Cybersecurity 2020

Last Updated March 16, 2020

Malaysia

Law and Practice

Author



Wong & Partners has a team consisting of seasoned practitioners who have complementary proficiency in IT and IP, and is well-versed in providing advice on complex and wide-ranging privacy and cybersecurity laws. A member firm of Baker McKenzie International, it includes partners and associates who are certified information privacy professionals by the International Association of Privacy Professionals (IAPP). The team has assisted clients from across all industry sectors in the full scope of transactional and advisory matters, including advising on regulatory requirements under Malaysia's Personal Data Protection Act 2010 (PDPA). It also has access to the legal expertise in Baker McKenzie's global network, placing it in a good position to provide multi-jurisdictional advice and on-the-ground support. The firm focuses on advising on the regulatory requirements of Malaysia’s data privacy laws, the processing of employee and customer data, and cross-border transfers and disclosure of such data, as well as the appointment of data processors, consent of data subjects and records retention, workplace privacy, marketing and loyalty programmes, network security and security breach response, foreign disclosure obligations, and data privacy compliance.

The Malaysian legal system is largely influenced by the British common law system, with the main legal framework set out in the Federal Constitution of Malaysia. Legislation passed by the Malaysian Parliament takes precedence over judge-made precedent.

Malaysia was one of the earliest nations in South-East Asia to enact cyber-related laws, but there is as yet no single, centralised cybersecurity law in Malaysia. The regulation of cybersecurity is scattered across various laws, including the Computer Crimes Act 1997, the Communications and Multimedia Act 1998, the Personal Data Protection Act 2010 and the Digital Signature Act 1997. For further information, see 2.1 Key Laws.

There is currently no general legal requirement for data breach reporting or notification. However, this position may change in the near future. In the Public Consultation Paper No 1/2020 issued in February 2020, the Personal Data Protection Commissioner (Commissioner) proposed a new provision in the Personal Data Protection Act 2010 (PDPA) that would impose an obligation on a data user to report data breach incidents.

The Commissioner had previously published the Public Consultation Paper No 1/2018, which also proposed the introduction of data breach notification. The suggestion at that time, however, was to impose the notification requirement as a condition of the certificate of registration issued by the Commissioner. Neither proposal had been enacted at the time of writing.

One of the key regulators on cybersecurity is the Royal Malaysia Police (RMP), or specifically, the Cybercrime and Multimedia Investigation Branch under the Commercial Crime Investigation Department. The RMP has the general power to investigate criminal offences, including those under the Computer Crimes Act 1997.

The Malaysian Communications and Multimedia Commission is the regulator under the Communications and Multimedia Act 1998 and the Digital Signature Act 1997. The Personal Data Protection Commissioner is the regulator with respect to the Personal Data Protection Act 2010. Some sectoral regulators are also involved in cybersecurity issues, such as the Central Bank of Malaysia and the Securities Commission Malaysia.

Royal Malaysia Police

The Royal Malaysia Police (RMP) has wide power under the Criminal Procedure Code and the Police Act 1967 to carry out its duties for the maintenance of law and order, the preservation of the peace and security of Malaysia, the prevention and detection of crime, the apprehension and prosecution of offenders, and the collection of security intelligence.

The RMP will usually commence an investigation upon receiving a first information report, commonly known as a police report, in relation to the commission of an offence. In this regard, the RMP may proceed to the location for investigation and may record a statement from any person acquainted with the facts and circumstances of the case, including the accused. Such investigation is required to be completed without unnecessary delay. Subsequently, a report of the investigation will be submitted to the public prosecutor unless otherwise directed.

The public prosecutor will decide whether to institute prosecution against the accused. Notably, the Computer Crimes Act 1997 provides that no prosecution shall be instituted without the written consent of the public prosecutor. If the public prosecutor so decides, the accused will be charged with the relevant offence(s) and the appropriate court will determine whether the accused is guilty. A party not satisfied with the decision of the court may appeal to a higher court, whether against the acquittal, the conviction or the sentence.

Malaysian Communications and Multimedia Commission

Pursuant to the Communications and Multimedia Act 1998 (CMA), the Malaysian Communications and Multimedia Commission (MCMC) may conduct an investigation on a direction from the Communications and Multimedia Minister, on a written complaint by a person, or where it believes that an offence was, is or will be committed. The MCMC will consider the submissions made by the complainant and/or the respondent before making its decision. However, the MCMC is not obliged to give the complainant or the respondent an opportunity to appear before it in relation to the investigation.

