Bread & Kaya: Impact of the Cyber Security Bill 2024 on the Cybersecurity Industry in Malaysia

• Powers of Chief Executive in Sect 10, 14 widely worded, may be subject to abuse
• Paramount any legislative measure implemented does not inadvertently impede innovation

On 3 April 2024, the Cyber Security Bill 2024 (hereinafter referred to as the Bill or Act) was passed by Parliament. The Bill will be presented for Royal Assent and subsequently gazetted into law.

(References to any sections herein shall be in reference to the Cyber Security Bill 2024 unless stated otherwise.)

This new law aims to enhance the national cyber security by providing for:

• The establishment of the National Cyber Security Committee
• Duties and powers of the Chief Executive of the National Cyber Security Agency
• Functions and duties of the national critical information infrastructure (NCII) sector leads and national critical information infrastructure entities;
• Management of cyber security threats and cyber security incidents to national critical information infrastructures
• To regulate the cyber security service providers through licensing, and to provide for related matters.

Cyber security legislation is not a new concept. Various countries have enacted laws to address this critical issue: Singapore enacted the Cybersecurity Act 2018; Thailand enacted the Cyber Security Act 2019; Vietnam enacted the Law on Cyber Security in 2018; the EU enacted the Cybersecurity Act (EU 881/2019); Australia enacted the Security of Critical Infrastructure Act in 2018; and the Ghana enacted the Cybersecurity Act 2020.

Though bearing similarities to other foreign cyber security legislations, the Bill brings forth unique positions such as the Chief Executive and the national critical information infrastructure sector lead. These roles are designed to provide a more industry-tailored approach to cyber security governance within Malaysia.

Amid the rising cyber breaches in Malaysia, the Bill marks a crucial step towards a secure digital future. It highlights the nation's dedication to safeguarding NCII in both public and private sectors through proposed measures, standards, and processes.

Applicability of the Bill

The Bill has extra-territorial effect and shall apply in relation to any person, regardless of nationality or citizenship, and shall have effect outside as well as within Malaysia.

In practice, it may however be difficult to apprehend transnational cybercriminals, especially if the criminals are often based in jurisdictions with weaker laws and enforcement. The increase in extraterritorial reach may have limited impact in preventing or deterring these criminals.

While the Federal Government and State Governments are also subject to the Bill, no prosecution action can be taken against them for any failure to comply with the provisions of this law within this legislation. It was provided that in terms of government administration, the government will take all necessary steps to ensure that the provisions of this legislation are fully complied with by agencies under the Federal Government and also agencies under the State Governments.

National Critical Information Infrastructure

The Bill introduces the concept of NCII. It is defined as “computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.”

For instance, computer or computer systems utilised to process all banking or telecommunications records.

[Ed: Para edited for clarity.]

National Cyber Security Committee (NCSC)

The Bill establishes the NCSC, consisting of the Prime Minister, the Ministers responsible for certain government bodies and agencies, Chief Secretary to the Government, Chief of Defence Force, Inspector General of Police, Director General of National Security and two other persons who shall be appointed by the Committee from among persons of standing and experience in cyber security.

The functions of the NCSC include:

(a) to plan, formulate and decide on policies relating to national cyber security;

(b) to decide on approaches and strategies in addressing matters relating to national cyber security;

(c) to monitor the implementation of policies and strategies relating to national cyber security;

(d) to advise and make recommendations to the Federal Government on policies and strategic measures to strengthen national cyber security;

(e) to give directions to the Chief Executive and national critical information infrastructure sector leads on matters relating to national cyber security;

(f) to oversee the effective implementation of the Act; and

(g) to do such other things arising out of or consequential to the functions of the Committee under the Act consistent with the purposes of the Act.

The NCSC shall have all such powers as may be necessary, or in connection with, or reasonably incidental to, the performance of its functions under the Act.

The Chief Executive

The Act creates a Chief Executive of the National Cyber Security Agency (Chief Executive) and he is the secretary of the NCSC.

The Chief Executive is empowered under the Act to, among others, advise and make recommendations to the NCSC, implement policies relating to cyber security, appoint a cyber security expert, conduct a cyber security exercise for the purpose of assessing the readiness of any NCII entity in responding to any cyber security threat or cyber security incident, establish the National Cyber Coordination and Command Centre system for the purpose of dealing with cyber security threats and cyber security incidents and issue directives as necessary for the purpose of ensuring compliance with the Act.

