Cyber threats have become a significant concern for businesses across industries as organisations increasingly rely on digital systems and interconnected technologies. Incidents such as ransomware attacks, data breaches, and system intrusions can disrupt operations, compromise sensitive information, and expose businesses to regulatory and legal consequences.
In Malaysia, organisations facing cyber risks must comply with legal obligations relating to data protection, cybersecurity governance, and incident response. As cyber incidents grow in scale and complexity, businesses are increasingly seeking guidance from cybersecurity lawyers to navigate legal risks and ensure regulatory compliance.
This article explores the role of cybersecurity lawyers in supporting organisations to manage cyber threats, strengthen data security practices, and address legal obligations arising from cyber incidents in Malaysia.
The Growing Cyber Risk Landscape
Increasing Cyber Threats to Businesses
Cyber threats have evolved rapidly in recent years, affecting organisations of all sizes. Attackers increasingly target businesses through sophisticated techniques such as:
- phishing and social engineering attacks;
- ransomware attacks;
- malware infections; and
- distributed denial-of-service (DDoS) attacks.
These cyber risks can lead to operational disruption, financial loss, reputational damage, and potential legal liability.
For organisations operating in Malaysia, cyber incidents may also trigger regulatory obligations relating to data protection and cybersecurity.
Legal and Regulatory Environment in Malaysia
Malaysia’s legal framework addressing cyber risks consists of several key statutes and regulatory requirements.
Personal Data Protection Act 2010 (PDPA)
The Personal Data Protection Act 2010 governs the processing of personal data in commercial transactions. Businesses that process personal data must implement appropriate security measures to protect such information from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
A data breach involving personal data may therefore expose organisations to regulatory risks and potential criminal liability.
Cyber Security Act 2024
The Cyber Security Act 2024 governs, among other things, the duties of national critical information infrastructure entities and the management of cyber security threats and cyber security incidents affecting national critical information infrastructures.
Organisations designated as national critical information infrastructure entities are required to comply with the Cyber Security Act 2024.
Computer Crimes Act 1997
The Computer Crimes Act 1997 criminalises unauthorised access to computer systems and the misuse of computer networks.
This legislation plays a key role in Malaysia’s legal framework relating to cyberattacks.
Cybersecurity Compliance Obligations
Implementing Adequate Data Security Measures
Organisations that handle sensitive or personal information must establish appropriate data security safeguards as required by the relevant laws.
Failure to implement reasonable safeguards may expose businesses to legal liability.
Governance and Risk Management
Cybersecurity is increasingly viewed as a corporate governance issue rather than merely a technical matter.
Boards and senior management are expected to ensure that organisations maintain appropriate systems to manage cyber risks.
This typically involves:
- establishing cybersecurity governance frameworks;
- conducting regular risk assessments;
- implementing incident response plans; and
- ensuring compliance with applicable regulatory requirements.
Legal advisors often play an important role in helping organisations align cybersecurity governance with regulatory expectations.
Cyber Incident Response and Legal Support
Managing Cyber Incident Response
When a cyber incident occurs, organisations must respond quickly to mitigate operational disruption and legal exposure.
A structured cyber incident response plan should therefore address not only operational issues, but also legal, regulatory, communications, governance and evidential considerations.
Organisations may therefore seek the assistance of cybersecurity lawyers in preparing the organisation’s cyber incident response plan and in coordinating the legal and regulatory aspects of incident response when an actual cyber incident occurs.
Data Breach Notification Obligations
A cyber incident often results in a data breach. In many jurisdictions, businesses must notify regulators and affected individuals when a data breach occurs.
Organisations may therefore need legal guidance on:
- whether data breach notification obligations arise;
- communicating with the relevant regulators (such as the Personal Data Protection Commissioner); and
- managing legal exposure arising from the data breach.
Ransomware and Cyber Extortion Risks
The Rise of Ransomware Attacks
Ransomware attacks have become one of the most serious cyber threats confronting businesses today. In a ransomware incident, attackers encrypt the data on an organisation’s systems and demand payment in exchange for restoring access to systems and data. Many ransomware operators also exfiltrate data before encrypting it and threaten to publish it, so a ransomware incident is frequently a data breach as well.
Such attacks can severely disrupt business operations and compromise critical systems.
Businesses affected by ransomware may need to consider several legal issues, including:
- whether ransom payments are legally permissible;
- regulatory reporting obligations;
- potential exposure under anti-money laundering laws; and
- liability arising from compromised personal data.
Given the complexity of ransomware incidents, early legal involvement is often essential.
Managing Cybersecurity Risk Through Legal Strategy
Contractual Risk Management
Cybersecurity risks may arise through relationships with third-party vendors and technology providers.
Businesses relying on cloud services, software providers, or external IT vendors should ensure that contracts address cybersecurity issues such as:
- data protection and security obligations;
- incident response responsibilities; and
- liability allocation for cyber incidents.
Legal advisors can assist organisations in drafting contractual protections that mitigate cybersecurity risks.
Compliance Monitoring and Legal Audits
To strengthen cybersecurity compliance, organisations should conduct periodic legal and regulatory reviews of their cybersecurity frameworks.
Such reviews may involve:
- evaluating internal cybersecurity policies;
- reviewing data protection practices;
- assessing incident response preparedness; and
- identifying gaps in compliance with applicable laws.
Legal audits can help organisations proactively address cyber risks before incidents occur.
The Role of Cybersecurity Lawyers in Business Risk Management
As cyber threats continue to evolve, businesses increasingly rely on specialised legal expertise to manage cyber risks.
A cybersecurity lawyer can provide advisory support across multiple areas, including:
Cybersecurity Compliance
Advising businesses on regulatory requirements relating to data security, privacy laws, and cybersecurity governance.
Incident Response Coordination
Providing legal guidance during cyber incidents to manage regulatory obligations and mitigate liability exposure.
Data Breach and Cyberattack Investigations
Assisting organisations in the investigations arising from data breaches or cyberattacks.
Cyber Risk Governance
Supporting businesses in developing governance frameworks and policies to manage cybersecurity risks effectively.
Through these services, cybersecurity lawyers help organisations integrate legal risk management into broader cybersecurity strategies.
Conclusion
Cyber threats have become a persistent risk for organisations operating in today’s digital environment. Businesses in Malaysia must address cyber risks not only from a technical perspective but also through effective legal and regulatory compliance.
Cybersecurity compliance involves managing data protection obligations, implementing robust security safeguards, and responding effectively to cyber incidents such as ransomware attacks and data breaches.
Engaging experienced cybersecurity counsel can assist organisations in strengthening cybersecurity governance, and managing the legal implications of cyber incidents.
With appropriate legal guidance, businesses can better protect their operations, safeguard sensitive information, and respond effectively to the evolving cyber threat landscape.