In response to the escalating cyber security threats, Malaysia has introduced the Cyber Security Bill 2024. The Bill was tabled for its first reading in the Malaysian Parliament on March 25, 2024, aiming to create a robust regulatory framework for the nation’s cyber security. This comprehensive legislation mandates that national critical information infrastructure (NCII) entities comply with stringent measures, standards, and processes for managing cyber threats and incidents. Notable provisions include the establishment of the National Cyber Security Committee, delineation of the Chief Executive’s duties and powers, designation of NCII sectors and entities, and the licensing of cyber security service providers.

Applicability and Governance

The Bill’s reach extends beyond Malaysia’s borders, applying to any individual or entity, regardless of nationality or location. Both the Federal and State Governments are subject to its provisions, although they are exempt from prosecution under this Bill. This extra-territorial application underscores Malaysia’s commitment to comprehensive cyber security coverage.

National Cyber Security Committee and Chief Executive

Central to the Bill is the formation of a 13-member National Cyber Security Committee, chaired by the Prime Minister. This committee will play a pivotal role in advising the Federal Government on enhancing cyber security measures. Its responsibilities include overseeing the implementation of the Bill once it is enacted and providing guidance to the Chief Executive of the National Cyber Security Agency and the NCII sector leads on matters related to national cyber security.

The Chief Executive holds significant authority under the Bill. One of the key responsibilities is establishing the National Cyber Coordination and Command Centre, a system designed to address cyber security threats and incidents. Additionally, the Chief Executive is empowered to issue directives necessary for ensuring compliance with the Bill’s provisions, thus ensuring a coordinated and effective national response to cyber threats.

National Critical Information Infrastructure (NCII)

To safeguard against cyber security threats and incidents, the Bill imposes specific requirements on entities that own or operate NCII. The Bill defines NCII as any computer or computer system whose disruption or destruction would significantly impact Malaysia’s essential services, security, defense, economy, public health, public safety, public order, or government functionality. This definition is broad, encompassing various critical sectors vital to the nation’s well-being.

NCII Sectors

The Bill identifies several sectors deemed as NCII sectors, highlighting their importance to national security and stability. These sectors include:

• Government,
• Banking and finance,
• Transportation, defense, and national security,
• Information, communication, and digital,
• Healthcare services,
• Water, sewerage, and waste management,
• Energy,
• Agriculture and plantation,
• Trade, industry, and economy,
• Science, technology, and innovation.

NCII Sector Leads

For each NCII sector, a Sector Lead will be appointed by the Minister responsible for cyber security, based on recommendations from the Chief Executive. Sector Leads can be government or private entities and are tasked with several critical responsibilities. They will designate entities as NCII operators within their sector and develop Codes of Practice that outline the necessary measures, standards, and processes to ensure the cyber security of their respective NCII.

NCII Entities

Designated NCII entities are obliged to implement the prescribed Codes of Practice. These entities must conduct regular cyber security risk assessments in line with the Code of Practice and undergo audits to determine their compliance with the Cyber Security Act 2024. The audit reports must be submitted to the Chief Executive within specified periods, ensuring ongoing compliance and accountability.

Additionally, NCII entities must report any cyber security incidents to the Chief Executive and their Sector Lead. This reporting triggers an investigation by the Chief Executive to confirm the incident and determine corrective and preventative measures to avoid future occurrences. Although the Bill does not specify the timelines and scope of information required for incident reporting, these details are expected to be clarified through directives or regulations issued by the Minister once the Bill is enacted.

Licensing of Cyber Security Service Providers

The Bill mandates that any individual or entity providing or advertising cyber security services must obtain a Cyber Security Service Provider License. The definition and scope of what constitutes a “cyber security service” will be determined by the Minister. This licensing requirement aims to ensure that only qualified and reputable service providers operate within the country, thereby enhancing the overall cyber security landscape.

Key Takeaways

The Cyber Security Bill 2024 is a significant legislative measure aimed at bolstering Malaysia’s defense against cyber threats. While it shares similarities with cyber security laws in other Commonwealth countries, such as Singapore’s Cybersecurity Act 2018, the Malaysian Bill introduces distinctive roles and frameworks tailored to the nation’s specific needs.

Comparison with Other Jurisdictions

Similar to the Singapore Cybersecurity Act 2018, the Malaysian Bill focuses on enhancing the security of national critical information infrastructure and regulating cyber security service providers. However, it introduces unique roles such as the Chief Executive and NCII Sector Leads, ensuring a more industry-specific focus on cyber security governance. These roles are designed to provide specialized oversight and management, reflecting an understanding that different sectors have unique vulnerabilities and requirements.

Addressing the Growing Threat Landscape

The introduction of the Bill comes at a crucial time when cyber breach incidents are becoming increasingly prevalent in Malaysia. The extensive use of information and communications technology systems in both the public and private sectors has heightened the nation’s vulnerability to cyber threats. This Bill represents a proactive step towards securing Malaysia’s digital future, emphasizing the importance of protecting national critical information infrastructures.

The proposed measures, standards, and processes underscore Malaysia’s commitment to maintaining a secure cyber environment. By mandating regular risk assessments, audits, and incident reporting, the Bill ensures that NCII entities are continuously monitored and held accountable for their cyber security practices. This rigorous approach aims to mitigate the risk of cyber attacks and minimize their impact on essential services and national security.

Implementation and Future Considerations

As Malaysia moves forward with this legislation, it will be crucial to monitor its implementation and impact. Ensuring the Bill effectively addresses the evolving landscape of cyber threats will require continuous evaluation and adaptation. The roles of the National Cyber Security Committee, the Chief Executive, and the NCII Sector Leads will be instrumental in this process, providing the necessary oversight and guidance to navigate the complexities of cyber security.

The Bill’s extra-territorial application and its comprehensive scope reflect Malaysia’s recognition of the global nature of cyber threats. By holding entities accountable regardless of their location, the Bill aims to create a robust and secure cyber environment both within and beyond Malaysia’s borders.

In conclusion, the Cyber Security Bill 2024 marks a significant advancement in Malaysia’s efforts to enhance its cyber security infrastructure. By establishing a detailed regulatory framework and introducing specialized roles for oversight and management, the Bill aims to provide a robust defense against the growing threat of cyber attacks. As Malaysia continues to develop its digital landscape, this legislation will play a crucial role in ensuring the security and resilience of the nation’s critical information infrastructures.