Malaysia’s Long-awaited Cybersecurity Bill is on The Horizon

The implementation of Cybersecurity Bill 2024 in Malaysia

Cybersecurity is paramount in safeguarding computer systems, networks, and data from digital threats. Malaysia’s Cybersecurity Bill 2024 represents a significant step towards fortifying the nation’s digital defenses. The bill aims to bolster the availability and security of computer systems, safeguard information integrity and confidentiality, and effectively manage cybersecurity threats.

A recent survey conducted by the Independent Director Council highlighted phishing as a predominant threat in the Asia-Pacific region, with Malaysia facing additional risks such as ransomware, unpatched vulnerabilities, identity theft, and attacks targeting Internet of Things (LOT) devices.

In this regard, we represented a victim of phishing involving approximately RM12 Million. In the High Court case of SPHERE MANAGEMENT (MAURITIUS) LIMITED & ORS v. CIMB BANK BERHAD & ORS [2021] MLRHU 2163 it was highlighted that the victim being the Plaintiff based in Mauritius was deceived to make payments amounting to approximately RM12 Million to a Malaysian company. It was later found that the Malaysian Company was operated by a fraudster. The Plaintiff instituted an action against CIMB Bank and contended that the Bank must be made responsible of the fraudulent transaction as they facilitated the transfer of money without proper verification.

In an increasingly digitized world, cybersecurity has become a critical concern for governments worldwide. Malaysia, like many other countries, has recognized the importance of cybersecurity and has taken steps to enhance its cybersecurity framework. The recent passage of the Cybersecurity Bill in
Malaysia marks a significant milestone in the country’s efforts to strengthen its digital defenses. However, the Act has sparked debates about the balance between security imperatives and individual rights.

Understanding the Cybersecurity Bill 2024

The bill includes provisions that apply to the federal government, state government, and extraterritorial jurisdictions. It establishes the National Cyber Security Committee and outlines the duties and powers of the Chief Executive of the National Cyber Security Agency. It also defines the functions and duties of the national Critical Information Infrastructure (CII) sector leads and entities. The bill addresses the management of cybersecurity threats and incidents affecting national CII, as well as regulations for cybersecurity service providers. It includes provisions for enforcement inter alia seizure, and examination of persons related to cybersecurity matters.

On 27 March 2024, the Dewan Rakyat, the lower house of the Malaysian Parliament, passed the bill after its second reading. The bill was tabled for the first reading on 25 March 2024.

The bill seeks to improve the availability and manageability of computer systems, preserve the integrity of these systems, and ensure the integrity and confidentiality of information stored, processed, or transmitted through them.

The Analysis

The bill proposes mandatory licensing for various forms of expressive activities. Individuals providing “cybersecurity services” in Malaysia would need prior approval based on potentially changing or revocable standards, with penalties of up to ten years’ imprisonment. The definition of “cybersecurity services” is broad and extends beyond typical interpretations, including activities such as publishing or sharing source code online for public interest, conducting academic research, or distributing free digital security tools to journalists and human rights advocates.

The bill grants extensive powers to the Chief Executive of the committee, including the authority to designate individuals as “authorized officers” with powers akin to those of the police. These powers allow for searches and seizures of individuals and premises without the necessity of obtaining a warrant. Although the bill initially seems to mandate the use of warrants, it contains a broad exception that permits an authorized officer to forgo obtaining a warrant if they assert (without external verification or review) that there is “reasonable cause” not to require one. Additionally, the “Chief Executive” as defined in the bill can issue production demands without the need for a warrant.

The Pros and Cons

PRO

• Enhanced cybersecurity: The bill aims to strengthen Malaysia’s cybersecurity posture, making it more resilient against cyber threats.

• Regulatory framework: It provides a clear regulatory framework for cybersecurity services, ensuring standards and accountability.

• Protection of critical infrastructure: The bill focuses on protecting critical information infrastructure, which is vital for national security and economic stability.

CONS

• Potential overreach: The bill grants broad powers to authorities, raising concerns about potential abuse and infringement of privacy rights.

• Restrictions on freedom: The bill’s provisions for licensing and regulation of cybersecurity services could potentially restrict freedom of expression and innovation.

• Compliance challenges: Compliance with the bill’s requirements could be
  challenging for businesses, especially Small and Medium Enterprises (SMEs), due to the cost and complexity of cybersecurity measures.

In the nutshell

While the cybersecurity bill in Malaysia demonstrates the country’s commitment to enhancing cybersecurity, however, there is a pressing need for careful consideration of its provisions to ensure they strike the right balance between security and individual rights. Amendments may be necessary to address concerns regarding potential overreach and limitations on freedom of expression and privacy. You can read the bill HERE and view its legislative history, only available in Malaysian, HERE.

References
[01] https://techwireasia.com/12/2023/what-is-behind-the-worsening-state-of-cybersecurity-in-malaysia/
[02] https://www.nst.com.my/business/corporate/2024/03/1030905/lgms-boss-hails-tabling-cybersecurity-bill
[03] https://www.dataguidance.com/news/malaysia-cybersecurity-bill-2024-passes-parliament
[04]https://www.malaysianbar.org.my/article/news/press-statements/press-statements/press-releaseamendments-to-cyber-security-bill-2024-necessary-to-ensure-just-and-meaningful-implementation

If you have any queries, please contact our via e-mail, we are available for a scheduled conference call.
You may download the PDF version from here.