The new Cyber Security Bill 2024 (“Bill”) was tabled for first reading at the Malaysian Parliament on 25 March 2024. The Bill aims to provide a regulatory framework for safeguarding Malaysia’s cyber security landscape by requiring national critical information infrastructure entities to comply with certain measures, standards and processes in the management of cyber security threats and cyber security incidents. To achieve these objectives, the Bill provides for, among others, the establishment of the National Cyber Security Committee, the duties and powers of the Chief Executive, the appointment of national critical information infrastructure sector leads, the designation of national critical information infrastructure entities and the licensing of cyber security service providers.


Who: Applicability of the Bill and governing bodies

Extra-territoriality

The Bill is intended to have extra-territorial application: it applies to any person, irrespective of nationality or citizenship, and has effect outside as well as within Malaysia. The Federal Government and State Governments are also subject to the Bill (although they will not be liable to prosecution for any offence under it).

National Cyber Security Committee and Chief Executive’s powers

The Bill establishes a 13-member National Cyber Security Committee, chaired by the Prime Minister of Malaysia. Its primary functions are, among others, to advise and make recommendations to the Federal Government on strengthening cyber security, to oversee implementation of the Bill (when it comes into force) and to give directions to the Chief Executive of the National Cyber Security Agency (“Chief Executive”) and to national critical information infrastructure sector leads on matters relating to national cyber security.

The Chief Executive, in turn, is empowered under the Bill to, among others, establish the National Cyber Coordination and Command Centre system for dealing with cyber security threats and cyber security incidents, and to issue directives as necessary to ensure compliance with the Bill.

What and how: National Critical Information Infrastructure, NCII Sectors, NCII Sector Leads and NCII Entities

NCII

To protect against cyber security threats and incidents in Malaysia, the Bill imposes specific requirements on entities that own or operate national critical information infrastructure (NCII). NCII is defined as “a computer or computer system which the disruption or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia or on the ability of the Federal Government or any State Government to carry out its functions effectively”.

NCII Sectors

The Bill complements the NCII definition with a list of sectors regarded as NCII sectors, as follows: (a) the government; (b) banking and finance; (c) transportation, defence and national security; (d) information, communication and digital; (e) healthcare services; (f) water, sewerage and waste management; (g) energy; (h) agriculture and plantation; (i) trade, industry and economy; (j) science, technology and innovation (each and collectively, “NCII Sector(s)”).

NCII Sector Leads

A sector lead (which can be a government entity or a private entity) for each of the NCII Sectors (“NCII Sector Lead”) will be appointed by the Minister responsible for cyber security (“Minister”) on the recommendation of the Chief Executive. Each NCII Sector Lead is then responsible for:

  • Designating any government entity or person as an entity which owns or operates NCII in respect of its appointed sector (“NCII Entity”). Once designated, an NCII Entity becomes subject to various requirements (discussed further below).

  • Preparing a code of practice containing the measures, standards and processes for ensuring the cyber security of NCII within the NCII Sector for which it is appointed (“Code of Practice”).

NCII Entities

An NCII Entity is then obliged, among others, to implement the measures, standards and processes specified in the Code of Practice for the purpose of ensuring the cyber security of its NCII, to conduct a cyber security risk assessment in accordance with the Code of Practice, and to cause an audit to be carried out to determine its compliance with the Cyber Security Act 2024 (“Audit Report”). The Audit Report must be submitted to the Chief Executive within the prescribed periods.

In addition, an NCII Entity must notify the Chief Executive and its NCII Sector Lead of any cyber security incident (“Incident”) which has occurred or might have occurred in respect of itself (“Incident Reporting”). Upon receipt of the Incident Reporting, the Chief Executive is obliged to investigate the Incident to ascertain whether it in fact occurred and to determine rectification and preventive measures so that the Incident does not recur. The timelines for, and the scope of information required in, Incident Reporting are not set out in the Bill; we expect these to be dealt with by the Minister under directives or regulations once the Bill comes into force.

Others: Cyber Security Service Provider License

The Bill also requires any person providing, or advertising or holding himself out as a provider of, a cyber security service to obtain a licence (“Cyber Security Service Provider Licence”). However, the definition and scope of a “cyber security service” are not as yet defined in the Bill and are instead left to the determination of the Minister.

Key takeaways

While not dissimilar to cyber security legislation in other Commonwealth jurisdictions, such as the Singapore Cybersecurity Act 2018 (both are intended to enhance the cyber security of critical national information infrastructure and regulate the licensing of cyber security service providers), the Bill introduces distinctive roles such as the Chief Executive and the NCII Sector Lead to give cyber security governance in Malaysia a more industry-specific focus.

With the prevalence of cyber breach incidents in Malaysia accompanying the extensive use of information and communications technology systems and devices in the public and private sectors, the Bill is a significant stride forward in Malaysia’s journey towards a secure digital future. The proposed measures, standards and processes under the Bill underscore the nation’s commitment to protecting its national critical information infrastructure. Going forward, it will be crucial to monitor the implementation and impact of this legislation to ensure that it effectively addresses the evolving landscape of cyber threats.

Author

Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in intellectual property (IP), commercial litigation, corporate compliance, information technology and Internet regulatory issues.

Author

Serene Kan is a Partner in Baker McKenzie's Kuala Lumpur office.