Introduction
On 26th August 2024, the Cyber Security Act 2024 (Act 854) (“the Act”) came into force after being published in the Gazette on 26th June 2024.
The Act was enacted to enhance the national cyber security by providing for the establishment of the National Cyber Security Committee (“the NACSC”), duties and powers of the Chief Executive (“the Chief Executive”) of the National Cyber Security Agency (“the NACSA”), functions and duties of the national critical information infrastructure sector leads (“the Sector Lead”) and National Critical Information Infrastructure Entities (“the Entity”) and the management of cyber security threats and cyber security incidents to national critical information infrastructures, to regulate the cyber security service providers through licensing, and to provide for related matters.
There are several regulations issued that operate together with the Act:
Cyber Security Regulations (Duration for Cybersecurity Risk Assessment and Audit) 2024;
Cyber Security Regulations (Cybersecurity Incident Notification) 2024;
Cyber Security Regulations (Licensing of Cybersecurity Service Providers) 2024; and
Cyber Security Regulations (Offence Compounding) 2024.
Collectively, these are hereinafter referred to as the Regulations (“the Regulations”).
Background
Prior to the Act’s implementation, cyber security governance in Malaysia was less integrated, in the sense that various statutes governed different aspects of cyber law. Legislation such as the Personal Data Protection Act 2010, the Communications and Multimedia Act 1998, the Computer Crimes Act 1997 and the Penal Code prescribes certain conduct constituting offences. Additionally, policies catering to specific industry players were also introduced, such as the Guidelines on Technology Risk Management issued by the Securities Commission Malaysia and the Risk Management in Technology Policy Document issued by the Central Bank of Malaysia.
Fast forward, the Act was passed by Parliament following three readings, one on 25th March 2024 and two on 27th March 2024. Some of the concerns raised by Members of Parliament were on the liability of directors and agents for offences committed by their sub-agents or employees, which may trigger the doctrine of vicarious liability. This is because the offences prescribed by the Act are strict liability in nature and hence do not require proof of mens rea. Nevertheless, the Minister of Digital, Yang Berhormat Tuan Gobind Singh Deo, in response assured that a prior investigation will be conducted to determine whether the impugned conduct falls within the provision. In essence, a prosecution in all circumstances, including under the Act, shall be conducted in accordance with due process as prescribed by the existing procedural laws.
It was also pledged that the Act would not grant full immunity to the government in regard to offences relating to cyber security, as the government may still be subject to other legislation. Nonetheless, the enforcement and effectiveness of the Act are yet to be tested but worth looking out for.
Similar legislation was introduced in Singapore in 2018, and its scope was further expanded with the passing of the Cyber Security (Amendment) Bill on 7th May 2024. Three new types of entities besides owners of critical information infrastructure (“CII”) are recognised, namely high-risk temporary systems, organisations handling sensitive information impacting national interest, and digital infrastructure service providers.
Division
The Act is divided into several parts as follows:
Part I - Preliminary
Part II - National Cyber Security Committee (NACSC)
Part III - Duties and Powers of Chief Executive
Part IV - National Critical Information Infrastructure Sector Lead and National Critical Information Infrastructure Entity
Part V - Code of Practice
Part VI - Cyber Security Service Provider
Part VII - Cyber Security Incident
Part VIII - Enforcement
Part IX - General
Schedule - List of National Critical Information Infrastructure Sector
Part I - Preliminary
(Section 1 - 4)
This part sets out the commencement date of the Act, its binding effect on the state and federal governments, and the definitions and interpretation of terms used therein.
Unlike the Personal Data Protection Act 2010, the Act binds both the state and federal governments, but excludes them from liability to prosecution for any offence under the Act.
It also sets out the application of the Act, which is extra-territorial in nature: an offender is caught regardless of nationality or citizenship, and the offence is deemed to have been committed within Malaysia. However, this only applies to offences affecting a National Critical Information Infrastructure (“the NCII”) that is wholly or partly in Malaysia.
For the purposes of the Act, the term national critical information infrastructure is defined as:
“A computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its function effectively.”
Part II - National Cyber Security Committee
(Section 5 - 9)
This part provides for the establishment of the National Cyber Security Committee (“the Committee”) that is chaired by the Prime Minister and assisted by the Chief Executive who will act as the secretary to the Committee.
The Committee comprises stakeholders from various ministries such as those responsible for finance, foreign affairs, defence, home affairs, and communications and digital matters. The line-up also includes the heads of enforcement bodies. Further, the same part stipulates the functions of the Committee, the procedures to convene meetings, and the authority to invite other attendees and to establish subcommittees.