The Chief Executive is given very wide powers under section 14. Under section 14(1), the Chief Executive has the power to direct for information. He may require any person, public body, or corporation to provide information, particulars, documents, or evidence within a specified period and in a specific manner if he has reasonable grounds to believe that they possess such information relevant to his duties and powers. Failure of any person to comply with the request is liable to a fine not exceeding US$42,440 (RM200,000) and/or to imprisonment for a term not exceeding three years.

The power of the Chief Executive is wide under this section because the Chief Executive can issue written notices to “any person” for the production of information, documents, or electronic media on a schedule “as specified” or otherwise determined by the Chief Executive. Though the duties and powers of the Chief Executive are set out in section 10, section 14 is still widely worded and this may be subject to abuse or exercised excessively or improperly.

The direction for information is not subject to any external review process and is entirely up to the discretion of the Chief Executive in substance and procedure. It is also noted that section 14(1) uses the term “any person”. The deliberate choice of term seems to suggest that the Chief Executive may direct for such information from any person, regardless whether they own or operate any NCII.

In any event, under section 14(2), if the recipient of such a request does not possess the document, he shall state, to the best of his knowledge and belief, where the document may be found; and identify, to the best of their knowledge and belief, the last person who had custody of the document, and to state, to the best of their knowledge and belief, where that last-mentioned person may be found.

Under section 14(3), the recipient of such a request, shall ensure that the information, particulars or documents or copies of the document given or produced are true, accurate and complete and such person shall provide an express representation to that effect, including a declaration that he is not aware of any other information, particulars or document which would make the information, particulars or document given or produced untrue or misleading.

Failure of any person to comply with sections 14(2) and/or 14(3) will be liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding three years or to both.

NCII Sectors

The Bill sets out the following list of sectors regarded as NCII sectors that are crucial to Malaysia’s cyber security:

1. the Government;
2. banking and finance;
3. transportation; 
4. defence and national security;
5. information, communication and digital;
6. healthcare services;
7. water, sewerage and waste management;
8. energy;
9. agriculture and plantation;
10. trade, industry, and economy; and
11. science, technology and innovation

NCII Sector Lead and NCII Entity

The Bill introduces two types of persons, namely, national critical information infrastructure sector lead (NCII Sector Lead) and national critical information infrastructure entity (NCII Entity).

The Bill defines NCII Sector Lead as “any Government Entity or person appointed as a national critical infrastructure sector lead for each of the NCII Sector. The Minister charged with the responsibility of cyber security (Minister) may, upon the recommendation of the Chief Executive, appoint any Government Entity or person to be the NCII Sector Lead for each of the NCII sectors. Each NCII Sector may have one or more NCII Sector Lead(s).

NCII Sector Leads will be tasked with, among others, to^:

1. designate any government entity or person as an entity which owns or operates NCII in respect of its appointed sector;
2. prepare a code of practice, containing measures, standards and processes in ensuring the cyber security of an NCII within the NCII Sector for which it is appointed (Code of Practice);
3. implement the decisions of the NCSC and directives made under the Act; and
4. monitor and ensure that NCII Entities carry out obligatory duties imposed upon them.

NCII Entity is defined as “any Government Entity or person designated as an NCII Entity by a NCII Sector Lead, designated in such a manner as may be determined by the Chief Executive, if the NCII Sector Lead is satisfied that they own or operate an NCII”. The Chief Executive may also designate a NCII Sector Lead as a NCII Entity in such manner as he may determine if the Chief Executive is satisfied that the NCII Sector Lead owns or operates a NCII.

Government Entity means any ministry, department, office, agency, authority, commission, committee, board, council or other body, of the Federal Government, or of any of the State Governments, established under any written law or otherwise; and any local authority. Notably, a Government Entity can only be designated as an NCII Entity by an NCII Sector Lead which is itself a Government Entity.

NCII Entity may lose their designation if the NCII Sector Lead, or the Chief Executive (in the case where the NCII Sector Lead itself is an NCII Entity) is satisfied that the NCII Entity no longer owns or operates any NCII.

