Overview
The Cyber Security Bill 2024 (“the Bill”) was passed by the Dewan Negara on 3 April 2024. The Bill aims to improve Malaysia’s cyber security by requiring national critical information infrastructure entities to comply with extensive measures, standards, and processes when it comes to cyber security threats and incidents.
In doing so, the Bill provides for the establishment of new cyber security bodies and offices, the appointment of national critical information infrastructure sector leads, the designation of national critical information infrastructure entities and the licensing of cyber security service providers.
This article summarises the key provisions of the recently passed Cyber Security Bill 2024.
Who does the Bill govern?
Both the Federal and State Governments are bound by the Bill, although they will not be subjected to prosecution for any offence under the Bill.
Additionally, the Bill applies to any person within or outside of Malaysia regardless of their nationality or citizenship. The Bill also grants jurisdiction over offences committed outside of Malaysia.
Governing Bodies
The Bill establishes the National Cyber Security Committee (“NCSC”). Besides that, it provides for the powers and duties of the Chief Executive of the National Cyber Security Agency (“Chief Executive”).
The NCSC shall be chaired by the Prime Minister. Its other members are the Ministers responsible for finance, home affairs, foreign affairs, defence, communications, and digital-related matters, the Chief Secretary to the Government, the Chief of the Defence Force, the Inspector General of Police, the Director General of National Security, and up to two cyber security experts.
The NCSC is tasked with cyber security policy-making. On top of that, it monitors the implementation of cyber security policies and this Bill, and serves as an advisor to the Federal Government on cyber security matters. The Chief Executive of the National Cyber Security Agency also receives directions from the NCSC. The NCSC is given wide-ranging powers, with the Bill providing it “all powers as may be necessary” to perform its functions.
In addition to the NCSC’s functions, the Bill sets out the Chief Executive’s duties, which include:
- advising the NCSC on cyber security policies and strategies;
- implementing policies, strategies, and directions given by the NCSC or Federal Government;
- gathering and coordinating cyber security data and information from the national critical information infrastructure sector leads and entities, as well as government entities or any other person;
- distributing the data and information gathered to national critical information infrastructure entities in the interest of national security;
- establishing and running the National Cyber Coordination and Command Centre System, which is used to deal with cyber security threats and incidents; and
- any other duties under this Bill or on the NCSC’s direction.
The Chief Executive’s powers
The Chief Executive may issue directives as he considers necessary to ensure compliance with the Bill.
Furthermore, the Chief Executive has the power to require information. He may require any person, public body, or corporation to provide information, particulars, documents, or evidence within a specified period of time and in a specific manner if he has reasonable grounds to believe that they possess such information relevant to his duties and powers.
If the person/public body/corporation is unable to provide what the Chief Executive requested, they should state to the best of their knowledge where it may be found. They should also identify the last person who had custody of the information/particulars/documents/evidence.
Failure to comply with the Chief Executive’s request is an offence, punishable with a fine of up to RM200,000 and/or imprisonment for up to three years. Likewise, failing to provide the last known details of the requested information, or providing false information, is punishable with a fine of up to RM200,000 and/or imprisonment for up to three years.
National Critical Information Infrastructure
National Critical Information Infrastructure (“NCII”) is defined as “a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively”.
On top of defining NCII, the Bill identifies “NCII Sectors” as follows:
(i) the government;
(ii) banking and finance;
(iii) transportation;
(iv) defence/national security;
(v) information, communication and digital;
(vi) healthcare;
(vii) water, sewerage and waste management;
(viii) energy;
(ix) agriculture and plantation;
(x) trade industry and economy; and
(xi) science, technology and innovation.
Each NCII Sector will be assigned an NCII Sector Lead by the Minister responsible for cyber security. The Sector Lead’s responsibilities include:
- designating any government entity or any person as an NCII Entity. An NCII Entity is any entity or person who owns or operates national critical information infrastructure;
- preparing a Code of Practice for NCII Entities. This Code of Practice shall include measures, standards, and processes to ensure the critical infrastructure’s cybersecurity;
- implementing the NCSC’s directives;
- preparing guidelines on the best practices of cyber security management; and
- preparing reports for the Chief Executive when there are cyber security threats/incidents.
