The Malaysia Cyber Security Act 2024: A New Era in Cyber Security
As the digital landscape continues to evolve, so too does the need for robust cyber security measures. Malaysia has taken a significant step forward with the enactment of the Cyber Security Act 2024 (CSA), which came into force on August 26, 2024. This legislation marks a pivotal moment in the country’s approach to safeguarding its critical information infrastructure. In this article, we will explore the key developments following the implementation of the CSA, including the announcement of National Critical Information Infrastructure Sector Leads, the launch of the Cyber Security Service Providers (CSSP) licensing portal, and the obligations placed on designated National Critical Information Infrastructure Entities (NCII Entities).
NCII Sector Leads Announced
On September 11, 2024, the National Cyber Security Agency (NACSA) unveiled the full list of NCII Sector Leads appointed by the Prime Minister under Section 15 of the CSA. This announcement is crucial as it designates specific individuals responsible for overseeing the cyber security measures within the 11 identified NCII sectors. The appointment of these leads is a strategic move to ensure that each sector has dedicated oversight, facilitating a more coordinated and effective response to cyber threats. For those interested, the complete list of NCII Sector Leads can be accessed here.
CSSP License Application Begins
The CSA also introduced a licensing requirement for Cyber Security Service Providers (CSSPs). As of October 1, 2024, the licensing application process has officially commenced through the newly launched licensing portal, which can be found here. This portal will remain open for applications until December 31, 2024, providing a grace period for CSSPs to secure their licenses. It is important to note that any individual or entity that offers or advertises cyber security services must obtain a license to operate legally under the CSA. This regulatory framework aims to enhance the professionalism and accountability of cyber security service providers in Malaysia.
Obligations of NCII Entities: National Cyber Security Baseline Self-Assessment
Following the designation of NCII Entities, NACSA issued Directive No. 4/2024 on the National Cyber Security Baseline (NCSB), which came into effect on October 1, 2024. This directive mandates that all designated NCII Entities complete the National Cyber Security Baseline Self-Assessment (NCSB Self-Assessment) within 14 days of their designation. The NCSB serves as a comprehensive framework outlining minimum cyber security controls and best practices that NCII Entities must implement to ensure a fundamental level of protection against cyber threats.
The NCSB is structured around six key domains, which encompass 15 essential cyber security categories and further break down into 33 specific elements. This layered approach enables NCII Entities to manage their cyber security efforts systematically, ultimately aiming to protect national critical information infrastructure from a wide array of cyber security threats. Upon completion, the NCSB Self-Assessment must be submitted via email to the Chief Executive of NACSA and to the respective NCII Sector Leads.
Cyber Security Risk Assessments: Scope, Process, and Reporting
Under Section 22(1) of the CSA, NCII Entities are required to conduct annual cyber security risk assessments on the national critical information infrastructure they own or operate. To clarify the scope and processes involved, NACSA issued Directive No. 5/2024 on Cyber Security Risk Assessment, which takes effect on October 10, 2024. This directive outlines the necessary steps for NCII Entities to follow when assessing cyber security risks for their Annual Risk Reports.
The assessment process involves several critical steps:
- Identification of Cyber Security Risks: NCII Entities must identify potential cyber security risks, which includes conducting an inventory of all assets connected to their infrastructure and assessing vulnerabilities that could be exploited by cyber threats.
- Analysis of Risks: Once risks are identified, NCII Entities must analyze the probability and potential impact of each risk on their operations.
- Action Planning: For each identified risk, NCII Entities must assess and identify appropriate actions to mitigate or manage the risk effectively.
The outcomes of these assessments must be documented in the Annual Risk Reports and submitted to the Chief Executive of NACSA and the relevant NCII Sector Leads.
Conclusion
The implementation of the Cyber Security Act 2024 represents a significant advancement in Malaysia’s commitment to enhancing its cyber security framework. With the establishment of NCII Sector Leads, the initiation of the CSSP licensing process, and the introduction of mandatory self-assessments and risk assessments for NCII Entities, Malaysia is poised to strengthen its defenses against the growing threat of cyber attacks. As organizations adapt to these new regulations, the emphasis on structured and proactive cyber security measures will be crucial in safeguarding the nation’s critical information infrastructure.
For further details and updates on the CSA and its implications, stakeholders are encouraged to stay informed through NACSA and relevant legal advisories.