licence shall be liable to a fine not exceeding RM500,000.00 or to imprisonment for a term not exceeding 10 years or to both.
4. Cyber Security Regulations (Offence Compounding) 2024
The following offences are prescribed to be offences which may be compounded with the written consent of the Public Prosecutor:
- Duty to provide information relating to national critical information infrastructure (subsections 20(6) and 20(7))
- Duty to conduct cyber security risk assessment and audit (subsections 22(7) and 22(8))
- Cyber security exercise (subsection 24(4))
- Duty to keep and maintain record (subsection 32(3))