September 18, 2024
Subsidiary Legislation Pursuant to the Cyber Security Act 2024

Introduction

In light of the Minister appointing 26 August 2024 as the commencement date for the Cyber Security Act 2024, the following regulations outline the specific requirements related to some of the obligations imposed by the Act:

  1. Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 [P.U.(A) 219/2024] (“Period for Cyber Security Risk Assessment and Audit Regulations”);
  2. Cyber Security (Notification of Cyber Security Incident) Regulations 2024 [P.U.(A) 220/2024] (“Notification of Cyber Security Incident Regulations”);
  3. Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 [P.U.(A) 221/2024] (“Licensing of Cyber Security Service Provider Regulations”); and
  4. Cyber Security (Compounding of Offences) Regulations 2024 [P.U.(A) 222/2024] (“Compounding of Offences Regulations”).

Key aspects of these regulations

Period for Cyber Security Risk Assessment and Audit Regulations

National Critical Information Infrastructure (“NCII”) entities are required to conduct a cybersecurity risk assessment at least once a year and a cybersecurity audit at least once every two years, or more frequently if directed by the Chief Executive.

Notification of Cyber Security Incident Regulations

An authorised person of the NCII entity must notify a cybersecurity incident immediately, and in any event within 6 hours (“First Notification”). The First Notification must include the following details:

  1. Particulars of the authorised person;
  2. Details of the relevant NCII entity, the NCII sector, and the sector lead; and
  3. The type and description of the incident, its severity, the date and time it was discovered, and the method of discovery.

Additionally, the regulations require the authorised person to provide supplementary information within 14 days after the First Notification (“Second Notification”), including:

  1. Details of the NCII affected by the cybersecurity incident;
  2. The estimated number of hosts affected;
  3. Information about the cybersecurity threat actor;
  4. Artifacts related to the incident;
  5. Information on any incident related to, and the manner of its connection to, the cybersecurity incident;
  6. Details of the tactics, techniques, and procedures used in the incident;
  7. The impact of the incident on the NCII or any interconnected computer system; and
  8. Actions taken in response.

Both the First and Second Notifications must be submitted through the National Cyber Coordination and Command Centre System or by other means as determined by the Chief Executive.

Licensing of Cyber Security Service Provider Regulations

These regulations apply to the following cybersecurity services:

  1. Managed security operations centre monitoring service; and
  2. Penetration testing service.

These regulations do not apply if:

  1. The cybersecurity service is provided by a government entity or by a person, other than a company, to its related company; or
  2. The computer or computer system in respect of which the cybersecurity service is provided is located outside Malaysia.

The regulations also prescribe that applications for a licence (and renewals) must be submitted electronically to the Chief Executive, accompanied by the fees prescribed in the Schedule to the Licensing of Cyber Security Service Provider Regulations.

Compounding of Offences Regulations

The regulations prescribe six offences under the Cyber Security Act as compoundable offences, as listed in the First Schedule.

Conclusion

These regulations under the Cyber Security Act 2024 set essential guidelines for NCII entities and cybersecurity service providers. They outline the requirements for risk assessments, incident notifications, and service licensing, as well as the offences that are compoundable. Compliance with these regulations is crucial for protecting Malaysia’s critical infrastructure and strengthening the nation’s cybersecurity framework.

© (2023) LAW PARTNERSHIP. All Rights Reserved