In the middle of this year, on June 26, the Cyber Security Act 2024 (Act 854) was gazetted by the Attorney General's Office and came into effect on August 26, 2024. This Cyber Security Act includes the introduction of various new laws regarding the digital security of people's data and also infrastructure government data and securities.
This act contains various information and documents can be viewed through the NACSA website, but here we would like to show some details about this act that may be of interest to readers.
National Cyber Security Committee
Under this act, a National Cyber Security Committee will be developed and will be chaired by the Prime Minister and will consist of 10 other ministers and the Chief Secretary.
The function of this committee is to introduce plans, policies and strategies regarding national cyber security. It is also to give instructions to the Chief Executive of NACSA and also the heads of the national critical information infrastructure (NCII) in matters related to national cyber security issues.
For the Chief Executive of NACSA, which is currently held by Ir Dr. Megat Zuhairy Megat Tajuddin, his job is to advise, recommend and implement the best policies and strategies in how to handle national cyber security.
He is also responsible for collecting and evaluating information and data regarding the national critical information infrastructure, the government and so on, and if necessary, disseminating information about any issues that may occur and need to be known to the public.
The Chief Executive of NACSA will also develop a National Cyber Coordination and Command Center System to deal with issues such as cyber attacks on the national information infrastructure and cyber security incidents that are becoming more common in Malaysia.
The Chief Executive of NACSA can also employ security experts to develop a national cyber security policy to ensure the national critical information infrastructure remains secure, and introduce a code of conduct that enables the NCCCCS to operate as efficiently as possible.
All this is to ensure that all branches of the national critical information infrastructure (NCII) remain secure. To facilitate the understanding of NCII, it is a sector where a lot of public and government data revolves, and requires the highest cyber security care in Malaysia. It includes:
Government
Banking and finance
Transport, defense and national security
Information, communication and digital
Health services
Water, sewage and waste management
Energy
Agriculture and farming
Trade, industry and economy
Science, technology and innovation
Each NCII sector will be led by a government body or individual, and all NCII sectors will be led by the Digital Minister (Gobind Singh Deo for now) and each NCII sector will be directed to conduct an audit in terms of preparedness to deal with hacking and attack issues cyber from inside and outside the country.
Cyber Security Service Provider Licensing
For third-party cyber security service providers, these companies will now be required to apply for a Cyber Security Service Provider license starting August 26, 2024. This is now mandatory regardless of whether you provide the service as an individual or as a company.
Annual fees have been set for individuals as well as companies, at a price of RM400 and RM1000 for both security operations center monitoring services and penetration testing services. License renewals are also set at the same prices.
In the meantime, companies that provide cyber security services can also be fined up to RM500 thousand or imprisoned for up to 10 years if they commit a number of offenses such as operating without a license, not complying with the conditions of the operator's license, failing to update the cyber security services offered and also providing licenses to other individuals or companies without permission.
NCII companies that do not conduct annual audits and do not improve the company's cyber security can also be fined up to RM200 thousand or imprisoned for three years. They can also be fined RM500 thousand and the same imprisonment if any cyber security incidents such as hacking and cyber attacks are not disclosed as soon as possible.
If you are interested in knowing more about the Cyber Security Act 2024, you can read it through the website of the Attorney General's Office which shows in-depth details.