Subsidiary Legislation Pursuant to the Cyber Security Act 2024
Introduction
In light of the Minister appointing 26 August 2024 as the commencement date for the Cyber Security Act 2024, the following regulations outline the specific requirements related to some of the obligations imposed by the Act:
Key aspects of these regulations
Period for Cyber Security Risk Assessment and Audit Regulations
National Critical Information Infrastructure (“NCII”) entities are required to conduct a cybersecurity risk assessment at least once a year and perform an audit at least once every two years, or more frequently if directed by the Chief Executive.
Notification of Cyber Security Incident Regulations
An authorised person of the NCII entity must notify a cybersecurity incident immediately, and within 6 hours (“First Notification”). This notification should include the following details:
Particulars of the authorised person;
Details of the relevant NCII entity, the NCII sector, and the sector lead;
The type and description of the incident, its severity, the date and time it was discovered, and the method of discovery.
Additionally, this regulation requires the authorised person to provide supplementary information within 14 days after the First Notification (“Second Notification”), including:
Details of the NCII affected by the cybersecurity incident;
The estimated number of hosts affected;
Information about the cybersecurity threat actor;
Artifacts related to the incident;
Information on any incident related to, and the manner of its connection to, the cybersecurity incident;
Details of the tactics, techniques, and procedures used in the incident;
The impact of the incident on the NCII or any interconnected computer system; and
Actions taken in response.
Both the First and Second Notifications must be submitted through the National Cyber Coordination and Command Centre System or by other means as determined by the Chief Executive.
Licensing of Cyber Security Service Provider Regulations
These regulations apply to:
Managed security operation centre monitoring service;
Penetration testing service.
These regulations do not apply if:
The cybersecurity service is provided by a government entity or by a person, other than a company, to its related company; or
The computer or computer system in respect of which the cybersecurity service is provided is located outside of Malaysia.
The regulations also prescribe that applications for a licence (and renewals) must be submitted electronically to the Chief Executive, accompanied by the fees prescribed in the Schedule to the Licensing of Cyber Security Service Provider Regulations.
Compounding of Offences Regulations
The regulations prescribe six offences under the Cyber Security Act as compoundable offences, as listed in the First Schedule.
Conclusion
These regulations under the Cyber Security Act 2024 set essential guidelines for NCII entities and cybersecurity service providers. They outline the requirements for risk assessments, incident notifications, and service licensing, as well as the offences that are compoundable. Compliance with these regulations is crucial for protecting Malaysia’s critical infrastructure and strengthening the nation’s cybersecurity framework.