The Malaysian Government has recently reaffirmed its commitment to present a draft Cybersecurity Bill ("Bill") – to address existing gaps in Malaysia's cybersecurity legal framework – to Parliament by 2024.
The key components that will be addressed by the Cybersecurity Bill include:
- the establishment of the National Cyber Security Agency ("NACSA") as the national cybersecurity regulator entrusted with the necessary enforcement powers to oversee cybersecurity matters in the country;
- the designation of Critical National Infrastructure Information ("CNII") sectors, together with CNII sector leads to act as intermediaries between NACSA and CNII owners;
- the identification of computers and computer systems that will be designated as CNIIs;
- the issuance of specific directions or codes of practice to define minimum cybersecurity standards for CNII owners;
- the introduction of baseline audit and risk assessment requirements for CNII owners, wherein CNII owners will be required to conduct audits and risk assessments and submit reports to NACSA;
- the introduction of mandatory cybersecurity incident notification requirements; and
- the introduction of licensing requirements for service providers offering certain cybersecurity services identified in the Bill.
Once the Bill is enacted, it will introduce new compliance obligations for CNII owners and cybersecurity service providers. Additionally, organisations providing services or engaging with CNII owners may also be indirectly impacted by the requirements outlined by the Bill.
While there has been no official confirmation by the Government regarding the types of organisations that will be designated as CNII owners under the Bill, it is likely that the Bill will align with the 11 CNII sectors currently identified in the Malaysia Cyber Security Strategy 2020-2024 policy document. These cover companies operating in sectors such as banking and finance, information and communication, energy, transportation, water, health services, emergency services, and agriculture and plantation.
As such, all organisations must keep themselves updated on the status and developments of the Bill and, in the interim, implement measures to ensure compliance with the possible obligations to be imposed by the Government once the Bill is passed by Parliament.