It is no surprise that as technology advances and evolves, the risk of cyber threats inevitably grows. Several online attacks and data breaches have occurred in recent years, affecting both governmental and private institutions and leading to millions of personal data leaks. For instance, the National Registration Department (JPN) and the Social Security Organisation (PERKESO) both, at the very least, experienced significant cyber threats that allegedly resulted in extensive leaks of data in 2022 and 2023 respectively. More recently, U-Mobile was investigated by the National Cyber Security Agency (NACSA) for a suspected data breach early this year.
These incidents not only call into question the effectiveness of data protection by government agencies and businesses but also highlight the inadequacies in enforcing data protection compliance. This underscores the urgent need for coherent legislation to address these issues. Hopefully, the newly passed Cyber Security Act 2024 (Act) brings much-needed relief for individuals and companies alike.
Key Features Of The Cyber Security Act 2024 (CSA 2024)
The CSA 2024 consists of 8 parts, with 5 important features highlighted below that play a role in fostering accountability and readiness to tackle prevalent cybersecurity threats:
1. National Critical Information Infrastructure (NCII)
The National Critical Information Infrastructure (NCII), as defined under the Act, is a computer or computer system whose disruption or destruction would have a detrimental effect on the delivery of service relating to the security, defence, foreign relations, economy, public health, public safety, public order or the ability of the government to carry out its functions effectively.
11 sectors are designated as “NCII sectors” including:
Government
Banking and finance
Transportation
Defence and national security
Information, communication and digital
Healthcare services
Water, sewerage and waste management
Energy
Agriculture and plantation
Trade, industry and economy
Science and technology
Each of these sectors requires additional protection and scrutiny as they are integral to, and interconnected with, national security. Each of these sectors will be spearheaded by sector leads appointed by the Minister (NCII Sector Lead), whose functions are to (amongst others):
Designate an NCII entity
Prepare a code of practice within its sector
Implement the decisions of the National Cyber Security Committee (Committee) and the CSA 2024 directives
Monitor the implementation of the duties imposed on the NCII entities
Prepare and maintain guidelines on best practices for cyber security management
Prepare a situational report relating to a cyber security threat
Once an entity is appointed as an NCII entity, it must conduct a cyber security risk assessment pursuant to the code of practice and conduct an audit to ensure compliance with the CSA 2024. It also has the duty to report and notify the Chief Executive of NACSA (Chief Executive) and its NCII Sector Lead of any cyber security incident.
2. Establishment of the National Cyber Security Committee (Committee)
The CSA 2024 establishes a Committee consisting of a total of 13 members, chaired by the Prime Minister and with the assistance of the Chief Executive. The functions of the Committee, among others, include:
Planning and providing policies for national cyber security
Monitoring the implementation of policies relating to national cyber security
Directing the Chief Executive and national information infrastructure sector leads on matters relating to national cyber security
The Committee can also establish a subcommittee to assist in its functions, which is to be chaired by any member of the Committee.
3. Chief Executive
The CSA 2024 also outlines the functions and duties of the Chief Executive, which include:
Advising and making recommendations to the Committee on national cyber security policies
Implementing the policies given or directed by the Committee or the Federal Government
Collecting and coordinating data and information relating to national cyber security
Disseminating information if the Chief Executive thinks that it is essential to do so in the interest of national cyber security
4. Extra-territoriality
Crucially, just as infrastructure and technology cross borders, the CSA 2024 does not shy away from applying the same principles to individuals outside of Malaysia. Offences committed outside Malaysia shall be deemed to have been committed within Malaysia if they relate to the NCII, either partially or in its entirety.
5. Applicability To Government
Unlike the Personal Data Protection Act 2010 which does not apply to the Government, the CSA 2024 binds both Federal and State Governments.
Conclusion
Overall, the CSA 2024 is welcomed for its enhancement of cybersecurity protection. Its key features collectively signal a positive step forward by the legislature. The legislation promotes accountability, transparency, and efficiency through numerous checks and balances. This move will foster growth and streamline the approach to combating cybersecurity threats. Ultimately, Malaysia will join countries like Singapore and Australia in having a comprehensive cybersecurity law. While there is great anticipation for the enactment of the CSA 2024, its impact and effectiveness will need to be observed and reviewed over time.
9 August 2024