Part III - Duties and Powers of Chief Executive
(Section 10 - 14)
This part provides for the duties and powers conferred on the Chief Executive.
Such duties and powers include advising and making recommendations to the Committee, implementing policies, coordinating their implementation, collecting data received from the Sector Leads and Entities and evaluating it. Further, the duties extend to disseminating such findings back to the NCII, issuing directives to the Sector Leads and Entities, and carrying out any other duties imposed under the Act or as directed by the Committee.
Part IV - National Critical Information Infrastructure (NCII) Sector Lead and National Critical Information Infrastructure (NCII) Entity
(Section 15 - 24)
A distinction must be made between the NCII Sector Lead and the NCII Entity, as follows:
Appointment
NCII Sector Lead: Appointment by the minister responsible for cyber security upon recommendation by the Chief Executive.
NCII Entity: Through designation under Section 17 by the Sector Lead.
Functions / Duties
NCII Sector Lead: Section 16.
NCII Entity: Sections 20, 21, 22 and 23.
Revocation
If the NCII is no longer owned or operated.
Cyber Security Exercise
Will be conducted by the Chief Executive for the purpose of assessing the readiness of the Entity in responding to any cyber security threat or incident. Non-compliance with directions of the Chief Executive in regard to the cyber security exercise is an offence with a penalty of a fine not exceeding one hundred thousand ringgit.
Part V - Code of Practice
(Section 25 - 26)
This part provides details on the duty of the NCII Sector Lead to prepare a code of practice containing the measures, standards and processes for ensuring the cyber security of the NCII within the sector for which it is appointed.
In furtherance of that, any directions given by the NCII Sector Lead to an NCII Entity must be consistent with the code of practice prepared.
Part VI - Cyber Security Service Provider
(Section 27 - 34)
This part sets out the requirements and procedures for the application, renewal, assignment and revocation of a licence as a cyber security service provider, and further imposes a duty on a licensee to keep records of the persons engaging it for such service, the persons rendering the service on behalf of the licensee, and details of the type of cyber security service provided.
However, this part does not apply where the service is provided by a company to its related company. For example, company A is a holding company that offers cyber security services as its main business and renders such services to its subsidiary, company B. A licence is not required in this circumstance.
Part VII - Cyber Security Incident
(Section 35)
“Cyber security incident” is interpreted as an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardises or adversely affects the cyber security of that computer or computer system or of another computer or computer system.
This part sets out the procedure for when a cyber security incident relating to an NCII has or might have occurred, which in brief is as follows:
The Chief Executive will instruct authorised officers to investigate.
The authorised officers will notify the Chief Executive of their findings on the occurrence or non-occurrence of a cyber security incident.
In the event a cyber security incident has not occurred, the Chief Executive will notify the Entity concerned to dismiss the matter.
In the event a cyber security incident has occurred, the Chief Executive will issue a directive to the Entity concerned on the measures necessary to respond or recover and to prevent such an incident from occurring in the future.
Part VIII - Enforcement
(Section 36 - 52)
This part sets out the procedural aspects of the enforcement of the Act while providing for the authorisation of public officers in the course of enforcing the Act.
The summary of the enforcement part is as follows:
Authorised Officer
Source of Authority: The Minister, in writing, may authorise any public officer to exercise the powers of enforcement under the Act.
Proof of Authority: Issuance of an authority card signed by the Minister.
Powers granted:
Additional Powers Granted: For the purpose of execution under the Act:
Seized Items
List: A list of the seized items must be prepared and delivered to the owner of the items or premises, or to the person acting on their behalf at the premises.
Cost of Holding: The cost of holding the seized items will be a debt due to the Federal Government in the event the person under investigation is convicted of the offence.
Release: Upon referring to the Deputy Public Prosecutor, any authorised officer may release the seized items if the thing or matter is neither liable to forfeiture nor required for the purpose of proceedings under the Act. A written record of the release must be made and a copy of it sent to the Deputy Public Prosecutor as soon as practicable.
Forfeiture: Any item seized is liable to forfeiture. Where no prosecution is initiated in regard to the seized item and a notice to that effect is served, the owner may, within one month from the service of the notice, claim the item by written notice to the authorised officer in possession of it. Upon expiry of that period, the item will be deemed forfeited. Further, a Magistrate may order the forfeiture of items that were the subject matter of, or used in, the commission of any offence under the Act. Any forfeited item shall be regarded as the property of the Federal Government.
