Bread & Kaya: Impact of the Cyber Security Bill 2024 on the Cybersecurity Industry in Malaysia

  • Section 14 is widely worded, and the Chief Executive’s powers under it may be open to abuse.
  • It is paramount that any legislative or policy measure implemented does not inadvertently impede innovation.


The Cyber Security Bill 2024 (hereinafter referred to as the Bill or the Act) was passed by Parliament on April 3, 2024. The Bill will next be presented for Royal Assent and subsequently gazetted into law.

(Unless otherwise stated, references to any section herein are to the Cyber Security Bill 2024.)

This new law aims to enhance national cyber security by providing for:

  • the establishment of the National Cyber Security Committee;
  • the duties and powers of the Chief Executive of the National Cyber Security Agency;
  • the functions and duties of the national critical information infrastructure (NCII) sector leads;
  • the management of cyber security threats and cyber security incidents affecting national critical information infrastructure; and
  • the regulation of cyber security service providers through licensing.

Cyber security legislation is not a new concept. Singapore passed the Cybersecurity Act 2018, Thailand passed the Cyber Security Act 2019, Vietnam passed the Law on Cyber Security in 2018, Australia passed the Security of Critical Infrastructure Act 2018, and Ghana passed the Cybersecurity Act 2020.

While it bears similarities to foreign cyber security legislation, the Bill introduces distinctive roles such as the Chief Executive and the national critical information infrastructure sector lead. These roles aim to give Malaysia a more sector-specific approach to cyber security management.

Amid rising cyber intrusions in Malaysia, the Bill marks a vital step towards a secure digital future. Through its proposed measures, standards and processes, it underscores the country’s commitment to protecting NCII in both the public and private sectors.

Applicability of the Bill

The Bill has extra-territorial effect: it applies to any person, regardless of nationality or citizenship, and has effect both within and outside Malaysia.

In practice, it may still be difficult to apprehend foreign cybercriminals, especially where they are based in jurisdictions with weaker laws and enforcement. The extra-territorial reach may therefore have only a limited effect in preventing or deterring such criminals.

While the Federal Government and the State Governments are also bound by the Bill, no prosecution may be brought against them for any failure to comply with its provisions. The Government will nonetheless take all necessary steps to ensure that all government entities, including those under the Federal Government, comply with the Act.

National Critical Information Infrastructure

The Bill introduces the concept of NCII. It is defined as “a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively”.

This would include, for instance, the computer or computer systems used to process all banking or telecommunications records.

National Cyber Security Committee (NCSC)

The Bill establishes the NCSC, consisting of the Prime Minister, the Ministers responsible for certain ministries and agencies, the Chief Secretary to the Government, the Chief of Defence Force, the Inspector General of Police, the Director General of National Security and two other persons who may be appointed by the Committee from among persons of standing and knowledge in cyber security.

The NCSC’s functions include:

(a) to plan, formulate and decide on policies relating to national cyber security;

(b) to decide on the strategies and measures for addressing issues relating to national cyber security;

(c) to monitor the implementation of policies and strategies relating to national cyber security;

(d) to advise and make recommendations to the Federal Government on policies and strategic measures to strengthen national cyber security;

(e) to give directions to the Chief Executive and the national critical information infrastructure sector leads on matters relating to national cyber security;

(f) to oversee the effective implementation of the Act; and

(g) to do such other things arising out of or consequential to the functions of the Committee under the Act, consistent with the purposes of the Act.

The NCSC shall have all such powers as may be necessary for, in connection with, or reasonably incidental to the performance of its functions under the Act.

The Chief Executive

The Act provides for the Chief Executive of the National Cyber Security Agency (Chief Executive), who also serves as secretary to the NCSC.

The Chief Executive is empowered under the Act to, among other things, advise and make recommendations to the NCSC; implement policies relating to cyber security; appoint cyber security experts; conduct cyber security exercises to assess the readiness of any NCII Entity in responding to a cyber security threat or cyber security incident; establish the National Cyber Coordination and Command Centre system for dealing with cyber security threats and cyber security incidents; and issue such directives as are necessary to ensure compliance with the Act.

