In our increasingly interconnected world, cyber security threats pose a significant risk to national security. Malicious actors, ranging from state-sponsored hackers to cybercriminal organizations and terrorists, exploit vulnerabilities in critical infrastructure, government systems, and military networks to disrupt essential services and steal sensitive information. These cyberattacks not only disrupt businesses, financial institutions, and supply chains but also directly impact economic stability at both the national and global levels. Therefore, in this article, our focus is on the Cyber Security Bill 2024. Rather than just providing a comprehensive summary, we aim to distill the essence into five key takeaways that every company and general counsel should be aware of.

1. The Objective and Current Status of the Cyber Security Bill 2024

The first takeaway revolves around grasping the core objectives and current status of the Cyber Security Bill 2024 (“Bill“). Essentially, the Bill is designed to establish a regulatory framework aimed at bolstering national cybersecurity. It introduces the notion of national critical information infrastructure, a concept we will delve into shortly, and also sets out provisions for licensing cyber security providers.

Notably, the Bill achieved a significant milestone when the upper house of Parliament (Dewan Negara) unanimously passed it after the third reading on 3 April 2024. Subsequently, upon receiving assent from the King (Yang di-Pertuan Agong), the law will come into effect upon publication in the Government Gazette. Given its potential impact, it is imperative for companies to proactively monitor these developments to ensure alignment with the forthcoming legislation, as failure to do so could expose companies to significant risks and liabilities.

2. Defining National Critical Information Infrastructure

The second significant takeaway in the Bill is the introduction of the concept of national critical information infrastructure (“NCII”). The Bill defines NCII as “computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defense, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.“

Notably, the Bill delineates 11 sectors encompassed within the NCII framework, which are as follows (“NCII Sectors”):

3. The Designation of NCII Sector Leads and NCII Entities

The third point emphasizes the appointment of sector leads by the Minister for each of the 11 NCII Sectors (“NCII Sector Leads”). These appointed sector leads’ names will be publicly disclosed on the official website of the National Cyber Security Agency (“NCSA”). Subsequently, the respective NCII Sector Leads will develop specific codes of practice for their respective sectors and designate entities that own or operate NCII as national critical information infrastructure entities (“NCII Entities”).

Although the Bill does not explicitly define what constitutes “owning or operating NCII” for designation as NCII Entities, however, a literal interpretation suggests that companies meeting certain criteria may fall under this NCII Entities designation. These criteria may include (i) companies with ownership, control or legal rights over NCII, including those with decision-making authority regarding the relevant NCII’s use, security protocols, data access, and terms of third-party usage; and (ii) companies involved in the day-to-day operation, management, maintenance, and security of NCII, including those with decision-making authority affecting the relevant NCII’s functionality, security, and integration with other networks.

Therefore, companies can conduct internal checks based on these criteria while awaiting official confirmation to avoid surprises upon designation as NCII Entities. By doing so, companies can better prepare internally and ensure readiness to comply with forthcoming legislation.

4. Regulatory Obligations of NCII Sector Leads and NCII Entities

The fourth point is of utmost importance, especially for companies within the NCII Sectors, as they may be designated as NCII Entities. Upon receiving this designation, NCII Entities are obligated to implement the measures, standards, and processes outlined in the code of practice as prepared by the NCII Sector Leads (“Code of Practice”).

However, it is conceivable that some NCII Entities may encounter challenges in strictly adhering to all specified measures within the Code of Practice due to various reasons. For instance, financial constraints could pose a significant hurdle for some NCII Entities as implementing these measures may demand substantial investments in advanced technological infrastructure, specialized software, or hardware upgrades. To address this challenge, the Bill allows NCII Entities to implement alternative measures, standards, and processes, subject to approval by the Chief Executive of the NCSA, provided they offer an equal or higher level of protection.

