Nacsa: Safeguard entities under NCII


PETALING JAYA: Cybersecurity incidents extend beyond data breaches and may potentially hamper a critical entity’s ability to operate, says the National Cyber Security Agency (Nacsa).

Its chief executive, Dr Megat Zuhairy Megat Tajuddin, said that is why it is important to safeguard the entities under the National Critical Information Infrastructure (NCII) from a wide range of cybersecurity threats as a whole.

Citing the cybersecurity incident involving the Social Security Organisation (Socso) last year, Megat Zuhairy said the incident, if not managed well, could affect the body’s ability to disburse money, and it was not just about the breaching of personal data.

“So in order to protect from any data breach, you need to protect the entities as a whole,” he said when contacted yesterday.

On Dec 8 last year, Socso said it was able to overcome a cyberattack on its system by protecting information databases and websites.

Megat Zuhairy added that Nacsa also collaborated with other relevant agencies to address such issues.

“When cyberincidents lead to a data breach, we will inform the Personal Data Protection Department (JPDP).

“If they are cybercrime-related issues, we will contact the police,” he explained.

Megat Zuhairy also noted that NCII entities could face legal consequences if they fail to take the necessary steps to secure their systems against any attacks.

“The Cyber Security Act 2024 (Act 854) has made it mandatory for NCII entities to take necessary measures to protect themselves by fulfilling the minimum baseline.

“Our National Cyber Coordination and Command Centre (NC4) is on 24 hours monitoring possible threats and attempts. And through our threat intelligence, we proactively communicate with the entities,” he explained.

Megat Zuhairy said the same Act also made it mandatory for NCII entities to do yearly risk assessment and biannual audits.

“It is not just about sensitive data, but it involves NCII entities too. The Act also mandates NCII entities to immediately report to Nacsa,” he said.

Under Act 854, within six hours of the discovery of a cyber security incident, or even a potential threat, an authorised person under the legislation will have to make an initial report to the NC4.

Among others, the Act also stipulates that if the cybersecurity incident is not notified within the prescribed period of time, the entity concerned may be liable to a fine not exceeding RM500,000 or imprisonment of its officers not more than 10 years, or both.

The six-hour rule applies to attacks on information in sectors deemed critical to the nation, including defence, finance, water, and healthcare services.

The 11 NCII sectors are government; national defence and security; banking and finance; information and communications; energy; transportation; emergency services; water; health services; agriculture and plantation; and trade, industry and economy.

The Cyber Security Act 2024 was officially gazetted by the Attorney General’s Chambers on June 26.

The Act is aimed at addressing the management of cybersecurity threats and incidents concerning NCII.

Additionally, it includes provisions to regulate cybersecurity service providers through licensing.