Section 14 confers very broad powers on the Chief Executive. Under section 14(1), the Chief Executive has the power to direct for information: where he has reason to believe that any person, Government Entity or body has information relevant to the performance of his duties and powers, he may require that person to provide it. Failure to comply with such a direction is an offence punishable by a fine not exceeding RM200,000 (about US$42,440) and/or imprisonment for a term not exceeding three years.

The Chief Executive’s authority under this section is wide because he may issue a written notice to “any person” for the production of information, documents or electronic media “as specified” or as the Chief Executive may determine. Although the duties and powers of the Chief Executive are set out in section 10, section 14 is widely worded and may be open to abuse or to excessive or improper exercise.

The Chief Executive has full discretion over the content and manner of a direction for information, and the direction is not subject to any external review. It is also noted that section 14(1) uses the term “any person”. This appears to be a deliberate choice of words: the Chief Executive may direct for information from anyone, regardless of whether that person owns or operates any NCII.

In any event, under section 14(2), if the recipient of such a direction does not have the document, he shall state, to the best of his knowledge and belief, where the document may be found, identify, to the best of his knowledge and belief, the last person who had custody of the document, and state, to the best of his knowledge and belief, where that last-mentioned person may be found.

Under section 14(3), the recipient must ensure that the information, particulars or copies of documents provided are true, accurate and complete, and must make a declaration to that effect, including a declaration that he is not aware of any other information, particulars or documents that would make what has been provided false or misleading.

Any person who fails to comply with section 14(2) or 14(3) commits an offence and is liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding three years or to both.

NCII Sectors

The Bill sets out the following list of sectors regarded as NCII sectors that are crucial to Malaysia’s cyber security:

  1. government;
  2. banking and finance;
  3. transportation;
  4. defence and national security;
  5. information, communication and digital;
  6. healthcare products and services;
  7. water, sewerage and waste management;
  8. energy;
  9. plantations and agriculture;
  10. trade, industry and economy; and
  11. science, technology and innovation.

NCII Sector Lead and NCII Entity

National Critical Information Infrastructure Sector Lead (NCII Sector Lead) and National Critical Information Infrastructure Entity (NCII Entity) are two distinct classifications introduced by the Bill.

The Bill defines NCII Sector Lead as “any Government Entity or person appointed as a national critical information infrastructure sector lead for each of the NCII Sectors”. Any Government Entity or person may be appointed as the NCII Sector Lead for an NCII Sector, on the recommendation of the Minister in charge of cyber security (Minister). Each NCII Sector may have one or more NCII Sector Leads.

NCII Sector Leads will be tasked, among other things, with:

  1. designating any Government Entity or person that owns or operates NCII in its appointed sector as an NCII Entity;
  2. preparing a code of practice setting out the measures, standards and processes for protecting NCII within the NCII Sector for which it has been appointed (Code of Practice);
  3. implementing the decisions of the NCSC and the directives issued under the Act; and
  4. monitoring NCII Entities and ensuring that they fulfil their obligations.

NCII Entity is defined as “any Government Entity or person designated as an NCII Entity by an NCII Sector Lead, in such manner as may be determined by the Chief Executive, if the NCII Sector Lead is satisfied that it owns or operates an NCII”. Where the Chief Executive is satisfied that an NCII Sector Lead itself owns or operates an NCII, he may likewise designate that NCII Sector Lead as an NCII Entity.

Government Entity means any ministry, department, office, agency, authority, commission, committee, board, council or other body of the Federal Government or of any of the State Governments, established under any written law or otherwise, and any local authority. Notably, an NCII Sector Lead that is itself a Government Entity can only designate a Government Entity as an NCII Entity.

An NCII Entity may lose its designation if the NCII Sector Lead, or the Chief Executive (where the NCII Sector Lead is itself the NCII Entity), is satisfied that the NCII Entity no longer owns or operates any NCII.

