An Overview of Malaysia Cyber Security Act 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Syeda Eimaan Gardezi

Associate Data Privacy Analyst at Securiti

Rohma Fatima Qayyum

Assoc. Data Privacy Analyst

I. Introduction

Malaysia introduced the Cyber Security Act 2024 (Act) to strengthen its cybersecurity framework in an increasingly data-driven digital landscape. The Act received Royal Assent on July 18, 2024, and was published in the Official Gazette on June 26, 2024.

It provides a comprehensive legal foundation for addressing and managing cyber threats. To this end, it establishes the National Cyber Security Committee (NCSC) to coordinate cybersecurity strategies, grants expanded powers to the National Cyber Security Agency (NACSA) and mandates specific cybersecurity protocols for entities classified as having National Critical Information Infrastructure (NCII).

The Act also introduces strict requirements, such as mandatory risk assessments, incident reporting, and licensing for cybersecurity service providers, to safeguard Malaysia's digital ecosystem against evolving cyber threats. Read on to learn more.

II. Who Needs to Comply with the Act

A. Material Scope

The Act applies to licensed cybersecurity service providers that are designated as National Critical Information Infrastructure (NCII) entities and operate in the following sectors:

  • government,
  • banking and finance,
  • transportation,
  • defense,
  • national security,
  • information, communication and digital,
  • healthcare services,
  • water, sewerage, and waste management,
  • energy, agriculture and plantation,
  • trade, industry, and economy,
  • science, technology, and innovation.

However, under the Cyber Security (Exemption) Order 2025, several companies have been exempted from the provisions of the Cyber Security Act 2024.

B. Territorial Scope

This Act gives Malaysia extraterritorial jurisdiction over offenses committed under it, regardless of the offender's nationality or location. It applies specifically if the offense involves Malaysia's national critical information infrastructure (NCII).

III. Definitions of Key Terms

a. Chief Executive

The Chief Executive of the National Cyber Security Agency (NACSA).

b. National Critical Information Infrastructure Entity (NCII Entity)

An NCII Entity is any government agency or individual.

c. National Critical Information Infrastructure (NCII)

NCII is a computer or computer system that, if disrupted or destroyed, will negatively affect the ability of the government to conduct its duties or deliver any services that are necessary for Malaysia's security, defense, foreign relations, economy, public health, public safety, or public order.

d. Cyber Security Threat

An unauthorized act or conduct done on or through a computer or computer system that could immediately put at risk or undermine the cyber security of that computer or computer system, or of another computer or computer system.

e. Cyber Security Incident

An unauthorized act or conduct done on or through a computer or computer system that could put at risk or threaten the cyber security of that computer or computer system, or of another computer or computer system.

f. Cyber Security

The state in which a computer or computer system is protected from attacks or unauthorized access, so that its availability and operational functionality, and the integrity and confidentiality of the information it stores, processes, or transmits, are preserved.

g. Cyber Security Service Provider

An individual who provides a cyber security service.

IV. Obligations for NCII Entities Under the Act

A. Establishment of the National Cyber Security Committee (NCSC)

The Act establishes the NCSC. The Prime Minister chairs the NCSC; its other members include the Chief Secretary to the Government, the Chief of the Defence Force, the Director General of National Security, the Inspector General of Police, and the ministers responsible for finance, foreign affairs, defense, home affairs, communications, and digital matters. Up to two experienced cybersecurity professionals may also be appointed as members of the NCSC.

Functions of the National Cyber Security Committee

In addition to advising the government on cybersecurity policies, the NCSC is in charge of planning, developing, and determining national cybersecurity policies; identifying strategies to address cybersecurity issues; monitoring the implementation of policies and strategies; guiding the Chief Executive and infrastructure sector leads on cybersecurity matters; ensuring the Act is implemented effectively; and carrying out other pertinent tasks.

B. Appointment of Cyber Security Expert

The Chief Executive may appoint any qualified individual as a cybersecurity expert in writing for a duration deemed suitable to fulfill the office's responsibilities.

C. Information Provision

NCII entities must provide the appropriate sector lead with information on their critical infrastructure upon request. This includes disclosing significant changes to the infrastructure's cybersecurity, such as changes to security protocols or design improvements.

Where the Chief Executive has good cause, they may, by written directive, require any person believed to hold records, evidence, or information relevant to the Chief Executive's functions to produce it within a specified deadline. The Chief Executive may also, by notice, require such persons to appear before a designated official to give evidence or submit documentation, with extensions granted where necessary. These powers give the Chief Executive access to the information needed to carry out their duties under the Act.

D. Adherence to Codes of Practice

NCII entities must implement the cybersecurity procedures, standards, and safeguards set out in the sector-specific codes of practice. While compliance with the established code is required, alternative measures may be used if they provide equivalent or better protection.

The NCII sector lead must develop a code of practice that outlines procedures, standards, and measures, and have it approved by the Chief Executive. While developing this code, the sector lead must consider the roles of NCII entities, relevant cybersecurity regulations, and feedback from regulatory bodies and NCII entities.

The Chief Executive will approve the code if it meets or exceeds the required standards, takes the necessary factors into account, and is consistent with the Act's provisions. Once approved, the code takes effect on the date of endorsement. If the code is not approved, the Chief Executive must notify the sector lead and explain why.

E. Cyber Security Risk Assessments and Audits

In accordance with the code of practice and any directive of the Chief Executive, an NCII entity must conduct a cybersecurity risk assessment and audit within the prescribed time frame to ensure compliance with the Act. The assessment and audit must be carried out by an authorized auditor, and the results must be submitted to the Chief Executive within 30 days.

