The Cyber Security Act 2024 (“Act”), which received royal assent on 18 June 2024, and was subsequently gazetted on 26 June 2024 has, along with its subsidiary regulations, come into force on 26 August 2024.
The four subsidiary regulations under the Act (collectively, “Cyber Regulations”) are:
- the Cyber Security (Compounding of Offences) Regulations 2024;
- the Cyber Security (Notification on Cyber Security Incident) Regulations 2024 (“Incident Notification Regulations”);
- the Cyber Security (Risk Assessment and Audit) Regulations 2024 (“Risk Assessment Regulations”);and
- the Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024.
This legal alert will focus on the Incident Notification Regulations and the Risk Assessment Regulations.
Incident Notification Regulations
1. What are the obligations in the event of an actual or suspected cyber security incident?
A national critical information infrastructure (“NCII”) is subject to a threefold obligation in the event of an actual or suspected cyber security incident: an immediate notification (“Immediate notification”), followed by an initial submission of prescribed information (“Initial Submission”), and, lastly, a submission of supplemental information (“Supplemental Submission”). In addition, further updates on the cyber security incident as the Chief Executive of the National Cyber Security Agency (“Chief Executive”) may require must be provided from time to time.
2. Who should make the required notifications, submissions and updates?
The authorised person of the NCII.
3. When does the obligation arise?
When the actual or suspected cyber security incident comes to the knowledge of the NCII entity (“Trigger Event”).
4. How quickly?
- Immediate Notification: Immediately upon the Trigger Event.
- Initial Submission: Within 6 hours from the Trigger Event.
- Supplemental Submission: Within 14 days from the Immediate Notification.
5. How should the notification or submission be made?
- Immediate Notification: By electronic means.
- Initial Submission: Through the National Cyber Coordination and Command Centre System or, in the event of disruption, by communication as maybe determined by the Chief Executive.
- Supplemental Submission: As per “Initial Submission” above.
6. What information needs to be submitted?
– Immediate Notification: No prescribed particulars under the Incident Notification Regulations.
– Initial Submission
(a) Particulars of the authorised person;
(b) Particulars of the NCII entity concerned, the NCII sector and the NCII sector lead to which it relates; and
(c) Information on the cybersecurity incident including: the type and description of the cyber security incident, its severity, the date and time of occurrence, and the method of discovery of such incident.
– Supplemental Submission: To the fullest extent practicable, the following:
(a) Particulars of the NCII affected by the cyber security incident;
(b) Estimated number of hosts affected;
(c) Particulars of the cybersecurity threat actor;
(d) Artifacts related to the cyber security incident;
(e) Information on any incident relating to, and the manner in which such incident relates to, the cybersecurity incident;
(f) Particulars of the tactics, techniques and procedures of the cyber security incident;
(g) Impact of the cyber security incident on the NCII or any computer or interconnected computer system; and
(h) Action taken.
Risk Assessment Regulations
1. What are the obligations under the Risk Assessment Regulations?
- Requirement to conduct a cyber security risk assessment; and
- Requirement to carry out a cybersecurity audit,
(collectively, “Obligations”).
2. Who is subject to the Obligations?
NCII entity that owns or operates an NCII.
3. How often?
- Risk assessment: Atleast once a year.
- Audit: Atleast once in every two years or at such higher frequency as may be directed by the Chief Executive.
What’s Next?
The coming into force of the Act and the Cyber Regulations is both timely and commendable in the digital age today where data breaches and cyber security incidents frequently make headlines with serious consequences. As technology continues to evolve, it is imperative that our laws and regulations adapt accordingly, ensuring that they effectively address emerging threats and maintain robust security measures. Ultimately, a proactive and adaptive regulatory framework will be crucial in defending against cyber threats and securing Malaysia’s digital future.
The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.
