The Cyber Security Act 2024 (CSA) has brought a distinct approach to Malaysia, shifting the focus onto the country’s critical information infrastructure. The Act officially came into force on August 26th, 2024, and has since begun revolutionizing cybersecurity in Malaysia. Read on to learn about it and the improvements it’s making.
Overview of the Cybersecurity Act 2024
The CSA changes how Malaysia’s framework protects certain institutions by introducing a novel element, the National Critical Information Infrastructure (NCII), which will span multiple institutions that play a critical role in the well-being and economy of the state. Key provisions of the Act include:
Mandatory Risk Assessments and Audits
The Act specifies that NCII entities shall conduct a cybersecurity risk assessment once every year and two audits at different intervals throughout the sector’s codes. These practices hinge on the need to identify existing gaps and impose requirements.
Incident Reporting Obligations
Under the CSA, entities that experience cyber attack incidents shall inform NC4 of any cyber breach within six hours of discovery. Detailed reports containing more information about the incidents must be forwarded within two weeks.
Licensing of Cybersecurity Service Providers (CSSPs)
CSSPs that provide services to NCII enterprises should secure a license. This requires alignment with international standards. People who provide services without a license face severe consequences. For example, they may be fined from MYR 100,000 to MYR 500,000 and imprisoned for up to ten years.
Enforcement and Penalties
Under the Act, the authorities in charge are given the power to impose penalties, revoke licenses, and prosecute any individual or body that disobeys the law. The penalties are severe, as mentioned above.
Industry and Public Perspectives
Industry Response
The industry working in NCII has always responded optimally to conflicts in the market. Several of them appreciate the need to enhance cybersecurity in Malaysia. The weight of compliance demands, however, has raised eyebrows, particularly among smaller entities with fewer resources. For example, periodic audits, system upgrades, and licensing costs have been mentioned as deterrents.
Still, large companies that have an internal cybersecurity architecture view the CSA as useful and necessary.
Public Confidence
In the eyes of citizens, the Cyber Security Act is a positive move toward better governance in the management of cyber threats. The public can do more to keep themselves safe, such as using a recommended data removal service and following opt-out guides to keep their information off the internet, but the new CSA does give them more confidence in their online safety.
The cyberattack news that hit the headlines a few years back left some users disappointed in internet services, so many Malaysians view the Act as a helpful tool.
Challenges in Implementation
Compliance Complexity
The CSA’s requirements, particularly for NCII entities, involve extensive documentation, regular reporting, and adherence to sector-specific codes of practice. Some businesses have expressed difficulties.
Skill and Resource Gaps
The demand for qualified cybersecurity professionals has surged following the CSA’s enactment, highlighting a critical skills gap in the industry.
Balancing Security and Usability
Striking a balance between robust cybersecurity measures and operational efficiency remains a challenge.
Malaysia’s CSA will change the country’s online threat landscape, and people are taking the new Act positively. Let’s see how it actually changes cybersecurity for the country.