Malaysia is taking significant steps to enhance its cyber security framework with the recent updates to its Cyber Security Act 2024. These updates aim to strengthen the protection of national critical information infrastructure and ensure compliance among service providers in the digital landscape.
Key Takeaways
- Introduction of National Critical Information Infrastructure Sector Leads.
- Launch of the Cyber Security Service Providers licensing portal.
- Mandatory National Cyber Security Baseline Self-Assessment for designated entities.
- Clarification on cyber security risk assessment processes.
Overview of Cyber Security Act 2024
The Cyber Security Act 2024 (CSA), which came into effect on August 26, 2024, marks a pivotal moment in Malaysia's approach to cyber security. The Act establishes a comprehensive legal framework aimed at safeguarding the nation’s critical information infrastructure from cyber threats.
National Critical Information Infrastructure Sector Leads
On September 11, 2024, the National Cyber Security Agency (NACSA) announced the appointment of National Critical Information Infrastructure Sector Leads. The Sector Leads are responsible for overseeing the implementation of cyber security measures across various sectors deemed critical to national security.
Licensing for Cyber Security Service Providers
As part of the CSA, a licensing portal for Cyber Security Service Providers (CSSPs) was launched on October 1, 2024. This portal allows individuals and entities offering cyber security services to apply for the necessary licenses. A grace period until December 31, 2024, has been established for CSSPs to comply with this requirement.
National Cyber Security Baseline Self-Assessment
Designated National Critical Information Infrastructure Entities (NCII Entities) are now required to complete a National Cyber Security Baseline Self-Assessment within 14 days of their designation. This assessment is designed to ensure that these entities implement minimum cyber security controls and best practices to protect against potential threats. The assessment covers six key domains and includes 33 specific elements of cyber security.
Cyber Security Risk Assessment Process
Under Section 22(1) of the CSA, NCII Entities must conduct annual cyber security risk assessments. A directive issued by NACSA outlines the necessary steps for these assessments, which include:
- Identifying potential cyber security risks.
- Analyzing the probability and impact of these risks.
- Documenting actions to mitigate identified risks.
The results of these assessments must be reported to NACSA and relevant sector leads, ensuring transparency and accountability in the management of cyber security risks.
Conclusion
Malaysia's proactive approach to updating its cyber security laws reflects its commitment to safeguarding national interests in an increasingly digital world. By establishing clear guidelines and requirements for service providers and critical infrastructure entities, the country aims to bolster its defenses against cyber threats and enhance overall security resilience.