Cybersecurity Bill Passed

On 27 March 2024, the Dewan Rakyat (i.e., the House of Representatives) passed the Cybersecurity Bill 2024 (“Bill”), which is aimed at enhancing and safeguarding Malaysia’s cybersecurity landscape through the introduction of provisions which, among others, require entities in National Critical Information Infrastructure (“NCII”) sectors to comply with specific standards and measures, as well as processes when handling cybersecurity incidents.
 
The Bill provides for, among others, the following:
 
Establishment of the National Cyber Security Committee
The Bill establishes the National Cyber Security Committee (the “Committee”) which has a number of functions, including, among others, to plan and decide on, and to monitor the implementation of, policies relating to national cybersecurity, to advise the Federal Government on national cybersecurity policies, and to give directions to the Chief Executive of the National Cyber Security Agency (the “Chief Executive”) and NCII sector leads on matters relating to national cybersecurity.
 
Duties of the Chief Executive
Pursuant to the Bill, the Chief Executive has duties to, among others, implement the policies, strategies, and strategic measures made and directions given by the Committee or the Federal Government on national cybersecurity matters, and coordinate and monitor the implementation of policies, strategies, and strategic measures by NCII sector leads, NCII entities, and government entities. The Chief Executive is also granted a number of statutory powers to enforce and regulate cybersecurity matters, including specific powers of enforcement and the power to order investigations of cybersecurity incidents in NCII entities.
 
Regulatory Framework for NCII Sector
The Bill introduces a regulatory framework for the NCII sector and provides for the appointment of NCII sector leads by the Minister responsible for cybersecurity (“Minister”). NCII sector leads are empowered to, among others, designate any entity which owns or operates any NCII as a designated NCII entity, and prepare codes of practice.
 
Designated NCII entities are subject to a number of obligations including, among others, to:
  • provide information to the relevant NCII sector lead when requested;
  • comply with any relevant codes of practice issued by NCII sector leads;
  • conduct cybersecurity risk assessments and audits; and
  • notify the relevant NCII sector lead and the Chief Executive when it becomes aware of a cybersecurity incident.
 The eleven NCII sectors set out in the Bill are as follows:
  • Government
  • Banking and finance
  • Transportation
  • Defence and national security
  • Information, communications and digital
  • Healthcare services
  • Water, sewage and waste management
  • Energy
  • Agriculture and plantation
  • Trade, industry and economy
  • Science, technology and innovation 
Licensing Regime for Cybersecurity Service Providers
The Bill also introduces a new licensing regime for providers of prescribed cybersecurity services, but the specific scope of cybersecurity services subject to the licensing regime has yet to be prescribed by the Minister.
 
Extra-territorial Application
The Bill is also stated to have extra-territorial effect and applies to any person, whatever their nationality or citizenship, outside and within Malaysia, and where an offence under the Bill is committed outside of Malaysia, it may be dealt with as if the offence was committed within Malaysia. In particular, the Bill is stated to apply if, for the offence in question, the NCII is wholly or partly in Malaysia.
 
Comments
As the Bill has only passed the Dewan Rakyat, it must still be read and debated in the Dewan Negara (i.e., the Senate) and may therefore still be subject to amendments. Nonetheless, interested parties, in particular those in any of the NCII sectors, should take heed of the Bill as it may introduce a host of cybersecurity-related obligations and requirements along with potentially hefty fines for non-compliances with the same. In particular, the obligation on designated NCII entities to notify the authorities upon the occurrence of a cybersecurity incident is particularly relevant given the ever-increasing number of cyberattacks in today’s increasingly digital world. Once the Bill passes into law, designated NCII entities must also ensure they keep abreast of any codes of practice issued by the relevant NCII sector lead and ensure compliance with the same to avoid hefty fines.
 
Providers of cybersecurity services are also advised to take note of the potential introduction of a licensing regime and to watch for updates on the specific cybersecurity services which will be prescribed by the Minster as being subject to the licensing regime.
 
 
Alert by Charmayne Ong (Partner), Jillian Chia (Partner), Natalie Lim (Partner), Beatrice Yew (Associate) and Cheam Tat Sean (Associate) of the Technology, Media, and Telecommunications Practice of Skrine.

 
This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.