August 27, 2024
KUALA LUMPUR – Within six hours of discovering a cybersecurity incident, or even a potential threat, an authorised person under a newly-enforced law will have to make an initial report to the National Cyber Coordination and Command Centre System (NC4).
The six-hour rule applies to attacks on information in sectors deemed critical to the nation, including defence, finance, water, and healthcare services.
This new step follows the enforcement of the Cybersecurity Act 2024 (Act 854) that began yesterday.
Act 854 aims to enhance national cybersecurity, said the Prime Minister’s Office (PMO) in a statement.
The six-hour rule comes under the Notification of Cybersecurity Incident Regulations. It mandates an authorised person from any National Critical Information Infrastructure (NCII) entity to immediately report, via electronic means, any cybersecurity threats detected.
Within those critical six hours, the information furnished by the authorised person must include the nature of the incident and severity of the threat.
The authorised person for the NCII entity must also provide additional information within 14 days through the NC4 System — including number of hosts affected, techniques used in the attack, and its impact.
NCII refers to computers or systems whose disruption would harm essential services or the effective functioning of federal or state governments.
The 11 NCII sectors are government; banking and finance; transportation; defence and national security; information, communication, and digital; healthcare services; water; sewerage and waste management; energy; agriculture and plantation; trade, industry, and economy; and science, technology, and innovation.
The PMO said, in accordance with subsection 1(2) of Act 854, the Prime Minister, in his capacity as the minister responsible for cybersecurity, has set yesterday as the effective date of the implementation of Act 854.
Act 854 received royal assent from the Yang di-Pertuan Agong on June 18, and was published in the federal gazette on June 26.
The Act was passed in the Dewan Rakyat in March.
The Prime Minister has also set Aug 26 as the effective date for regulations set under Act 854 as follows:
> Risk Assessment and Audit Regulations;
> Notification of Cybersecurity Incident Regulations;
> Licensing of Cybersecurity Service Provider Regulations; and
> Compounding of Offences Regulations.
The above regulations were published in the Federal Gazette on Aug 22, noted the PMO.
The PMO pointed out that Act 854 was enacted to enhance the nation’s cybersecurity by providing for the setting-up of the National Cybersecurity Committee.
It also clearly spells out the duties and powers of the chief executive of the National Cyber Security Agency (Nacsa).
Act 854 also makes clear the functions and duties of the heads of the NCII sectors and NCII entities.
Meanwhile, the Risk Assessment and Audit Regulations under Act 854 stipulate that an NCII entity must conduct a cybersecurity risk assessment at least once a year and carry out an audit at least once every two years; or at a higher frequency as may be directed by the chief executive in any specific cases.
The Licensing of Cybersecurity Service Provider Regulations will apply to individuals and companies that provide cybersecurity services related to Managed Security Operation Centre Monitoring Services and Penetration Testing Services.
The Compounding of Offences Regulations provide for the compounding of offences, namely subsections 20(6), 20(7), 22(7), 22(8), 24(4), and 32(3) in Act 854.
In countering cyberattacks, the Prime Minister is the head of a 13-member National Cybersecurity Committee.
The committee comprises the ministers in charge of the Finance, Foreign Affairs, Defence, Home Affairs, and Communications and Digital portfolios. It also comprises senior government officials such as the chief secretary to the government, the Armed Forces General, and Inspector-General of Police, among others.
Among the roles of the committee is to determine policies, approaches and strategies related to the country’s cybersecurity; advise the government on policies and strategic measures to strengthen cybersecurity; instruct the chief executive and sector leads; and monitor the enforcement of the Act.