PETALING JAYA: The Cyber Security Act 2024 (Act 854) takes effect from Monday (Aug 26), says the Prime Minister's Office (PMO).
It said in a statement that the Prime Minister has set Monday as the effective date of the Act's implementation, adding that this was done in his capacity as the minister responsible for cybersecurity.
The PMO added in a statement that Monday is also the effective date for the following regulations made under the Act:
> Cyber Security Regulations (Duration for Cybersecurity Risk Assessment and Audit) 2024.
> Cyber Security Regulations (Cybersecurity Incident Notification) 2024.
> Cyber Security Regulations (Licensing of Cybersecurity Service Providers) 2024 and the
> Cyber Security Regulations (Offence Compounding) 2024.
It added in a statement that the above regulations were published in the Gazette on August 22.
The PMO then said that the Act enhances the nation's cybersecurity, and among other things provides for the establishment of the National Cybersecurity Committee (JKSN) and the duties and powers of the Chief Executive of the National Cybersecurity Agency (Nacsa).
This Act also provides for the functions and duties of the heads of the National Critical Information Infrastructure (NCII) sectors and NCII entities and the management of cybersecurity threats and cybersecurity incidents affecting NCII.
It also regulates cybersecurity service providers through licensing and provides for related matters.
The Cybersecurity Regulations (Duration for Cybersecurity Risk Assessment and Audit) 2024 stipulate that an NCII entity that owns or operates an NCII must conduct a cybersecurity risk assessment at least once a year.
These Regulations also stipulate that an audit must be done at least once every two years or at a higher frequency as may be directed by the Chief Executive in any specific case.
Meanwhile, the Cybersecurity Regulations (Cybersecurity Incident Notification) 2024 require an authorised person from an NCII entity to immediately give notification, via electronic means, of any cybersecurity incident that has occurred or may have occurred.
Subsequently, the authorised person must submit initial details through the “National Cyber Coordination and Command Centre System” (“NC4 System”) within six hours of the NCII entity becoming aware of the cybersecurity incident.
In addition, the authorised person for the NCII entity must provide additional information within 14 days through the “NC4 System”.
Aside from that, the Cybersecurity Regulations (Licensing of Cybersecurity Service Providers) 2024 will apply to individuals and companies that provide cybersecurity services related to Managed Security Operation Centre Monitoring Services and Penetration Testing Services.
The Cybersecurity Regulations (Offence Compounding) 2024 provide for the compounding of offences, namely those under subsections 20(6), 20(7), 22(7), 22(8), 24(4), and 32(3).