The NCII Entity’s obligations include, among others:

  1. Code of Practice: implement the measures, standards and processes specified in the Code of Practice.
  2. Audit: cause an audit to be conducted to determine whether the NCII Entity is in compliance with the Act.
  3. Cyber security risk assessment: conduct cyber security risk assessments in accordance with the Code of Practice and any directive.
  4. Incident notification: notify the Chief Executive and the relevant NCII Sector Lead(s) of any cyber security incident that has or may have occurred in respect of the NCII it owns or operates.
  5. Provision of information: provide information relating to the NCII it owns or operates when requested by the NCII Sector Lead(s); when the NCII Entity procures, or comes into possession or control of, any additional computer or computer system which, in its opinion, is an NCII; or when a material change is made to the design, configuration, security or operation of the NCII.

As we expect the cyber security incident obligation to be of greatest interest to readers, we explain below what it entails.

Cyber Security Incident

Under section 23, any cyber security incident that has or may have occurred in respect of the NCII owned or operated must be notified to the Chief Executive and the relevant NCII Sector Lead(s).

Upon receipt of the notification, the Chief Executive will instruct an authorised officer to investigate the matter. The purpose of the investigation is to determine whether a cyber security incident has in fact occurred and what measures are needed to respond to it and to prevent it from recurring.

Upon completion of the investigation, if the authorised officer finds that:

(a) no cyber security incident has occurred, the authorised officer shall notify the Chief Executive of such findings and the matter shall be dismissed accordingly; or

(b) a cyber security incident has occurred, the authorised officer shall notify the Chief Executive of such findings and the Chief Executive shall notify the NCII Entity accordingly.

Upon being notified that a cyber security incident has occurred, the Chief Executive may issue a directive to the NCII Entity concerned on the measures necessary to respond to or recover from the incident and to prevent such incidents from occurring in the future.

Failure of the NCII Entity to comply with the Chief Executive’s directive on the measures necessary to respond to or recover from the cyber security incident and to prevent such incidents from occurring in the future is an offence, punishable by a fine not exceeding RM200,000 and/or imprisonment for a term not exceeding three years.

Licensing of Providers of Cyber Security Services

Importantly, the Bill introduces a licensing framework for cyber security service providers. A cyber security service provider is defined as any person who provides a cyber security service, and a cyber security service means such cyber security service as may be prescribed by the Minister, for which a licence is required. The presentation slides provided at the public dialogue session on the Cyber Security Bill dated 24 Nov 2023 stated that a cyber security service is a service provided by a person for reward that is intended primarily for, or aimed at, ensuring or safeguarding the cyber security of an information and communications technology device belonging to another person.

Under section 27, any person who:

(a) provides any cyber security service; or

(b) advertises, or in any way holds himself out, as a provider of a cyber security service,

shall hold a licence to provide a cyber security service. This does not apply where a company provides the service to its subsidiary company.

Any person or entity that provides cyber security services, or holds itself out as a provider of cyber security services, without a licence is liable to a fine not exceeding RM500,000 and/or imprisonment for a term not exceeding 10 years.

Foreign businesses that offer cyber security services in Malaysia are also required to register as such.

Under section 28, an applicant must not have been convicted of any offence involving fraud, dishonesty or moral turpitude. The Chief Executive may also prescribe additional requirements for licence applications.

Under section 29, on receiving an application for a licence, the Chief Executive may approve the application and, upon payment of the prescribed fee, issue to the applicant a licence in such form as the Chief Executive may determine. The Chief Executive must give reasons where a licence application is refused. The Chief Executive may issue a licence subject to such conditions as he thinks fit to impose, and may at any time vary or revoke the conditions imposed on a licence.

Licensees are also required to keep and maintain records. These must include the name of the licensee or of any person acting on his behalf, details of the services provided, and any other particulars the Chief Executive may require. The records shall be kept and maintained in such manner as the Chief Executive may determine, retained for at least six years after the provision of the cyber security service, and produced to the Chief Executive at any time on request.

