Understanding the Cyber Security Act 2024: A Comprehensive Overview
The digital landscape is evolving at an unprecedented pace, bringing with it a myriad of opportunities and challenges. As cyber threats become increasingly sophisticated, governments worldwide are stepping up their efforts to safeguard critical information infrastructure. In this context, the Cyber Security Act 2024 (“Act”) was enacted, receiving royal assent on 18 June 2024 and subsequently gazetted on 26 June 2024. The Act, along with its subsidiary regulations, officially came into force on 26 August 2024. This article delves into the key components of the Act, focusing particularly on the Incident Notification Regulations and the Risk Assessment Regulations.
The Cyber Security Act 2024 and Its Subsidiary Regulations
The Cyber Security Act 2024 is a significant legislative framework aimed at enhancing the cybersecurity posture of national critical information infrastructure (NCII). It introduces four subsidiary regulations, collectively referred to as the Cyber Regulations:
- Cyber Security (Compounding of Offences) Regulations 2024
- Cyber Security (Notification on Cyber Security Incident) Regulations 2024 (“Incident Notification Regulations”)
- Cyber Security (Risk Assessment and Audit) Regulations 2024 (“Risk Assessment Regulations”)
- Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
This article will primarily focus on the Incident Notification Regulations and the Risk Assessment Regulations, which are crucial for ensuring timely responses to cybersecurity incidents and maintaining robust security measures.
Incident Notification Regulations
Obligations in the Event of a Cyber Security Incident
Under the Incident Notification Regulations, entities classified as NCII are mandated to adhere to a threefold obligation when faced with an actual or suspected cyber security incident:
- Immediate Notification: This must occur immediately upon the discovery of the incident.
- Initial Submission: This involves submitting prescribed information within 6 hours of the Trigger Event (the point at which the incident comes to the knowledge of the NCII entity, as defined under Timing of Notifications below).
- Supplemental Submission: This must be completed within 14 days following the Immediate Notification.
Additionally, ongoing updates regarding the incident may be required by the Chief Executive of the National Cyber Security Agency.
Who is Responsible for Notifications?
The responsibility for making the required notifications, submissions, and updates lies with the authorised person of the NCII entity. This ensures that the right individuals are accountable for maintaining communication during a cyber incident.
Timing of Notifications
The obligations arise as soon as the actual or suspected cyber security incident comes to the knowledge of the NCII entity, referred to as the Trigger Event. The timelines for notifications are as follows:
- Immediate Notification: As soon as the Trigger Event is identified.
- Initial Submission: Within 6 hours of the Trigger Event.
- Supplemental Submission: Within 14 days of the Immediate Notification.
Method of Submission
The notifications and submissions must be made electronically. In the case of disruptions, alternative communication methods may be determined by the Chief Executive.
Required Information for Submissions
The information required for each type of submission is as follows:
- Immediate Notification: No prescribed particulars are needed.
- Initial Submission: Must include:
  - Details of the authorised person.
  - Information about the NCII entity, including sector details.
  - Description of the cyber security incident, including its severity and method of discovery.
- Supplemental Submission: Should include, to the fullest extent practicable:
  - Details of the NCII affected.
  - Estimated number of hosts impacted.
  - Information about the cyber security threat actor.
  - Artifacts related to the incident.
  - Details on the tactics, techniques, and procedures used in the incident.
  - Impact assessment and actions taken.
Risk Assessment Regulations
Obligations Under the Risk Assessment Regulations
The Risk Assessment Regulations impose two primary obligations on NCII entities:
- Conducting a Cyber Security Risk Assessment: This assessment must be performed at least once a year.
- Carrying Out a Cybersecurity Audit: This audit should occur at least once every two years, or more frequently if directed by the Chief Executive.
Who is Subject to These Obligations?
The obligations apply specifically to NCII entities that own or operate critical information infrastructure. This targeted approach ensures that those responsible for safeguarding essential services are held accountable.
Conclusion: A Timely and Necessary Framework
The enactment of the Cyber Security Act 2024 and its associated Cyber Regulations comes at a crucial time when cyber threats are rampant and evolving. The Incident Notification Regulations and Risk Assessment Regulations are designed to foster a proactive approach to cybersecurity, ensuring that entities are prepared to respond swiftly and effectively to incidents.
As technology continues to advance, it is imperative that legal frameworks adapt to address emerging threats. The Cyber Security Act 2024 represents a significant step towards securing Malaysia’s digital future, emphasizing the importance of robust security measures and timely incident reporting.
While this article provides an overview of the Cyber Security Act 2024 and its regulations, it is important to note that the information herein is for informational purposes only and should not be construed as legal advice. For specific situations, consulting qualified legal counsel is recommended.