
Evaluating The Impact Of The Cyber Security Act 2024






It is no surprise that as technology advances and evolves, the risk of cyber threats inevitably grows. Several online attacks and data breaches have occurred in recent years, affecting both governmental and private institutions and leading to millions of personal data leaks. For instance, the National Registration Department (JPN) and the Social Security Organisation (PERKESO) both experienced, at the very least, significant cyber threats that allegedly resulted in extensive leaks of data in 2022 and 2023 respectively. More recently, U-Mobile was investigated by the National Cyber Security Agency (NACSA) for a suspected data breach early this year.

 

These incidents not only call into question the effectiveness of data protection by government agencies and businesses but also highlight the inadequacies in enforcing data protection compliance. They underscore the urgent need for coherent legislation to address these issues, and hopefully the newly passed Cyber Security Act 2024 (Act) brings much-needed relief for individuals and companies alike.

 

Key Features Of The Cyber Security Act 2024 (CSA 2024)

 

The CSA 2024 consists of 8 parts, with 5 important features highlighted below that play a role in fostering accountability and readiness to tackle prevalent cybersecurity threats:

 

1. National Critical Information Infrastructure (NCII)

 

The National Critical Information Infrastructure (NCII), as defined under the Act, is a computer or computer system whose disruption or destruction would have a detrimental effect on the delivery of any service relating to security, defence, foreign relations, the economy, public health, public safety or public order, or on the ability of the government to carry out its functions effectively.

 

11 sectors are designated as “NCII sectors”, namely:


  • Government


  • Banking and finance


  • Transportation


  • Defence and national security


  • Information, communication and digital


  • Healthcare services


  • Water, sewerage and waste management


  • Energy


  • Agriculture and plantation


  • Trade, industry and economy


  • Science and technology

 

Each of these sectors requires additional protection and scrutiny, as they are integral to, and interconnected with, national security. Each sector will be spearheaded by sector leads appointed by the Minister (NCII Sector Lead), whose functions are (amongst others) to:

 

  • Designate an NCII entity


  • Prepare a code of practice within its sector


  • Implement the decisions of the National Cyber Security Committee (Committee) and the CSA 2024 directives


  • Monitor the implementation of the duties imposed on the NCII entities


  • Prepare and maintain guidelines on best practices for cyber security management


  • Prepare a situational report relating to a cyber security threat

 

Once an entity is designated as an NCII entity, it must conduct a cyber security risk assessment pursuant to the code of practice and conduct an audit to ensure compliance with the CSA 2024. It also has a duty to report and notify the Chief Executive of NACSA (Chief Executive) and its NCII Sector Lead of any cyber security incident.

 

2. Establishment of the National Cyber Security Committee (Committee)

 

The CSA 2024 establishes a Committee consisting of a total of 13 members, chaired by the Prime Minister with the assistance of the Chief Executive. The functions of the Committee include, among others:

 

  • Planning and providing policies for national cyber security


  • Monitoring the implementation of policies relating to national cyber security


  • Directing the Chief Executive and national information infrastructure sector leads on matters relating to national cyber security

 

The Committee can also establish a subcommittee to assist in its functions, which is to be chaired by any member from the Committee.


3. Chief Executive

 

The CSA 2024 also outlines the functions and duties of the Chief Executive, which include:

 

  • Advising and making recommendations to the Committee on national cyber security policies


  • Implementing the policies given or directed by the Committee or the Federal Government

     

  • Collecting and coordinating data and information relating to national cyber security


  • Disseminating information if the Chief Executive thinks that it is essential to do so in the interest of national cyber security

 

4. Extra-territoriality

 

Crucially, just as infrastructure and technology cross borders, the CSA 2024 does not shy away from applying the same principles to individuals outside of Malaysia. Offences committed outside Malaysia shall be deemed to have been committed within Malaysia if they relate to the NCII, either partially or in its entirety.

 

5. Applicability To Government

 

Unlike the Personal Data Protection Act 2010 which does not apply to the Government, the CSA 2024 binds both Federal and State Governments.

 

Conclusion

 

Overall, the CSA 2024 is welcomed for its enhancement of cybersecurity protection. Its key features collectively signal a positive step forward by the legislature. The legislation promotes accountability, transparency, and efficiency through numerous checks and balances. This move will foster growth and streamline the approach to combating cybersecurity threats. Ultimately, Malaysia will join countries like Singapore and Australia in having a comprehensive cybersecurity law. While there is great anticipation for the enactment of the CSA 2024, its impact and effectiveness will need to be observed and reviewed over time.


9 August 2024

 