If the Chief Executive is not satisfied with the assessment or audit results, further action, such as a re-evaluation or corrective measures, may be required. The Chief Executive may also direct further assessments or audits if significant changes are made to the NCII's operations or security.

More details on cyber security risk assessments and audits are available in the Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024.

F. Incident Reporting

NCII entities must promptly notify their sector lead and the Chief Executive of any cybersecurity incident, or possible threat, affecting their infrastructure. A comprehensive report must be submitted within 6 hours of the incident coming to the knowledge of the NCII entity, and a follow-up report within 14 days.

Further details on the notification of cyber security incidents are available in the Cyber Security (Notification of Cyber Security Incident) Regulations 2024.

G. Participation in Cybersecurity Exercises

The Chief Executive may conduct cybersecurity exercises to assess an NCII entity's readiness to handle cybersecurity threats or incidents. Before conducting such an exercise, the Chief Executive must give written notice to the NCII entity and may issue directions to assist with the procedure.

H. Licensing for Cybersecurity Service Providers

NCII entities that provide cybersecurity services must apply for a NACSA license. This requirement ensures that service providers meet certain standards and comply with the prescribed guidelines.

More details on licensing of cyber security service providers are available in the Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024.

I. Record of Processing Activities

For every engagement, a licensee providing cybersecurity services must keep detailed records, including the client's name and address, the service provider's name, the date and time, details of the service, and any other information the Chief Executive requires. These records must be made available to the Chief Executive on request and retained for at least six years.

V. Regulatory Authority

The Act establishes the National Cyber Security Committee and defines the roles and responsibilities of the Chief Executive of the National Cyber Security Agency (NACSA). These bodies oversee the implementation of cybersecurity policies and ensure compliance across sectors.

The Minister responsible for cyber security may authorize public officers to carry out duties under this Act. Each authorized officer is issued an authorization card signed by the Minister, which must be produced on request when exercising these powers.

VI. Penalties for Non-Compliance

The Act outlines stringent penalties for non-compliance, including:

a. Non-compliance by National Critical Information Infrastructure (NCII) Entities

  • Failure to Implement Codes of Practice

    • NCII entities must follow sector-specific codes of practice. Non-compliance can result in fines of up to RM500,000, imprisonment for up to 10 years, or both.

  • Inadequate Cybersecurity Risk Assessments and Audits

    • NCII entities must conduct regular cybersecurity risk assessments and audits. Failure to do so or submit reports may result in fines of up to RM200,000, imprisonment for up to 3 years, or both.

  • Failure to Report Cybersecurity Incidents

    • NCII entities must promptly report cybersecurity incidents to the NACSA’s Chief Executive and their respective NCII sector leads. Failure to report can result in fines up to RM500,000, imprisonment for up to 10 years, or both.

b. Non-compliance by Cybersecurity Service Providers

  • Unlicensed Service Provision

    • Offering or advertising cybersecurity services without a valid license is punishable by a fine of up to RM500,000, imprisonment for up to 10 years, or both.

  • Unauthorized or Illegal Transfer or Assignment of License

    • Violating licensing conditions may result in a fine of up to RM200,000, imprisonment for up to 3 years, or both.

  • Failure to Maintain Service Records

    • Failure to keep required records of services provided can result in fines of up to RM100,000, imprisonment for up to 2 years, or both.

c. Non-compliance with Cybersecurity Exercises

  • Failure to Comply with Directions

    • NCII entities must follow the Chief Executive's directions regarding cybersecurity exercises. Non-compliance can result in fines of up to RM100,000.

VII. How Can an Organization Operationalize the Act?

To operationalize the Act, an organization must take the following steps:

a. Conduct a Compliance Assessment

Compare the Act's standards with current cybersecurity policies to determine documentation, reporting, or process gaps.

b. Establish a Cybersecurity Compliance Team

Assign an individual or a team responsible for understanding and meeting the Act's obligations and for liaising with regulatory agencies.

c. Develop and Implement Cybersecurity Policies

Develop or revise cybersecurity policies, including incident response, data protection, and employee obligations, to comply with the Act.

d. Conduct Regular Risk Assessments and Audits

Conduct regular cybersecurity risk assessments and audits, and record the results together with the resulting improvement plans.

e. Train Employees on Compliance Requirements

Provide adequate training on the Act’s requirements to ensure all employees understand their roles in maintaining compliance and reporting incidents.

f. Implement Incident Reporting Mechanisms

Establish procedures for promptly identifying, recording, and reporting cybersecurity incidents to comply with the Act's obligations.

g. Ensure Record-Keeping Practices

Maintain accurate records of cybersecurity services, including details of engagements and client information, to comply with record-keeping and reporting obligations.

h. Engage in Regular Cybersecurity Exercises

Participate in or lead cybersecurity exercises while complying with regulatory agency guidelines to evaluate and enhance the organization's incident response readiness.

i. Obtain Necessary Licenses for Cybersecurity Services

Obtain the necessary license and maintain compliance with licensing requirements when advertising or providing cybersecurity services.

VIII. How Securiti Can Help

Securiti emerges as a pivotal catalyst for organizations seeking to navigate and comply with Malaysia’s Cyber Security Act 2024 and privacy laws in Malaysia. Securiti’s robust modules fortify organizations against potential cyber threats and ensure alignment with Saudi Arabia’s stringent data privacy laws.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.
