Overview
The Cyber Security Bill 2024 (“Bill”) was passed by the Malaysian Parliament on 27 March 2024. The Bill outlines the governance, measures, standards and processes aimed at ensuring the robust management of cyber security threats and incidents and aims to fortify Malaysia’s resilience to cyber security threat and incidents.
Applicability
The Bill has extra-territorial applicability in that it extends its reach to both within and outside Malaysia’s borders. The Federal Government and State Governments are also required to comply with the Bill however they will not be subject to prosecution for any offence committed under the Bill.
National Critical Information Infrastructure
The Bill defines national critical information infrastructure as “a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively” (“NCII”). Specific requirements are imposed on entities that own or operate an NCII.
The Bill also identifies sectors crucial to Malaysia’s cyber security, as follows: (a) the government; (b) banking and finance; (c) transportation; (d) defence and national security; (e) information, communication and digital; (f) healthcare services; (g) water, sewerage and waste management; (h) energy; (i) agriculture and plantation; (j) trade, industry, and economy; and (k) science, technology and innovation (each a “NCII Sector”).
National Cyber Security Committee, Chief Executive, NCII Sector Lead and NCII Entities
The Bill establishes the National Cyber Security Committee, comprising of 13 members, including the Prime Minister, government bodies and agencies as well as the Chief Executive of the National Cyber Security Agency (“Chief Executive”), to advise on strengthening cyber security and oversee its implementation. The Chief Executive is empowered to, among others, establish the National Cyber Coordination and Command Centre system, issuing directives for compliance and managing cyber security threats and cyber security incidents.
A sector lead will be appointed for each NCII Sector (“NCII Sector Lead”) by the Minister responsible for cyber security (“Minister”). NCII Sector Leads will be tasked with, among others, designating entities responsible for cyber security for the respective sector, creating sector-specific code of practice (“Code of Practice”), and submitting reports to the Chief Executive. Such designated NCII entities (“NCII Entities”) are tasked with, among others, implementing cyber security measures outlined in the applicable Code of Practice, conduct cyber risk assessments and report incidents promptly to the Chief Executive and Sector Leads for investigation and mitigation.
Obligations and Offences
Implementation of Code of Practice
One of the primary roles of NCII Entities is to implement the measures, standards and processes as specified in a Code of Practice. In the event a NCII Entity fails to comply with the requirements under a Code of Practice, it may be liable to a fine not exceeding RM500,000.00 or to imprisonment for a term not exceeding 10 years or to both.
Provision of Information in relation to the NCII
An NCII Entity is required to provide information relating to the NCII owned or operated by the said NCII Entity. The NCII Sector Lead will in turn furnish the information to the Chief Executive. Failure by the NCII Entity to comply with the NCII Sector Lead’s request will result in a fine not exceeding RM100,000.00 or to imprisonment for a term not exceeding 2 years or to both while NCII Sector Leads that fail to report the same upon its receipt of the information to the Chief Executive may be liable to a fine not exceeding RM100,000.00.
Cyber Security Risk Assessment
NCII Entities are required to conduct and submit a cyber security risk assessment in accordance with the Code of Practice and directives issued by the NCII Sector Lead and the Chief Executive. It is crucial to note that NCII Entities that fail to conduct the said cyber security risk assessment may be found liable to a fine not exceeding RM200,000.00 or to imprisonment for a term not exceeding 3 years or to both while failure to comply with the Chief Executive’s direction will result in a fine not exceeding RM100,000.00.
Audit
NCII Entities are also required to carry out an audit by an auditor approved by the Chief Executive and submit the same to the Chief Executive to determine the compliance of the NCII Entity with the Bill. Inadequate audit reports submitted to the Chief Executive necessitate rectification under the Chief Executive’s directives. Failure to submit the audit report will result in a fine not exceeding RM200,000.00 or to imprisonment for a term not exceeding 3 years or to both, while failure to comply with the Chief Executive’s direction will result in a fine not exceeding RM100,000.00.
Reporting
NCII Entities are required to report to the Chief Executive and the NCII sector lead in the event of cyber security incidents. The Chief Executive is then required to investigate the report made by NCII Entities. Failure to report cyber security incidents may attract a fine of not more than RM500,000.00 or imprisonment for a term not exceeding 10 years or to both.
Cyber Security Exercise
NCII Entities are required to comply with the Chief Executive’s directions upon its receipt of a notice in writing from the Chief Executive of its intention to conduct cyber security exercise in respect of the NCII. In the event an NCII Entity fails to comply with the directions of the Chief Executive, it may be liable to a fine not exceeding RM100,000.00.
Licensing
The Bill introduces a licensing framework for cyber security service providers. Cyber security service providers are required to obtain a non-assignable or transferable licence to provide a cyber security service. Any person or entity that provides cyber security services or holds themselves out as a provider of cyber security service without a licence shall be liable to a fine not exceeding RM500,000.00 or to imprisonment for a term not exceeding 10 years or to both. As of now, it is unclear what is meant by “cyber security service” as it is not defined in the Bill and left to the Minister to prescribe.
Summary
The Cyber Security Bill 2024 is a step forward in response to the escalating cyber security threats globally and nationally. It would be crucial to monitor the implementation and enforcement of the Bill once it comes into force, ensuring its sufficiency in regulating the nation’s cyber security landscape.
Tong Lai Ling (Partner)
T: 603 – 2632 9878
E: tonglailing@rdl.com.my
Brandon Loo Yung Wen (Associate)
T: 603 – 2632 9910
E: brandonloo@rdl.com.my