Malaysia passes Cyber Security Bill 2024


In April 2024, Malaysia’s Parliament passed the Cyber Security Bill 2024 (the “Bill”). The Bill aims to establish a robust regulatory framework for enhancing national cybersecurity. In this article, we delve into the key provisions of the Bill, with a particular focus on its extraterritorial application and the potential impact on foreign companies operating within Malaysia.
     

Background and Purpose

The Bill represents a significant step towards safeguarding Malaysia’s digital infrastructure. Its primary objective is to address cybersecurity threats by mandating compliance with specific measures, standards and processes.
    
The overarching goal is to protect National Critical Information Infrastructure (“NCII”), which is defined as “…a computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively”.
       

Extraterritorial Application

One notable feature of the Bill is its extraterritorial effect. It applies not only to individuals within Malaysia but also to those outside the country.
    
Specifically, if an offense under the Bill pertains to an NCII—whether wholly or partly located in Malaysia—the law applies regardless of the offender’s physical location.
     
Foreign companies operating in Malaysia should take note of this extraterritorial reach, as their activities related to NCIIs within the country may fall under the Bill’s purview.
      

Key Provisions

The Bill designates specific sectors as NCII Sectors:
  • Government 
  • Banking and finance 
  • Transportation 
  • Defence and national security 
  • Information, communication and digital 
  • Healthcare services 
  • Water, sewerage and waste management 
  • Energy 
  • Agriculture and plantation 
  • Trade, industry and economy 
  • Science, technology and innovation

Entities operating in these sectors must comply with the regulatory requirements outlined in the Bill. Each NCII Sector will have a designated sector lead responsible for regulating compliance within that sector.
     
Both private and public entities designated as NCII Entities will be subject to compliance once the Bill comes into force. The newly introduced duties are:
  • Duty to provide information relating to national critical information infrastructure to the relevant NCII sector lead
  • Duty to implement the code of practice prepared by the relevant NCII sector lead
  • Duty to conduct cyber security risk assessment and audit
  • Duty to give notification on cyber security incident
      
Furthermore, the Bill introduces licensing requirements for providers of cybersecurity services. Compliance with these requirements is essential for service providers.
    
Lastly, the Bill establishes the National Cyber Security Committee, responsible for overseeing cybersecurity matters.
    

Implications for Foreign Companies under Malaysia’s Cyber Security Bill 2024

The proposed licensing requirements for providers of cybersecurity services will be relevant for foreign companies offering such services within Malaysia as they must obtain the necessary licenses to operate legally.
    
Entities operating in sectors designated as NCII will face numerous new compliance requirements. Foreign companies involved in these sectors need to align their practices with the specified security measures and standards stipulated in the Bill and in the implementation rules, which have not yet been enacted.
     
The Bill empowers regulatory authorities to impose administrative fines for non-compliance. These fines can be substantial and may vary based on the severity of the violation. Authorities can also issue cessation orders, requiring an entity to cease specific activities related to cybersecurity if they pose a risk to national security or critical infrastructure. Certain violations may lead to criminal charges. Foreign companies failing to meet their obligations could face legal proceedings and potential imprisonment for responsible individuals. Compliance with the Bill will be crucial for foreign companies seeking to operate in Malaysia. In addition to fines and potential imprisonment in serious cases, failure to comply may result in restricted market access or exclusion from critical sectors.
     

Operational Challenges

The Bill imposes compliance obligations that, depending on the specific circumstances, may require foreign companies to store certain data locally, impacting their existing data management practices. The Bill mandates timely reporting of cybersecurity incidents. Foreign companies must establish incident response protocols and report breaches promptly, and they should conduct thorough due diligence before entering the Malaysian market. Understanding the Bill’s requirements and assessing risks will become an integral part of market entry and operations strategy. 
    
In summary, foreign companies operating in Malaysia must proactively assess their cybersecurity practices, obtain necessary licenses, and comply with the requirements imposed on them under the Bill. Failure to do so could have serious consequences for companies’ future business in the country. As the Bill awaits royal assent, affected entities should prioritize alignment with its provisions to avoid adverse effects on their operations.


Contact


Felix Engelhardt

Manager

+60 3 2276 2755