The duties of the NCII Entity include, among others, to:

1. Introduce a code of practice: implement the measures, standards and processes as specified in the Code of Practice
2. Audit: cause to be carried out an audit to determine the compliance of the NCII Entity with the Act
3. Cyber risk assessments: conduct cyber risk assessments in accordance with the Code of Practice and directive.
4. Cyber security incident: notify the Chief Executive and the relevant NCII Sector Lead(s) on any cyber security incident which has or might have occurred in respect of the NCII owned or operated.
5. Provision of information: provide information relating to NCII owned or operated when there is a request by the NCII Sector Lead(s), when the NCII Entity procures or has come into possession or control of any additional computer or computer system which, in its opinion, is an NCII, or when a material change is made to the design, configuration, security or operation of the NCII.

As we believe Cyber Security Incident will be most of interest to readers, we here provide an elaboration of what this entails.

Cyber Security Incident

Pursuant to section 23, the NCII Entity shall notify the Chief Executive and the relevant NCII Sector Lead(s) on any cyber security incident which has or might have occurred in respect of the NCII owned or operated.

Upon receipt of the incident report, the Chief Executive will instruct an authorized officer to investigate the matter. The purpose of the investigation is to ascertain if it in fact occurred and determine rectification and preventative measures to prevent the incident from occurring in the future.

Upon completion of the investigation by the authorized officer, if the authorized officer finds that -

(a)        no cyber security incident has occurred, the authorized officer shall notify the Chief Executive about such findings and the Chief Executive shall notify the NCII Entity accordingly and dismiss the matter; or

(b)        if the authorised officer finds that a cyber security incident has occurred, the authorised officer shall notify the Chief Executive about such findings and the Chief Executive shall notify the NCII Entity accordingly.

Upon being notified by the authorized officer that a cyber security incident has occurred, the Chief Executive may issue a directive to the NCII Entity concerned on the measures necessary to respond to or recover from the cyber security incident and to prevent such cyber security incident from occurring in the future.

Failure of the NCII Entity to comply with the directive of the Chief Executive on the measures necessary to respond to or recover from the cyber security incident and to prevent such cyber security incident from occurring in the future is an offence and it will be liable to a fine not exceeding RM200,000.00 and/or to imprisonment for a term not exceeding three years.

Licensing of cyber security service providers

Importantly, the Bill introduces a licensing framework for cyber security service providers. Cyber security service provider is defined as a person who provides a cyber security service, where cyber security service is defined as any cyber security service that may be prescribed by the Minister for which a licence shall be obtained. It was stated in the presentation slides provided at the public dialog session of the Cyber Security Bill dated 24 Nov 2023 that a cyber security service is a service provided by a person for reward that is intended primarily for or aimed at ensuring or safeguarding the cyber security of an information and communications technology device belonging to another person.

Following section 27, a person who -

(a)        provide any cyber security service; or

(b)        advertise, or in any way hold himself out as a provider of a cyber security service,

shall hold a licence to provide a cyber security service.
However, this does not apply where the service is provided by a company to its related company.

Any person or entity that provides cyber security services or holds themselves out as a provider of cyber security service without a licence shall be liable to a fine not exceeding RM500,000 and/or to imprisonment for a term not exceeding10 years.

Foreign companies who provide cyber security services in Malaysia are also required to register as a cyber security service provider.

According to section 28, an applicant must not have any convictions for offences involving fraud, dishonesty, or moral turpitude. Additionally, the Chief Executive shall establish other prerequisite requirements for applying for a licence.

Under section 29, when the Chief Executive receives the application for licence, the Chief Executive may approve the application and issue to the applicant upon payment of the prescribed fee a licence in such form as may be determined by the Chief Executive. If the Chief Executive refuses a licence application, he must provide the reasons for refusal. The Chief Executive may issue a licence that is subject to such conditions as the Chief Executive thinks fit to impose, and the Chief Executive may at any time vary or revoke the conditions imposed on a licence.

Licensees also have a duty to keep and maintain records. They must record particulars such as the licence holder, or any person acting on his behalf’s name, details of the services provided, and any other particulars the Chief Executive requires. The records shall be kept and maintained in the manner as may be determined by the Chief Executive; retained for a period of not less than six years from the date the cyber security service was provided; and produced to the Chief Executive at any time as the Chief Executive may direct.

