The Cyber Security Act 2024 (Akta Keselamatan Siber 2024) of Malaysia introduces several key regulations aimed at strengthening cybersecurity within the country, which will come into effect on August 26, 2024. These regulations primarily focus on licensing cybersecurity service providers, mandating cybersecurity audits and risk assessments, and establishing strict protocols for handling cybersecurity incidents. Here's a summary of the core components:
1. Licensing of Cybersecurity Service Providers
Any entity offering managed security operation center monitoring or penetration testing services is required to obtain a license from the National Cyber Security Agency.
Licensing fees for companies are set at RM 1000 annually for each service, while individuals will pay RM 400 annually.
The regulations do not apply to government entities, related companies providing services internally, or services offered to systems located outside of Malaysia.
2. Cybersecurity Risk Assessment and Audits
Critical Information Infrastructure (CII) entities must conduct a cybersecurity risk assessment at least once a year.
These entities must also perform cybersecurity audits every two years, or more frequently if directed by the Chief Executive.
3. Incident Reporting Requirements
Entities responsible for national critical information infrastructure are required to immediately notify the National Cyber Coordination and Command Centre of any cybersecurity incidents.
Full details must be submitted within six hours of detection, with a comprehensive report due within 14 days. Additional updates must be provided as required.
4. Compounding of Offences
Specific offences under the Cyber Security Act 2024 are compoundable, with offenders offered the option to settle fines through electronic payments, failing which legal prosecution will be initiated.
Impacts on Malaysian Companies
Increased Compliance Costs: Companies providing cybersecurity services or operating in critical sectors will need to comply with the new licensing requirements, audits, and regular assessments.
Incident Response Burden: CII entities must establish rapid reporting mechanisms and allocate resources for ongoing cybersecurity monitoring and compliance.
Penalties for Non-Compliance: Companies failing to adhere to these regulations face fines, penalties, or even imprisonment, which could impact operations and reputation (CSA_2024-REGULATIONS).
This new framework aims to enhance Malaysia’s cybersecurity resilience and place more responsibility on companies to safeguard their digital infrastructure.