
Malaysia's Act 854: What It Means for Cybersecurity Leaders in the Country and Beyond

The gazetting of the Cyber Security Act 2024 on 26 June 2024 by the Attorney General's Chambers marks a significant step forward in bolstering Malaysia's cyber defences and increasing our resilience to emerging threats.

Malaysia's cybersecurity landscape is evolving with the introduction of Act 854, marking a crucial moment for cybersecurity, IT, and data security leaders in the region. As cyber threats continue to rise in both number and complexity, robust cybersecurity measures are becoming essential. This new legislation brings significant changes that impact not only Malaysia but also the broader Southeast Asian (SEA) region.

We peruse the act and boil it down to bite-sized insights for you.


New Responsibilities for National Critical Information Infrastructure (NCII) Entities

Act 854 designates certain entities as National Critical Information Infrastructure (NCII) entities.

Act 854 defines NCII as a computer or computer system whose disruption or destruction would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively.

NCII entities are now responsible for maintaining an up-to-date register of their infrastructures and providing detailed information about them. This step aims to improve the management and protection of vital digital assets, ensuring that the most important components of the nation's digital ecosystem are prioritized for security.


Enforcing Cybersecurity Practices

A key aspect of Act 854 is the mandatory implementation of specific cybersecurity measures, standards, and processes. These practices are detailed in a code of practice that NCII entities must follow. Non-compliance can lead to hefty fines and even imprisonment, highlighting the Malaysian government's serious approach to cybersecurity. This serves as a strong reminder to all entities of their duty to uphold high security standards.


Regular Cybersecurity Assessments and Audits

Act 854 also requires NCII entities to perform regular cybersecurity risk assessments and audits by approved auditors. The results must be submitted to the Chief Executive of the National Cyber Security Agency (NACSA). This focus on regular assessments is intended to identify and address vulnerabilities proactively. Entities that fall short in their assessments may be required to undergo further evaluations, promoting continuous improvement in cybersecurity measures.


Mandatory Incident Reporting

Timely reporting of cybersecurity incidents is another vital component of Act 854. NCII entities must notify the Chief Executive of NACSA and their sector leads about any incidents or potential incidents within a specified timeframe. This requirement ensures that incidents are managed swiftly and effectively, minimizing damage and allowing for a coordinated response to threats.


Licensing for Cybersecurity Service Providers

To ensure the quality of cybersecurity services, Act 854 mandates that all providers must be licensed. This includes meeting specific qualifications and adhering to conditions set out in their licenses. By regulating the market, this measure aims to enhance the overall quality and reliability of cybersecurity services available to NCII entities.


What This Means for Industry Leaders

For cybersecurity leaders in Malaysia and Southeast Asia, Act 854 presents both challenges and opportunities. The strict requirements and enforcement mechanisms highlight the critical importance of cybersecurity. Leaders must navigate these regulatory changes, ensuring their organizations comply with the new standards while also seizing the opportunity to enhance their cybersecurity posture.

Eddie Hau, the Chief Information Security Officer at Sunway Group, says, “This act will definitely be a wake-up call not only for NCII, but also for most of the enterprises and SMEs. It sends a message on the importance of ensuring the due-care practices, where an organisation is required to take reasonable steps to maintain cybersecurity hygiene to protect and preserve the sensitive information.”

Hau adds, “It is always a challenge to ensure the quality of the implementation of the cyber security act, where the enforcer would have to put more effort in ensuring compliance of the act through continuous verification, validation, improvement, and effectiveness measurement.” Hau highlights that these are the keys to ensuring the sustainability of cybersecurity hygiene practices by the organisations involved or within the scope of the Act.

In summary, Act 854 is a significant legislative development with immediate and far-reaching impacts on Malaysia's cybersecurity landscape. It calls on all cybersecurity leaders to strengthen their defences, ensure compliance, and contribute to a more secure digital future. As the digital world continues to grow, the ability to manage and mitigate cyber risks will be crucial for the success and resilience of organizations across the region.


If you want to learn more about how Act 854 affects small businesses, read this takeaway by Sivanathan Subramaniam, the General Manager, Cyber Security & Resilience at CTOS.

If you would like to join us at CISO Malaysia 2025, get in touch with Eleen Meleng or Rhys Ghorashi to learn more about how you can get involved.