The rapid evolution of cyber threats has necessitated robust legal frameworks worldwide, and Malaysia has taken a significant step in this direction with the enactment of the Cyber Security Act 2024 (CSA). Since the CSA came into force on 26 August 2024, several key developments have shaped the country's cyber security landscape, affecting National Critical Information Infrastructure (NCII) Entities and other stakeholders. The most noteworthy are the announcement of the NCII Sector Leads, the launch of the Cyber Security Service Provider (CSSP) licensing portal, and new obligations on NCII Entities relating to cyber security assessments.
With the new framework in place, Malaysia aims to strengthen its defences by designating critical infrastructure sectors and regulating the providers of cyber security services more strictly. The following sections set out the latest updates and requirements under the CSA and the steps NCII Entities must take to remain compliant.
1. NCII Sector Leads Announced
On 11 September 2024, Malaysia's National Cyber Security Agency (NACSA) announced the full list of NCII Sector Leads appointed by the Prime Minister under Section 15 of the CSA. The appointments cover all 11 designated NCII sectors and are a pivotal step in strengthening the country's cyber security defences. Each sector lead is responsible for coordinating activities within its sector and for ensuring that the NCII Entities in that sector adhere to the applicable directives, codes of practice and guidelines.
The sector leads will oversee various aspects, including policy implementation, compliance monitoring, and risk assessment. By appointing dedicated leaders for each critical sector, Malaysia aims to facilitate a more structured and coordinated approach to national cyber security. These leaders will work closely with NCII Entities to ensure prompt and effective action against any emerging threats.
2. CSSP License Application Formally Begins
As of 1 October 2024, the CSSP licensing portal is live and service providers can apply for their licences. The licensing regime is a significant milestone in the regulation of cyber security service providers in Malaysia. Any person providing, or advertising the provision of, a licensable cyber security service must hold a CSSP licence to do so lawfully; the service types currently prescribed as licensable under the Act's licensing regulations are managed security operations centre (SOC) monitoring and penetration testing. A grace period runs until 31 December 2024, giving currently unlicensed providers time to comply.
The licensing process is intended to standardise the quality and reliability of cyber security services available in the market. By enforcing licensing requirements, NACSA aims to reduce the risk posed by substandard or fraudulent services and to ensure that providers meet the minimum criteria for protecting critical information infrastructure. Service providers must demonstrate their capability and their adherence to cyber security best practices before a licence is granted.
3. Obligations of NCII Entities to Complete National Cyber Security Baseline Self-Assessment
Following the designation of NCII Entities, the Chief Executive of NACSA issued Directive No. 4/2024 on the National Cyber Security Baseline (NCSB). The directive requires every designated NCII Entity to complete the National Cyber Security Baseline Self-Assessment (NCSB Self-Assessment). Effective from 1 October 2024, the self-assessment establishes a minimum level of cyber security protection common to all NCII Entities.
The NCSB comprises six key domains, divided into 15 cyber security categories (aspects), which are in turn broken down into 33 specific elements. NCII Entities must complete the NCSB Self-Assessment within two weeks of their designation, confirming that their internal cyber security measures align with the national baseline. The completed self-assessment report is submitted to both the Chief Executive of NACSA and the relevant sector lead for analysis and feedback.
4. Identify Cyber Security Risks
The first step for an NCII Entity in complying with the CSA is to identify the cyber security risks its infrastructure faces. This means building an inventory of every asset connected to the NCII, identifying the threats to those assets as far as is reasonably possible, and assessing the vulnerabilities in the computer systems and connected assets. Identified risks may originate from internal or external sources, and each needs to be evaluated to understand its potential impact.
This identification exercise allows NCII Entities to address risks before they develop into significant incidents. Regular audits and updates to the asset and risk inventory are essential to keep the entity's understanding of the threat landscape current. This step lays the foundation for the analysis and mitigation that follow.
5. Analyze Probability and Impact
Having identified the threats, NCII Entities must analyse the likelihood and impact of each risk: how probable it is that the risk materialises, and what consequences it would have for the entity's critical infrastructure if it did. This allows risks to be ranked by severity and by the disruption they would cause to operations.
The analysis should be thorough, covering a range of scenarios and assessing how well prepared the entity is to contain each one. The result shows which risks need immediate attention and resources, and feeds directly into the action plans that follow, giving NCII Entities a more strategic basis for managing cyber security risk.
6. Determine Actions for Each Risk
Having identified and analysed the risks, NCII Entities must decide on an appropriate response to each one. This involves developing a risk management plan that sets out, for each risk, whether it is to be mitigated, transferred, accepted or avoided, and the measures chosen. The response should be tailored to the nature and impact of the specific threat, with the most critical risks prioritised.
The plan must be reviewed and updated regularly to reflect changes in the threat landscape and in the entity's operating environment. Collaboration with the designated sector lead and adherence to NACSA's directives and guidelines will be crucial to implementing it successfully. The goal is a resilient infrastructure capable of withstanding and recovering from cyber security incidents, thereby safeguarding the nation's critical information assets.