Securing the Future: How the New Cyber Security Act 2024 is Transforming Digital Safety
Kathreena Korotana highlights the key features of Malaysia’s new cyber security framework.
Cyber threats are on a continuous rise worldwide due to the rapid expansion of the digital environment. This has resulted in various complexities and challenges in combatting such cyber threats. As the digital landscape in Malaysia has proliferated over the years, ensuring digital security is paramount to safeguard the nation from various cybercrimes. To strengthen its cyber security framework, Malaysia has taken a significant and positive measure by introducing its first cyber security legislation this year, namely the Cyber Security Act 2024 (“Act”). The Act is designed to enhance and bolster Malaysia’s cyber defences to combat emerging threats and ensure a safe and secure digital environment. The Act came into force on 26 August 2024.
Prior to the introduction of the Act, Malaysia did not have unified cyber security legislation. However, laws relating to cyber security can be found in separate pieces of legislation such as the Computer Crimes Act 1997, the Communications and Multimedia Act 1998 and the Personal Data Protection Act 2010, among others. The Act is anticipated to function as the primary cyber security legislation, complementing other existing laws. This will create a more comprehensive legislative framework for addressing cyber issues.
Below is a summary of some of its key provisions:
a. Binding on the Government
It is expressly provided that the Act shall also bind the Malaysian Federal Government and State Governments. However, they shall not be liable to prosecution for any offence under the Act.
b. Extraterritorial Application
The Act shall have extraterritorial application and is applicable to any person, irrespective of nationality and citizenship, and shall have effect outside as well as within Malaysia if an offence under the Act is committed in relation to a national critical information infrastructure that is wholly or partly in Malaysia.
c. National Critical Information Infrastructure (“NCII”)
Under the Act, an NCII is defined as “a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively”.
There are currently 11 NCII sectors specified in the Act (“NCII Sectors”) which are as follows:
Any government entity or person may be appointed by the Prime Minister, being the Minister responsible for cyber security in Malaysia (“Minister”) (upon recommendation of the Chief Executive) to be the NCII sector lead (“NCII Sector Lead”) for each of the NCII Sectors. The Minister may appoint more than one NCII Sector Lead for any of the NCII Sectors.
The NCII Sector Leads are tasked with the following responsibilities:
d. NCII Entities
Government or private entities in the NCII Sectors that are designated as NCII Entities for owning or operating an NCII in the specific NCII Sectors are obligated to carry out various duties, including, among others:
For the avoidance of doubt, “government entity” is defined under the Act to include any ministry, department, office, agency, authority, commission, committee, board, council or other body of the Federal Government or any of the State Governments established under any written law or otherwise and any local authority.
e. Establishment of National Cyber Security Committee
A National Cyber Security Committee (“Committee”) is established with 13 members including the Prime Minister as the chairman, ministers responsible for finance, foreign affairs, defence, home affairs, communications and digital related matters, the Chief Secretary to the Government, the Chief of Defence Force, the Inspector General of Police, the Director General of National Security and not more than 2 people appointed by the Committee with experience and standing in cyber security.
The Committee has various functions including, among others, planning, formulating and implementing policies and strategies relating to national cyber security; monitoring the implementation of such policies and strategies and their effectiveness in addressing matters pertaining to national cyber security; advising the Federal Government on policies and strategic actions to enhance national cyber security; directing the Chief Executive of the National Cyber Security Agency and national critical information infrastructure sector leads on matters relating to national cyber security; and overseeing the implementation of the Act.
f. Licence for Cyber Security Service Providers
The Act mandates that a cyber security service provider (meaning a person who provides a cyber security service) shall not provide cyber security services or advertise, or in any way hold itself out as a provider of cyber security service, unless it has obtained a licence to do so and complies with the related licence conditions. The Act has not, however, specified the types of cyber security services within the scope of the Act which would require such a licence. This is likely to be determined by the Minister in due course.
Cyber security service providers who fail to obtain the licence shall be liable to criminal penalties such as a fine not exceeding RM500,000 (approx. USD115,000) or imprisonment for a term not exceeding 10 years or both.
Conclusion
The Act is a landmark piece of legislation aimed at strengthening the nation’s cyber security in an increasingly digital world. By creating a robust regulatory framework, Malaysia is setting a strong foundation for safeguarding and ensuring a secure digital future. The standards, measures and requirements set out in the Act demonstrate the country’s commitment to protecting its cyber landscape. The Act promises to provide significant improvements in cyber security resilience and mitigate cyber challenges currently faced by the nation.
Kathreena is an Associate at Wong Jin Nee & Teo. Her practice predominantly focuses on brand protection and enforcement, franchise advisory and registration, as well as regulatory compliance work.