Malaysia's New Cyber Security Act 2024 – A Summary and Brief Comparative Analysis
Malaysia's Cyber Security Act 2024 ("CSA") came into effect on 26 August 2024, establishing regulatory standards for the nation's cyber defences and marking a significant step forward in its resilience against cyber threats. The CSA not only provides a legislative framework for the protection of national critical information infrastructure ("NCII") but also introduces provisions for the management of cyber security threats and incidents and for the regulation of cyber security service providers. Additionally, the CSA establishes the National Cyber Security Committee and provides for the National Cyber Security Agency ("NACSA"), headed by its Chief Executive, to implement and enforce its provisions.
In this Legal Update, we provide key takeaways from the CSA while taking a broader look at the approaches adopted by other jurisdictions in the Asia Pacific region.
A Summary of the CSA
Businesses operating or looking to operate in Malaysia, especially businesses in the telecommunications, technology, or other infrastructure sectors, should be aware of the key features of the CSA.
The CSA has extra-territorial application, to the extent that it imposes requirements in respect of any NCII that "is wholly or partly in Malaysia".1 NCII entities may only be designated as such by an NCII sector lead or the Chief Executive of the NACSA ("Chief Executive"),2 and registers are kept and maintained in respect of these NCII entities.3 In practice, this means a business will know with certainty whether it has been designated as an NCII entity and is therefore subject to the corresponding obligations under the CSA.
Once a business is designated as an NCII entity, it will be required to: (i) implement sector-specific codes of practice established pursuant to the CSA;4 (ii) conduct cyber security risk assessments and audits;5 and (iii) notify the Chief Executive of the occurrence of cyber security incidents.6 Failure to comply with any of these requirements is an offence punishable by a fine, imprisonment, or both.7
The CSA establishes a licensing regime for individuals and entities providing prescribed cyber security services, or holding themselves out as providers of such services.8 There are currently two categories of prescribed cyber security services: (i) managed security operation centre monitoring services; and (ii) penetration testing services.9 To obtain a licence, an application must be made to the Chief Executive. The applicant must satisfy such prerequisites as the Chief Executive may determine and must not have been convicted of an offence involving fraud, dishonesty or moral turpitude.10 Aside from paying the prescribed fee, the applicant must submit supporting documents (including identification documents and a Statement of Qualification and Experience Form) and such other information, particulars or documents as the Chief Executive may determine.11 The Chief Executive may then approve the application, subject to such conditions as he thinks fit to impose (which he may subsequently vary or revoke),12 or refuse the application, stating the grounds for refusal.13 Where the licensing regime applies, providing the service without a licence is an offence.14
Other matters regarding licensing addressed by the CSA include:
- The renewal of the licence, which: (i) must be applied for at least thirty days before the date of expiration of the licence (an application made later is treated as an application for a new licence);15 and (ii) is done by application to the Chief Executive, accompanied by payment of the prescribed fee and such information, particulars or documents as the Chief Executive may determine.16
- The revocation or suspension of the licence, which may be done by the Chief Executive on prescribed grounds, namely where: (i) the licensee has failed to comply with any conditions of the licence; (ii) the licence has been obtained by fraud or misrepresentation; (iii) the licence was granted by the Chief Executive while he was unaware of a circumstance which would have caused him to refuse to issue or renew the licence; (iv) the licensee has ceased to carry on the licensed business; (v) the licensee has been adjudged bankrupt, gone into liquidation or is being wound up; (vi) the licensee has been convicted of an offence under the CSA or an offence involving fraud, dishonesty or moral turpitude; or (vii) the revocation or suspension is in the interest of public or national security.17
- The transfer or assignment of the licence, which is an offence18 unless the transfer has been approved by the Chief Executive on an application in writing, the Chief Executive being satisfied that the transferee has the necessary financial and technical resources to comply with the conditions of the licence.19
- The duty, imposed upon the licensee, to keep and maintain records of: (i) the name and address of the person engaging the licensee for the cyber security services; (ii) the name of any person providing the cyber security services on behalf of the licensee; (iii) the date and time that the cyber security services were provided by the licensee or on the licensee's behalf; (iv) details of the type of cyber security services provided; and (v) such other particulars as may be determined by the Chief Executive.20 The licensee must retain these records for at least six years from the date the cyber security services were provided and produce them to the Chief Executive upon his direction.21 The failure to comply with this duty is an offence.22
Businesses seeking to provide or engage cyber security services would do well to familiarise themselves with these provisions as well as the relevant subsidiary legislation.
Aside from the offences discussed above, the CSA provides penalties for NCII entities where they fail to provide information or updates regarding their NCII to NCII sector leads,23 or where they fail to comply with the directions of the Chief Executive regarding cyber security exercises24 or cyber security incidents.25
For the purposes of enforcement, the CSA grants the NACSA broad powers of investigation (equivalent to those of a police officer, to the extent necessary to carry out an investigation in relation to any cyber security incident),26 search and seizure (with a warrant from a Magistrate, or without one where the authorized officer has reasonable cause to believe that the delay in obtaining a warrant would adversely affect the investigation or result in the tampering, removal, damage or destruction of evidence),27 and prosecution (with the consent of the Public Prosecutor).28
A Comparative Analysis
With the promulgation of the CSA, Malaysia joins several other jurisdictions in the Asia Pacific region with specific cyber security legislation such as the PRC, Singapore, Japan, and Australia.
