The Cyber Security Bill 2024 (“Bill”) was passed by the Dewan Rakyat (House of Representatives) on 27th March 2024 and by the Dewan Negara (Senate) on 3rd April 2024, after being tabled by the Minister of Digital, Gobind Singh Deo. The Bill will be the first overarching piece of legislation dedicated to addressing cyber security threats and incidents in Malaysia; previously, no single piece of legislation catered for this.
The Bill seeks to establish a robust regulatory framework through the introduction of National Critical Information Infrastructure entities, as well as the setting up of a National Cyber Security Committee and appointment of a Chief Executive and Sector Leads (all defined below). The Bill also seeks to introduce a licensing regime applicable to cyber security service providers.
A. National Critical Information Infrastructure (“NCII”)
The Bill is intended to impose obligations on entities that own or operate NCII which is defined as:
“A computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively”.
The Schedule of the Bill further specifies a list of sectors categorised as NCII sectors:
- Government;
- Banking and finance;
- Transportation;
- Defence and national security;
- Information, communication and digital;
- Healthcare services;
- Water, sewerage and waste management;
- Energy;
- Agriculture and plantation;
- Trade, industry and economy; and
- Science, technology and innovation.
Businesses operating in any of the above NCII sectors may be required to comply with the duties and obligations stipulated in the Bill if they are subsequently designated as an “NCII entity”.
B. National Cyber Security Committee (“Committee”), Chief Executive and Sector Leads
The Bill establishes a 13-member Committee chaired by the country’s Prime Minister and comprising other ministers, as well as no more than two other persons of standing and experience in cyber security. The Committee shall oversee the implementation and administration of the Bill (once enacted as law), formulate policies relating to national cyber security, give directions to the Chief Executive, and advise and make recommendations to the Federal Government.
The Committee will be assisted by the Chief Executive of the National Cyber Security Agency (“NACSA”) who will also be responsible for establishing the National Cyber Coordination and Command Centre System for the purpose of dealing with cyber security threats and cyber security incidents in the country.
The Chief Executive shall make recommendations to the Minister for the appointment of NCII sector leads (“Sector Leads”), who will be tasked with designating relevant government entities or persons as NCII entities (which will then be subject to the obligations outlined in the Bill), as well as preparing a code of practice and guidelines on cyber security best practices for the NCII sector for which they are appointed.
C. Cyber Security Risk Assessment, Audit and Incident Reporting
It shall be mandatory for an NCII entity to conduct both: (i) a cyber security risk assessment in accordance with the code of practice; and (ii) an audit by an auditor approved by the Chief Executive to determine its compliance with the Bill. Any NCII entity which fails to carry out either the cyber security risk assessment or the audit within the prescribed timeframe commits an offence and shall be liable to a fine not exceeding RM200,000 or imprisonment for a term not exceeding 3 years, or both.
An NCII entity will also need to notify the Chief Executive and the relevant Sector Lead in the event it becomes aware that a cyber security incident has occurred or might have occurred. The Chief Executive shall investigate the matter and determine the measures necessary to respond to or recover from the cyber security incident. Failure to make the requisite notification to the Chief Executive is an offence, and the NCII entity shall be liable to a fine not exceeding RM500,000 or imprisonment for a term not exceeding 10 years, or both.
D. Licensing
The Bill also aims to introduce a licensing regime applicable to cyber security service providers whereby:
“No person shall: (a) provide any cyber security service; or (b) advertise, or in any way hold himself out as a provider of a cyber security service, unless he holds a license to provide a cyber security service issued under this Part.”
The scope of “cyber security service” is not defined in the Bill; it will instead be prescribed subsequently by the Minister at his discretion. The Bill provides that an application for a license must be made to the Chief Executive, who may impose such conditions on any approved license as the Chief Executive thinks fit. It is an offence to transfer or assign to any other person any license granted by the Chief Executive.
E. Extra-Territorial Application
The Bill expressly states that it shall have extra-territorial effect and shall apply to any person, whatever his nationality or citizenship, and whether outside or within Malaysia. Where an offence is committed outside Malaysia, it may be dealt with as if it had been committed at any place within Malaysia. For the purposes of such an offence, the Bill applies where the NCII is located wholly or partly in Malaysia.
Concluding Comments
The Bill takes significant strides in introducing a comprehensive framework over Malaysia’s national critical information infrastructure in response to global and national cyber threats and breaches, which have been increasing in frequency and magnitude. It is clear from a reading of the Bill that it is primarily focused on establishing the governing structure through which the appointed authorities (such as the Committee, Chief Executive and Sector Leads) will coordinate their efforts in implementing the Bill and monitoring designated NCII entities. It is expected that the bulk of the new regulatory requirements will be set out in future codes of practice and guidelines to be issued by the Sector Leads for each NCII sector. It remains an exciting time in Malaysia’s digital and cyber security landscape as we await further legislative developments in the very near future.
Author: Shawn Zachary Tan, LL.B. (Hons) Queen Mary University of London (UK), Middle Temple.
Disclaimer: The views, thoughts and opinions expressed in the articles belong solely to the author and do not reflect the views of Loke, King, Goh & Partners. Readers of this website should contact their lawyer/attorney to obtain advice with respect to any particular legal matter. No reader, user or browser of this site should act or refrain from acting on the basis of the information on this site without first seeking legal advice from counsel in the relevant jurisdiction. LKGP Advocates shall not be held liable for any liabilities, losses and/or damages incurred, suffered and/or arising from the articles posted on this site.