Irrecoverability of Cost / Damage: No person is entitled, in regard to the seized items, to recover costs of proceedings or damages or other relief unless the seizure was made without reasonable cause.
Admissibility of Statement as Evidence
Usage in Impeachment: The statement made by the witness may be used against him to impeach his credit in the manner provided by the Evidence Act 1950.
Usage as Defence in Trial: The statement made by the witness may be admitted as evidence in support of his defence during the course of the trial.
Usage in Prosecution Case: The statement made by the witness may be used as evidence in the prosecution case against him if he is charged with any offence relating to the making or contents of the statement.
Obstruction
Any person who assaults, impedes, obstructs or interferes with the performance of duties under the Act, or refuses access to any premises or computerised data in the course of such performance, commits an offence under the Act.
Part IX - General
(Section 53 - 64)
This general part of the Act can be summarised as follows:
Appeal
Any person aggrieved by a decision of the Chief Executive regarding:
may submit an appeal in writing to the Minister in charge of cyber security within 30 days after being informed of such refusal, revocation or suspension.
Service of Document
The Chief Executive, in regard to the submission of information, documents or particulars for the purpose of the Act, may:
Obligation of Secrecy
Prohibits disclosure of any information obtained by authorised persons in the course of their duties, whether during or after their tenure or employment. An exception may apply to disclosure made for any purpose under this Act, for proceedings under any written law, or when authorised by the Committee.
Protection Against Suit & Legal Proceedings
Provides protection against any action, suit, prosecution or proceedings for the personnel below:
An exception may apply where it can be proven that the act, neglect or default was done or omitted in bad faith without reasonable cause.
Prosecution
Prosecution for any offence under this Act can only be instituted with the written consent of the Public Prosecutor.
Liability
Companies, directors, employees etc.
Provides for the liability of directors, compliance officers, partners, officers or employees working for the entities below, in the event the entities are found guilty of any offence under the Act:
Key Principles:
Employer, Principal etc.
Provides for the liability of employers, principals and agents who appoint sub-agents, in the event an offence under the Act is committed by:
Power of the Minister
To Exempt: Exempt any person or class of persons from any or all provisions of the Act.
To Amend Schedule: Amend the Schedule of the Act upon recommendation by the Chief Executive.
To Make Regulations: Make regulations necessary to carry into effect the provisions of the Act.
To Make Regulations on Compounding of Offences: Make regulations that prescribe:
In practice, any person who has committed a compoundable offence under the Act may be offered by the Deputy Public Prosecutor an Offer to Compound Offences. Following that, any person whose offence has been compounded under the same provision:
As of 29th August, a regulation has been issued which provides the list of compoundable offences under the First Schedule of the regulation, as follows:
Section 20 (6) - Failure to provide information regarding national critical information infrastructure
Section 20 (7) - Failure of Sector Lead to notify the Chief Executive of any information received regarding the national critical information infrastructure
Section 22 (7) - Failure of Entity to conduct a cyber security risk assessment and cause an audit to be carried out
Section 22 (8) - Failure of Entity to comply with directions of the Chief Executive in regard to cyber security risk assessment and audit
Section 24 (4) - Failure of Entity to comply with directions of the Chief Executive in regard to cyber security exercise
Section 32 (3) - Failure of licensee to keep and maintain the records required
Saving
Any measures, standards and processes which have been:
will continue to remain in force so long as they are consistent with the provisions of the Act, until revoked under the National Security Council Act 2016.
Schedule
The Schedule provides the list of sectors under the NCII, which are as below:
1. Government
2. Banking and Finance
3. Transportation
4. Defence and national security
5. Information, communication and digital
6. Healthcare services
7. Water, sewerage and waste management
8. Energy
9. Agriculture and plantation
10. Trade, industry and economy
11. Science, technology and innovation
Conclusion
All in all, the Cyber Security Act 2024 represents a significant legislative development in the country’s cybersecurity framework, focusing on safeguarding national critical information infrastructure against threats across regions. With the digital world continuing to shift at a great pace, it certainly calls for greater security standards and accountability in dealing with national critical information infrastructure. This includes requirements for audits, risk assessments, incident reporting, licensing and compliance with established security protocols.