The CSA is broadly similar to the Singapore Cybersecurity Act 2018 ("SG CA"), so entities already familiar with the SG CA would be well-positioned to comply with corresponding obligations under the CSA.
There are, however, some differences. For example, the CSA defines its scope generally with reference to sectors deemed to provide essential services (for example, "Banking and finance"), whereas the SG CA goes further and stipulates a non-exhaustive list of essential services (for example, under "Services related to banking and finance": "Banking services, including cash withdrawal and deposits, corporate lending, treasury management, and payment services", "Payment clearing and settlement services", and "Currency issuance"). The penalties for non-compliance under the CSA are also generally harsher than those in the SG CA. For instance, the CSA provides that a breach of the duty of NCII entities to notify the Chief Executive of cyber security incidents may result in a fine not exceeding MYR 500,000 (about USD 113,000) or imprisonment of up to ten years or both, whereas the corresponding penalty under the SG CA is a fine not exceeding SGD 100,000 (about USD 74,066) or imprisonment of up to two years or both.
The Singapore Parliament recently passed amendments to the SG CA.29 These amendments, which have not yet come into force, significantly broaden the scope of the SG CA, extending regulation to matters such as virtual critical information infrastructure ("CII") (in addition to physical computers and computer systems), certain CII located wholly outside Singapore, computers and computer systems controlled by external suppliers which are interconnected with or communicate with CII, and certain other entities (in addition to CII owners), reflecting the fact that most IT systems are no longer hosted "on prem". Malaysia may well follow suit and implement similar changes to the CSA in the future.
Overall, the trend in the Asia Pacific region is towards increasing cyber security regulation through legislation. Even in Hong Kong, where no such legislation has yet been enacted, steps have been taken towards it: the proposed Protection of Critical Infrastructure (Computer System) Bill was submitted by the Hong Kong government to the Legislative Council for discussion on 2 July 2024, and was gazetted on 6 December 2024 (see our previous Legal Update: Hong Kong Proposes a Legal Framework for Regulating Critical Infrastructures).
Conclusion
The CSA signifies a pivotal step in Malaysia's efforts to enhance its national cyber security defences, reflecting the nation's commitment to safeguarding its critical infrastructure against escalating cyber threats. As regional trends show an increasing focus on regulatory frameworks, the Malaysian CSA aligns with global best practices while showcasing tailored features and stricter enforcement mechanisms. More broadly, the CSA, the SG CA, and Hong Kong's developing legislative landscape all highlight the growing importance of cyber security and the focus of governments in the region on building digital resilience.
3 CSA, Sections 17(5) and 18(3).
4 CSA, Sections 21 and 25. See further the Cyber Security (Period of Cyber Security Risk Assessment and Audit) Regulations 2024.
6 CSA, Section 23. See further the Cyber Security (Notification of Cyber Security Incident) Regulations 2024.
7 CSA, Section 21(5) – the failure to implement a code of practice is punishable by a fine not exceeding MYR 500,000 (about USD 113,000) or imprisonment of up to ten years or both; Section 22(7) – the failure to conduct an assessment or audit, or to submit the assessment report or audit report, is punishable by a fine not exceeding MYR 200,000 (about USD 45,000) or imprisonment of up to three years or both; Section 22(8) – the failure to comply with directions of the Chief Executive to re-evaluate, rectify, or repeat (in light of material changes to the NCII) an assessment or audit is punishable by a fine not exceeding MYR 100,000 (about USD 22,500); and Section 23(2) – the failure to notify the Chief Executive of a cyber security incident is punishable by a fine not exceeding MYR 500,000 (about USD 113,000) or imprisonment of up to ten years or both.
9 Cyber Security (Licensing Of Cyber Security Service Provider) Regulations 2024 ("Licensing Regulations"), Regulations 4 and 5.
11 CSA, Section 30(2). See also the directive on the Licensing of Cyber Security Service Provider (Arahan KE NACSA No. 2 Tahun 2024).
14 CSA, Section 27(5), punishable by a fine not exceeding MYR 500,000 (about USD 113,000) or imprisonment of up to ten years or both.
15 Licensing Regulations, Regulation 7(2).
18 CSA, Section 34(2), punishable by a fine not exceeding MYR 200,000 (about USD 45,000) or imprisonment of up to three years or both.
22 CSA, Section 32(3), punishable by a fine not exceeding MYR 100,000 (about USD 22,500) or imprisonment of up to two years or both.
23 CSA, Section 20(6), punishable by a fine not exceeding MYR 100,000 (about USD 22,500) or imprisonment of up to two years or both.
24 CSA, Section 24(4), punishable by a fine not exceeding MYR 100,000 (about USD 22,500).
25 CSA, Section 35(5), punishable by a fine not exceeding MYR 200,000 (about USD 45,000) or imprisonment of up to three years or both.
26 CSA, Sections 38, 48, 49 and 51.