Based on the presentation slides provided at the public dialogue session on the Cyber Security Bill dated 24 Nov 2023, the licensing requirement will likely apply to service providers that provide services to safeguard the information and communications technology devices of another person. The examples given were penetration testing and security operations centre providers.

In comparison, the Singapore Cybersecurity Act 2018 also licenses the same two types of service providers, i.e. penetration testing and managed security operations centre monitoring.

These two services were prioritised because their providers have access to sensitive client information. They are also widely used in the Singapore market and so have significant influence over the overall security landscape. Industry concerns that broader licensing requirements might hinder the development of a vibrant cybersecurity ecosystem in Singapore were also taken into account in limiting the licensing framework to these two services.

Positive step for Malaysia in the face of increasing and evolving cyber threats

In light of the growing and evolving cyber threats, the Bill is a positive and timely step for Malaysia. It has the potential to address existing legal gaps and enhance cyber defence mechanisms. In a rapidly evolving cyber landscape, this is a significant milestone in protecting the NCII.

However, the Bill contains certain uncertainties and shortcomings, and it is hoped that these can be resolved through the implementing regulations and guidelines. The Act must strike a balance between protecting the rights of the parties involved and promoting business.

Given the financial constraints that NCII Entities may face in complying with the Act, it is imperative for the Government to extend support in various forms, such as tax benefits, incentives, grants or subsidies, and guidance, to alleviate their burden and foster an environment conducive to innovation and digital advancement.

In addition, it is crucial for the Government to provide an interim period of industry consultation and feedback before the Code of Practice is implemented, so that necessary adjustments can be made and its effectiveness ensured. It is paramount that any legislative or policy measure implemented in the cyber environment does not inadvertently impede innovation or hinder the growth of the digital economy.

Despite the challenges these changes bring, organizations can address their concerns by developing robust internal cybersecurity capabilities. Given the reputational and financial risks of cyberattacks, cybersecurity preparedness is becoming essential for businesses. Organizations should anticipate being designated as an NCII Entity and take proactive steps now so that, once the Act is in force, they are in line with its requirements. This involves ensuring that they have the necessary processes, structures and personnel to manage cybersecurity issues and comply with the regulations.

These capabilities include the following:

1) strengthen their cybersecurity posture;

2) review, update and re-evaluate their current cyber security policies and procedures, and, if they lack such policies and procedures, consult legal and professional experts to create them;

3) carry out risk assessments;

4) develop and implement effective risk management strategies;

5) develop cyber security incident response plans;

6) obtain the necessary cyber insurance;

7) conduct threat intelligence analysis to anticipate potential threats;

8) establish cyber security incident handling and digital forensics capabilities;

9) carry out penetration testing and network defence; and

10) foster awareness of the various types and sophistication of cyberattacks among employees and third-party contractors by organising regular and consistent cyber security training or tabletop simulations of cyberattacks.

While increased costs are inevitable, spending on cyber insurance in particular is worthwhile because it can lessen the impact of a cyber security breach or of non-compliance with the Act. From an insurance standpoint, regulatory cover within a cyber policy pays the legal defence and investigation expenses arising from regulatory inquiries or claims following cyber incidents or the mishandling of such incidents. Other insurable costs under a cyber policy include breach response costs, data investigation costs and regulatory investigation costs. Mandatory reporting of cyber incidents can also help insurers price risk more accurately and provide better protection.

Given the lack of standardised policy forms in the Asian cyber insurance market, policies vary in their coverage, and the breadth of coverage is often determined by small differences in wording. Organizations should therefore be aware of their specific risk exposure when evaluating cyber insurance.

With the widespread use of artificial intelligence, including its growing use by threat actors in cyberattacks, everyone in an organization must be aware of cyber threats and attacks. This is particularly important because most cyber security incidents are caused by human susceptibility, carelessness or accident.


Joanne Wong is a second-year student in HELP University’s Bachelor of Law programme.