Given the flexibility within the regulatory framework to implement alternative measures instead of strictly complying with the Code of Practice, it is advisable for NCII Entities to collaborate with professional legal counsels well-versed in technology law to ensure that any proposed alternative measures undergo thorough scrutiny to meet the standards of applicable Codes of Practice. External legal professionals could also assist in presenting compelling arguments for the approval of alternative measures that not only satisfy the Chief Executive of the NCSA but also uphold the integrity and security of NCII operations.

Additionally, the Bill mandated NCII Entities to conduct cybersecurity risk assessments as per the Code of Practice and directives, along with performing audits to ensure compliance with the Cyber Security Act 2024.

It is crucial to highlight that in the event of a cybersecurity incident, the Bill also imposes a duty on the NCII Entities to notify both the Chief Executive of the NCSA and the respective NCII Sector Lead(s) (“Cyber Security Incident Notification”).

Such Cyber Security Incident Notification in the event of a cybersecurity incident is paramount for effective cyber security incident response. However, if the NCII Sector Lead(s) happens to be a competitor of the NCII Entities, significant legal concerns may potentially emerge as sharing sensitive information with a competitor may raise apprehensions regarding data security, trust, and cooperation within the NCII Sector, potentially hindering timely and collaborative responses to incidents. It is notable that the Bill currently does not have explicit provisions addressing this issue; however, we trust that additional measures should be put in place by the NCII Sector Lead(s) and the Chief Executive of the NCSA to address this potential concern.

Considering the sensitive nature of such Cyber Security Incident Notification, where it may potentially involve the exposure and disclosure of proprietary or confidential information of NCII Entities to NCII Sector Leads, it is, therefore, advisable to engage lawyers to facilitate Cyber Security Incident Notification processes, ensuring that appropriate notifications are made while safeguarding sensitive, proprietary, and confidential information of the NCII Entities. External lawyers can also play a vital role in overseeing the notification process, providing legal guidance on compliance with regulatory requirements and contractual obligations, and ensuring that the interests of the NCII Entities are protected.

5. Licensing Regime for Cyber Security Service Providers

The fifth key takeaway in the Bill pertains to the licensing requirement for companies providing cyber security services. According to the Bill, no company shall offer any cyber security service or advertise itself as a cyber security service provider unless it holds a valid license to provide such services.

The definition and scope of cyber security services will be determined by the Minister, and this licensing requirement will definitely have a significant impact on companies operating in the cyber security sector. It also remains to be seen whether additional licensing terms will be imposed on cyber security service providers through the licensing regime.

It is crucial to underscore the profound impact that this new licensing requirement will have on all cyber security service providers, as any company providing cyber security services without a proper license is subject to severe penalties. Upon conviction, such a company may face a fine not exceeding RM500,000, imprisonment for a term not exceeding ten years, or both. This emphasizes the gravity with which the government views the regulation of cyber security services and highlights the importance of adhering to licensing requirements.

Conclusion

In conclusion, the Bill stands as a pivotal milestone in Malaysia’s journey towards bolstering national cyber security. Its implications reverberate not only across critical infrastructure sectors but also through the intricate fabric of businesses operating within the cyber security landscape. As the regulatory landscape evolves, it becomes increasingly imperative for companies to navigate these complexities with precision and foresight. The above five points highlight critical aspects of the Bill that companies should prioritize and understand thoroughly. Given the complex and evolving nature of cyber security, it is imperative that companies collaborate closely with legal professionals who possess a deep understanding of technology law.

With our unwavering commitment to excellence and a deep understanding of both legal intricacies and technological nuances, our team of seasoned legal professionals stands ready to guide your organization through the nuances of the Cyber Security Bill 2024. Let us empower your organization to thrive amidst evolving cyber security challenges, ensuring compliance while fortifying your resilience against emerging threats.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual
Property, Corporate/M&A, Projects and Infrastructure,
Privacy and Cybersecurity
[email protected].

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology,
Media & Telecommunications, Intellectual Property,
Fintech, Privacy and Cybersecurity
[email protected]