(Tax Update) Overview of Cyber Security Act 2024

On August 26, 2024, Pasarana Malaysia Bhd confirmed a cybersecurity incident involving unauthorized access to parts of its internal systems due to a ransomware attack.

On the same day, four new subsidiary legislations under the Cyber Security Act 2024 came into effect, focusing on risk assessments, licensing of service providers, offence compounding, and incident notification.

Key Highlights of the Cyber Security (Notification of Cyber Security Incident) Regulations 2024

Immediate Notification: Entities must promptly report any known or suspected cybersecurity incidents.
First Reporting Within 6 Hours: Initial information, including details about the incident's type, severity, and discovery method, must be submitted within six hours of becoming aware of the incident.
Supplementary Information Within 14 Days: Additional details regarding the incident and its impact must be provided within fourteen days.
Ongoing Updates: Further updates may be required as directed by the Chief Executive.
Submission Method: Reports should be submitted via the National Cyber Coordination and Command Centre System or other methods as directed in case of system disruptions.

Key Features of the Cyber Security (Compounding of Offences) Regulations 2024

Compoundable Offences: The regulations identify certain offences eligible for compounding, typically involving compliance failures by entities managing critical information infrastructures.
Compounding Process: The Chief Executive of NACSA may offer to compound offences, with a 30-day period for offenders to make electronic payments to avoid prosecution.

Definition and Scope of NCII Entities

National Critical Information Infrastructure (NCII) entities in Malaysia are organizations that own or operate computer systems whose disruption or destruction could significantly impact essential services, such as security, defense, foreign relations, economy, public health, public safety, or public order.

These entities are categorized within eleven sectors: government, banking and finance, transportation, defense and national security, information and communication, healthcare, water and waste management, energy, agriculture, trade, and science and technology.

Key Takeaways

Mandatory Compliance: NCII entities and cybersecurity service providers must strictly adhere to these regulations to avoid severe penalties, including fines and imprisonment.
Efficient Enforcement: The regulations enable streamlined enforcement, allowing certain offences to be swiftly resolved through compounding.
Proactive Management: Companies must integrate these new requirements into their cybersecurity strategies to ensure compliance and mitigate legal and operational risks.

The Cyber Security Act 2024 and its accompanying regulations mark a significant enhancement of Malaysia’s cybersecurity framework, aiming to protect the country's digital landscape.

Visit Us

Wisma KTP, 53 Jalan Molek 1/8, Taman Molek, 81100 Johor Bahru
Wisma THK, 41, Jalan Molek 1/8, Taman Molek, 81100 Johor Bahru

KTP (Audit, Tax, Advisory)

An approved audit firm and licensed tax firm operating under the KTP group based in Johor Bahru providing audit, tax planning, advisory and compliance services to clients

THK (Secretarial, Bookkeeping, Payroll, Advisory)

A licensed secretarial firm in Johor Bahru providing fast reliable incorporation, secretarial services, corporate compliance services, outsourcing bookkeeping, and payroll services to clients