Based on the presentation slides provided at the public dialog session of the Cyber Security Bill dated 24 Nov 2023, the requirement of licensing will likely apply to service providers that provide services to safeguard information and communications technology devices of another person. For instance, penetration testing providers and security operation centres.

In comparison, Singapore Cybersecurity Act 2018 also sets out the same types of service providers i.e. penetration testing and managed security operations centre monitoring.

These two services are given precedence due to the sensitive data they handle from clients. They are also widely used in the Singapore market, making them influential in shaping overall security measures. The decision to limit the licensing framework to these two services also considers industry concerns that broader licensing requirements could hinder the growth of a vibrant cybersecurity ecosystem in Singapore.

Positive step for Malaysia in the face of increasing and evolving cyber threats

Overall, the implementation of the Bill is a timely and positive step for Malaysia in the face of increasing and evolving cyber threats. The Bill has the potential to address existing legal gaps and enhance cyber defence mechanisms. It marks a significant milestone in protecting the NCII amidst a rapidly changing cyber landscape.

However, given the presence of certain uncertainties and shortcomings, it is hoped that such uncertainties and shortcomings can be resolved through implementations of regulations and guidelines. The Act must balance protecting the NCII with creating an environment that encourages businesses and protects the rights of the parties involved.

Given the potential financial constraints that the NCII Entities may encounter while adhering to the provisions of the Act, it is imperative for the Government to extend support in various forms, such as tax benefits, incentives, grants or subsidies, guidance, to alleviate their burden, fostering an environment conducive to innovation and digital advancement.

Besides, regarding the implementation of the Code of Practice, it is important for the Government to plan an interim period for industry consultation and feedback, making necessary adjustments and responses to ensure its effectiveness. It is paramount to ensure that any legislative or policy measures implemented within the cyber environment do not inadvertently impede innovation or hinder the growth of the digital economy.

Despite the challenges posed by these changes, organisations can mitigate their concerns by building robust internal cybersecurity capabilities. Due to the negative publicity and financial risks of cyberattacks, being prepared for cybersecurity is becoming essential for businesses. Organisations should be prepared and anticipate that they will be designated as an NCII Entity and take proactive measures to ensure it is ready to comply with the requirements of the Act once it is enforced. This involves ensuring that they have the necessary processes, structures, and personnel to manage cybersecurity issues and comply with regulations.

Essential components of these capabilities include:

1) strengthen their cybersecurity

2) review, update, and re-evaluate their current cyber security policies and procedures. If they lack such policies and procedures, they should consult with legal and professional experts to create them

3) undertake risk assessment measures

4) develop and implement effective risk management strategies

5) create cyber security incident response plans

6）obtain the necessary cyber insurance

7) threat intelligence analysis to anticipate future threats

8) establish cyber security incident handling and digital forensics

9) implement cyber security network defence and penetration testing; and

10) foster cybersecurity awareness of the various types and sophistication of cyberattacks among employees and third-party contractors by organising regular and consistent cyber security training or tabletop simulations of cyberattacks.

With respect to cyber insurance, while increased costs are inevitable, it is crucial as it could soften the blow of consequences of cyber security breach or non-compliance of the Act. From an insurance standpoint, regulatory protection within a cyber policy covers expenses related to legal defence and investigation in the event of regulatory inquiries or claims arising from cyber incidents or mishandling of such events. Other insurable aspects within a cyber policy encompass expenses for breach response, data administrative investigation, and regulatory investigations expenses. The requirement for mandatory reporting of cyber incidents can help insurers more accurately price risks and provide better protection.

Organisations should grasp their specific risk exposure when evaluating cyber insurance, especially given the lack of standardised forms in the Asian cyber insurance market. Consequently, policies vary in their coverage. Even subtle variations in language can significantly affect the extent of coverage available. 

Due to the widespread use of artificial intelligence and its growing exploitation by threat actors for cyberattacks, it is essential for everyone in the company to be aware of cyber threats and attacks. This is particularly important because most cyber security incidents are often caused by human susceptibility, carelessness, or accidents.

Joanne Wong is a second year in Bachelor of Law at Help University