The National Cyber Security Agency (Nacsa) is set to revamp its critical infrastructure listings under the newly enacted Cybersecurity Act 2024. This sweeping legislation, which was passed by Malaysia’s Dewan Rakyat in April and officially came into effect on August 26, 2024, brings with it a series of pivotal changes aimed at enhancing national cybersecurity.
As part of the implementation of the Cybersecurity Act 2024, Nacsa will review and update the list of entities designated as National Critical Information Infrastructure (NCII). Dr. Megat Zuhairy Megat Tajuddin, the Chief Executive of Nacsa, highlighted in a recent briefing that the agency will reassess the 299 entities currently listed under the guidelines of the National Security Council Directive No. 26.
Revising the National Critical Information Infrastructure (NCII) List with Cybersecurity Act 2024
Dr. Megat Zuhairy indicated that the new criteria established by the Cybersecurity Act 2024 are designed to provide greater clarity and precision in the designation of NCII entities. “We anticipate that the number of NCII entities will likely increase as the new criteria are more comprehensive and detailed. Additionally, sector heads have been given the authority to identify NCII entities within their own sectors,” he explained.
The Cybersecurity Act 2024 introduces several critical measures aimed at strengthening the nation’s cybersecurity framework. Officially endorsed by His Majesty Sultan Ibrahim, King of Malaysia, on June 18, and published in the gazette on June 26, the Act mandates a more robust approach to cybersecurity management and response.
The Cybersecurity Act 2024 introduces four key regulations to enhance cybersecurity protocols. The regulation on the Compounding of Offences allows for resolving certain offenses through financial penalties instead of judicial proceedings. This approach aims to streamline the handling of minor infractions and reduce the burden on the court system.
Another crucial regulation, Notification on Cybersecurity Incidents, mandates that entities designated as National Critical Information Infrastructure (NCII) must promptly report any cybersecurity incidents via the NC4 email system. Initial notifications are required within six hours of discovering an incident, with more detailed reports to be submitted within 14 days, ensuring timely and thorough communication of security breaches.
The Act also emphasizes the importance of Risk Assessment and Audit. Regular risk assessments and audits are required to ensure that cybersecurity measures remain current and effective, providing a proactive approach to managing potential vulnerabilities.
Finally, the Licensing of Cybersecurity Service Providers regulation establishes a licensing system for entities offering cybersecurity services. This system ensures that only qualified and competent providers are authorized to deliver essential cybersecurity support, thereby upholding high standards in the industry.
Sector-Specific Regulations and Confidentiality Measures
The Cybersecurity Act 2024 covers 11 distinct sectors, each identified as essential to the nation’s critical information infrastructure: government; banking and finance; transportation; defense and national security; information and communication technology; healthcare services; water, sewerage and waste management; energy; agriculture and plantation; trade and industry; and science and technology.
Dr. Megat Zuhairy emphasized the confidentiality of the NCII list, noting that it will not be publicly disclosed to avoid exposing these entities to potential cyber threats. Instead, only the list of sector heads will be made available on the Nacsa website. “The list of NCII entities is classified to prevent them from becoming targets of cyberattacks,” he stated.
Among the most significant changes under the Cybersecurity Act 2024 are the stringent reporting requirements for NCII entities. According to the Cyber Security Regulations (Cyber Security Incident Notification) 2024, any cybersecurity incident must be reported through the NC4 system within six hours of detection. The initial report must include details such as the name of the authorized contact, information about the affected entity, the nature and severity of the incident, and the method of its discovery.
Following the initial report, a more detailed account must be submitted to Nacsa within 14 days. This process aims to ensure that cybersecurity incidents are promptly and thoroughly addressed, enhancing the overall resilience of the NCII sectors.
The Cybersecurity Act 2024 also outlines several legal provisions to support its enforcement. Authorized officers are granted powers to access computerized data, conduct searches, and require the attendance of individuals with relevant knowledge about cybersecurity incidents. These provisions are designed to facilitate thorough investigations and ensure compliance with the Act.
Furthermore, the Act includes measures to protect against interference and ensure the integrity of the investigative process. For instance, individuals who obstruct or impede authorized officers in their duties face substantial fines and potential imprisonment.