While the Act and Regulations provide a strong foundation, certain nuanced aspects still require further refinement in subsidiary legislation, guidelines, and codes of practice. It is essential for Sector Leads to closely collaborate with their respective Entities to develop codes of practice that are not only robust but also tailored to address specific vulnerabilities within their sectors. This collaborative approach, along with NACSA’s willingness to assist Entities in complying with the Act, will be crucial in ensuring that cybersecurity measures remain appropriate and proportionate to the evolving threat landscape.
Besides imposing certain obligations on stakeholders, the Act prescribes certain conduct and omissions that amount to offences and are hence subject to penalties. The summary of offences and their consequences under the Act is as follows:
Section 14 (6) - Failure to provide information based on a direction of the Chief Executive. Consequence: fine not exceeding RM200,000 or imprisonment for a term not exceeding three years or both.
Section 14 (7) - Failure to state and identify, to the best of one's knowledge and belief, the location of and the person who may have possession of information directed to be produced by the Chief Executive. Consequence: fine not exceeding RM200,000 or imprisonment for a term not exceeding three years or both.
Section 20 (6) - Failure to provide information regarding national critical information infrastructure. Consequence: fine not exceeding RM100,000 or imprisonment for a term not exceeding two years or both.
Section 20 (7) - Failure of Sector Lead to notify the Chief Executive of any information received regarding the national critical information infrastructure. Consequence: fine not exceeding RM100,000.
Section 21 (5) - Failure of Entity to implement the code of practice. Consequence: fine not exceeding RM500,000 or imprisonment for a term not exceeding ten years or both.
Section 22 (7) - Failure of Entity to conduct a cyber security risk assessment and cause an audit to be carried out. Consequence: fine not exceeding RM200,000 or imprisonment for a term not exceeding three years or both.
Section 22 (8) - Failure of Entity to comply with directions of the Chief Executive in regard to cyber security risk assessment and audit. Consequence: fine not exceeding RM100,000.
Section 23 (2) - Failure of Entity to notify the Chief Executive and Sector Lead if a cyber security incident has or might have occurred. Consequence: fine not exceeding RM500,000 or imprisonment for a term not exceeding ten years or both.
Section 24 (4) - Failure of Entity to comply with directions of the Chief Executive in regard to cyber security exercise. Consequence: fine not exceeding RM100,000.
Section 25 (6) - Failure of Sector Lead to prepare a code of practice. Consequence: fine not exceeding RM100,000.
Section 27 (5) - Providing cyber security service without a licence. Consequence: fine not exceeding RM500,000 or imprisonment for a term not exceeding ten years or both.
Section 31 (3) - Non-compliance with licensing conditions imposed by the Chief Executive. Consequence: fine not exceeding RM100,000 or imprisonment for a term not exceeding two years or both.
Section 32 (3) - Failure of licensee to keep and maintain records. Consequence: fine not exceeding RM100,000 or imprisonment for a term not exceeding two years or both.
Section 35 (5) - Non-compliance with directives issued by the Chief Executive in regard to a cyber security incident. Consequence: fine not exceeding RM200,000 or imprisonment for a term not exceeding three years or both.
Section 48 (2) - Failure or refusal of a person acquainted with the case under investigation to attend before the authorised officer making such an order. Consequence: a Magistrate will issue a warrant to secure the attendance as ordered.
Section 55 (2) - Failure to abide by the obligation of secrecy. Consequence: fine not exceeding RM1,000 or imprisonment for a term not exceeding two years or both.
Section 63 (3) - Failure to comply with regulations made by the Minister under Section 63 (1) and (2). Consequence: fine not exceeding RM200,000 or imprisonment for a term not exceeding three years or both.
The Law is stated as at 18 October 2024
Written By: Naielah Nafisah Binti Muhammad Zarkashi, intern
Supervised By: Haiqal and Ainul Azam
For further clarification, please contact us at 03-2171 1484 or at mail@azamlaw.com.
REFERENCES
19 Penyata Rasmi Dewan Rakyat Parlimen Kelima Belas Penggal Ketiga Mesyuarat Pertama 36–99 (2024). Retrieved September 27, 2024, from https://www.parlimen.gov.my/hansard-dewan-rakyat.html?uweb=dr&lang=en.
Cyber Security Act 2024 (Act 854).
Cyber Security Regulations (Duration for Cybersecurity Risk Assessment and Audit) 2024.
Cyber Security Regulations (Cybersecurity Incident Notification) 2024.
Cyber Security Regulations (Licensing of Cybersecurity Service Providers) 2024.
Cyber Security Regulations (Offence Compounding) 2024.