LGMS, Marcus Tan & Co Unveil Key Details of Malaysia’s Cyber Security Bill 2024

Earlier this month, the Dewan Negara passed the Cyber Security Bill 2024 after the third reading by Digital Minister Gobind Singh Deo.

The legislation, aimed at bolstering national cyber defenses, mandates adherence to specific standards and processes for combating cyber threats. During the bill’s debate, Minister Deo highlighted its critical role in protecting sectors like government, banking, transportation, and healthcare from cyber attacks that could significantly disrupt the country.

He also said that that the bill promotes a risk-based approach to future technologies, including blockchain, despite its vulnerabilities.

In this light, LGMS Executive Chairman Fong Choong Fook (left in pic) together with Managing Partner of Marcus Tan & Co Marcus Tan Kian Han hosted a session to detail insights for this new legislation. Here they are in point format:

• The bill impacts both individuals and businesses by mandating compliance with cybersecurity standards. It is noted that many cybersecurity incidents in Malaysia go unreported due to the lack of disclosure requirements, which the bill seeks to change.
• It will impact individuals and businesses, especially those within the Critical National Information Infrastructure (CNII). How to determine which entity is CNII? The chief executive will have the power to appoint CNII lead. The sector lead will further define which will fall and outside the CNII scope. It is heavily mentioned in the bill that the chief executive has immense power in this.
• The bill emphasizes the roles of the security committee and chief executive. It mandates the management of cybersecurity threats and incidents. Businesses within CNII must prepare for and respond to cybersecurity incidents.
• The bill was fast-tracked through the legislative process, indicating the government’s prioritization of cybersecurity. It was passed by the Dewan Rakyat/Negara and awaits royal assent, which is a formality as the bill will become law after 30 days regardless of the assent.
• Concerns are raised about the broad powers granted to the chief executive, including the ability to conduct enforcement actions without a warrant and the potential implications for privacy and legal rights. For example, if there is any action taken – the chief executive and committee can appoint any authorized officer to conduct the investigation, regardless of the rank. It refer to police office. It can be any police officer. This is not common because in other laws, normally when we say authorized officer – we refer to inspector and above. May have to amend this part
• The bill refers to chief executive of cybersecurity agency. But we are unsure of who the chief is yet.
• Directors may face personal liability for company offenses.
• Cybersecurity risk assessments and audits are mandated, with significant fines and jail terms for non-compliance.
• The bill is expected to create opportunities for cybersecurity service providers and stimulate sector growth due to increased demand for cybersecurity measures.
• The bill is anticipated to boost the cyber insurance market as businesses seek coverage for potential cybersecurity incidents.
• The bill introduces licensing requirements for individuals providing cybersecurity services, with further details to be prescribed by the minister. Most cybersecurity services are provided by companies (non-individuals), will be interesting to see how it will apply to a corporate.
• All kind of cyber security services that comes under the framework, the details are to be prescribed by the ministry. It is not out yet.
• National Cyber Security Agency (NACSA) – The bill references NACSA but does not define it, leading to questions about its role and the chief executive’s appointment.
• The bill’s impact on small businesses and their role in the supply chain for CNII sectors is unclear, necessitating further clarification. For example – if i am a supplier to a hospital where i supply computing services, do I fall under CNII under healthcare? Will upstream fall under CNII too? This is a question that needs to be answered. Nevertheless, if one is not CNII, the expert speaker believes indirect requirements may apply too i.e. CNII entities may require similar compliance from their suppliers and partners. Given that when there is a supply chain attack – the hacker will not attack the companies directly but go for upstream and downstream. FOr example, it’s tough to hack a bank, and hackers will hack the software and hardware supplier. SolarWinds attack is an example of supply chain attack
• The bill is seen as an enhancement of the PDPA (Personal Data Protection Act), aiming to protect personal data and hold entities accountable for cybersecurity breaches.
• Companies need to adhere to new regulations to strengthen their cybersecurity measures. Example – for healthcare, there is no clear framework previously on how patient data should be regulated. But with this bill, healthcare will fall under the sector affected too. Some companies suffer cyberattack that lead to data leak. Our data is available in the dark web. With this law in action, organization will now be more careful.
• Legalize the enhancement personal data protection. For example – 1) enhance security for online transaction and personal information stored by service providers. 2) Increased accountability for service providers 3) Right to be informed – individual will be informed in case of data breach and advised on protective measures
• The bill is expected to indirectly affect the quality and demand for cybersecurity education and training due to heightened compliance standards.
• The bill’s operation in the context of cyber warfare is not explicitly defined, leaving its applicability in such situations open to interpretation.
• Extra-territorial Application: The bill has extra-territorial application, meaning it applies to offenses committed outside Malaysia that affect Malaysian entities. This is crucial for dealing with cybercrimes originating from abroad.
• Impact on Foreign Entities Operating in Malaysia: The bill applies to foreign entities operating in Malaysia, ensuring that they comply with the same cybersecurity standards as local entities. This includes Malaysian entities operating overseas, highlighting the bill’s broad scope.
• Legal Support and Contradictions with Existing Legislation: There are potential contradictions between the cybersecurity bill and existing legislation like the PDPA and the Communications and Multimedia Act. The bill’s broad scope may overlap with these existing laws, raising questions about enforcement and compliance.
• Chief Executive’s Immunity: The chief executive appointed under the bill is not explicitly stated to be immune from prosecution, suggesting that they could be held accountable under certain circumstances.
• Licensing Requirements: The bill introduces licensing requirements for individuals providing cybersecurity services, with further details to be prescribed by the minister. This raises questions about the scope of cybersecurity services and the impact on companies providing these services.
• Cybersecurity Education and Training: The bill indirectly affects the demand for cybersecurity education and training due to heightened compliance standards
• Business Implications: Directors may face personal liability for company offenses under the bill, emphasizing the need for cybersecurity risk assessments and audits.
• The bill is expected to create opportunities for cybersecurity service providers and stimulate sector growth due to increased demand for cybersecurity measures.

All in all, the Cyber Security Bill 2024 represents a significant stride forward in Malaysia’s commitment to safeguarding its digital landscape.

With an emphasis on compliance, risk assessment, and the protection of critical sectors, the bill promises to reshape the cybersecurity framework across both public and private entities. As it moves towards becoming law, the bill not only addresses immediate security needs but also prepares Malaysia for emerging technological challenges.

Businesses and individuals alike will need to adapt to these new regulations, which are expected to enhance overall national security and stimulate growth within the cybersecurity industry. As implementation unfolds, continued dialogue and refinement may be necessary to balance security measures with privacy and legal rights, ensuring that Malaysia remains both secure and innovative in the face of global cyber threats.