Duties of NCII Entities
An NCII Entity has four main duties:
- duty to provide information;
- duty to adhere to the Code of Practice;
- duty to conduct risk assessments and audits; and
- duty to report incidents.
Pursuant to their duty to provide information, NCII Entities must comply with the Sector Lead’s requests for information relating to the NCII. As part of this duty, NCII Entities must notify the Sector Lead upon receiving any new national critical information infrastructure, or if there are material changes to the design, configuration, security or operation of an NCII. Failure to do so is an offence, punishable with a fine of up to RM100,000 and/or imprisonment for up to two years.
Secondly, NCII Entities have a duty to implement and adhere to the Code of Practice, in order to promote their infrastructure’s cyber security. However, NCII Entities may choose to implement alternative cyber security practices if they can prove to the Chief Executive that the alternative practices are as good as or better than those in the Code of Practice. Entities may also implement internationally recognised standards or frameworks instead. Either way, a failure to implement the Code of Practice is an offence, punishable with a fine of up to RM500,000 and/or imprisonment for up to ten years.
Thirdly, NCII Entities must periodically conduct cyber security risk assessments and audits. The Entities must submit the risk assessment and audit to the Chief Executive within 30 days of completing these reports. If the Chief Executive is not satisfied with these reports, he may order the Entities to rectify or re-evaluate their assessment and audit. As with the other duties, failure to comply with this duty is an offence.
Lastly, NCII Entities are required to notify the Chief Executive of cyber security incidents. When an NCII Entity becomes aware that an incident has occurred, or might have occurred, it must notify the Chief Executive within the prescribed time and in the prescribed manner. Entities who fail to do so are liable to a fine of up to RM500,000 and/or imprisonment for up to ten years.
Licences for Cyber Security Providers
The definition of a Cyber Security Service is not provided by the Bill and is to be determined by the Chief Executive. However, the Bill requires all providers or advertisers of cyber security services to possess a non-transferable, non-assignable licence. Providing or advertising cyber security services without a licence is an offence punishable with a fine of up to RM500,000 and/or imprisonment for up to ten years.
Under the Bill, applicants for a licence cannot have been convicted of an offence that was fraudulent, dishonest, or immoral. On top of that, the Chief Executive shall set out other prerequisite requirements for a licence. If the Chief Executive refuses a licence application, he must provide the reasons for refusal.
Licensees also have a duty to keep and maintain records. They must record particulars such as the name of the licence holder or of any person acting on his behalf, details of the services provided, and any other particulars the Chief Executive requires.
Cyber Security Incidents
Cyber security incidents are defined as “an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardises or adversely affects the cyber security of that computer or computer system or another computer or computer system”.
When the Chief Executive receives notice from an NCII Entity of an incident, he shall order an authorised officer to open an investigation into it. The investigation shall first determine whether the incident did in fact occur. If an incident has occurred, the authorised officer shall notify the Chief Executive, who in turn notifies the NCII Entity. The Chief Executive may also direct the NCII Entity to take steps to recover from the incident and prevent recurrences. Failure to comply with the Chief Executive’s directive is an offence, punishable with a fine of up to RM200,000 and/or three years’ imprisonment.
Enforcement powers
The enforcement of this Bill is largely conducted by authorised officers. Authorised officers are given authority cards by the Minister responsible for cyber security, and shall have all the powers of a policeman when conducting investigations under this Bill.
As such, authorised officers’ powers include:
- conducting searches and seizures with a Magistrate’s warrant, or without a warrant if obtaining a warrant would adversely affect the investigation;
- accessing computer data;
- freedom from liability for seizure-related damages;
- requiring the attendance of any person for investigation purposes; and
- requiring any person to produce documents or information for investigation purposes.
Besides that, disrupting the Chief Executive or an authorised officer’s investigation is an offence, punishable with a fine of up to RM100,000 or imprisonment for up to two years.
Conclusion
With the ever-increasing importance of protecting digital information, the Cyber Security Bill 2024 sets out a much-needed comprehensive framework for protecting the cyber security of national critical information infrastructure. The next step forward would be ensuring that the NCSC, the Chief Executive and the NCII Sector Leads diligently carry out the implementation of this Bill.