At the conclusion of an investigation, the MCMC may prepare an investigation report and such report shall cover the conduct of the investigation concerned, any findings that the MCMC has made as a result of the investigation, the evidential materials on which those findings were based, and such other matters relating to, or arising out of, the investigation as the MCMC thinks fit or as the Communications and Multimedia Minister directs.

Any person who is aggrieved or whose interest is adversely affected by a decision or direction of the MCMC may appeal to the Appeal Tribunal for a review. The relevant procedure is set out in the Communications and Multimedia (Appeal Tribunal) (Appeal Procedure) Regulations 2009. Such a person may also apply to the court for judicial review of the decision or direction of the MCMC, provided that all other remedies under the CMA have been exhausted.

Personal Data Protection Commissioner

If the Personal Data Protection Commissioner (Commissioner) receives a complaint under Section 104 of the Personal Data Protection Act (PDPA), the Commissioner will carry out an investigation in relation to the relevant data user to determine whether the act specified in the complaint contravenes the PDPA, unless the complaint is trivial, frivolous, vexatious or not made in good faith. Such investigation will also be carried out if the Commissioner has reasonable grounds to believe that an act, practice or request infringing the PDPA has been or is being undertaken or engaged in.

An Appeal Tribunal has been established under the PDPA to provide an avenue for any aggrieved person to appeal against the decisions of the Commissioner. The procedures for an appeal are set out in the PDPA. It is worth noting that the decision of the Appeal Tribunal is final and binding on the parties to an appeal and may, with leave of the Sessions Court, be enforced in the same manner as a judgment. Where leave is given, the judgment may be entered in the terms of the decision.

While Malaysia is not a signatory to the Budapest Convention on Cybercrime, Malaysia has engaged in various multilateral co-operation initiatives on cybersecurity, such as membership of the Cybersecurity Alliance for Mutual Progress (CAMP) through CyberSecurity Malaysia and the Malaysian Communications and Multimedia Commission.

At the subnational level, the Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 impose an obligation on any person operating a cyber cafe or cyber centre to maintain a customer entry record and a record of computer usage for each computer. More recently, the Sarawak Multimedia Authority Ordinance 2017 established the Sarawak Multimedia Authority to, among others, advise the Government of the State of Sarawak on cybersecurity for developing the digital economy in Sarawak.

CyberSecurity Malaysia, the national cybersecurity specialist agency, promotes the National Cyber Security Policy (NCSP) and plays an important role in information sharing for cybersecurity via the following:

  • Cyber Security Professional Development (CyberGURU) provides training services on information security, promotes knowledge sharing with leading industry experts and academics, and fosters local and international collaborations on cybersecurity; 
  • Cyber Security Malaysia – Awards, Conference & Exhibition (CSM-ACE) contributes to knowledge sharing via its public-private partnership-driven event that gathers industry experts and community to discuss the latest cybersecurity trends;
  • Cyber Safety Awareness for Everyone (CyberSAFE) educates and promotes cybersecurity awareness among the general public of the technological and social issues plaguing internet users – it provides updates on the safe usage of the internet for children, parents, organisations and the community;
  • the Critical National Information Infrastructure (CNII) Portal enables members of critical infrastructure to exchange knowledge and share information on security issues that affect critical infrastructure.

CNII is defined as those assets, systems and functions that are vital to the nation, such that their incapacity or destruction would have a devastating impact. The CNII sectors are national defence and security, banking and finance, information and communications, energy, transportation, water, health services, government, emergency services, and food and agriculture.

Similar to several other countries, Malaysia does not have a single overarching piece of legislation governing the area of cybersecurity. Instead, the regulation of cybersecurity is scattered across various laws in Malaysia.

The concepts and principles set out in the Personal Data Protection Act 2010 (PDPA) closely resemble the principles in the EU 1995 Data Protection Directive, with some variations to mirror parts of the APEC Privacy Framework. Therefore, the PDPA is often described as a European-style privacy law.

In April 2019, the Deputy Prime Minister indicated that the government was studying the possibility of introducing an Act on cybersecurity. In fact, this is not the first time such an idea has been mooted. Back in June 2017, the Deputy Prime Minister at that time also announced that the government would introduce new legislation – to be known as the Cybersecurity Act 2017 – in order to solve the issue of a lack of comprehensive cybersecurity-specific legislation in Malaysia. However, significant development on an overarching cybersecurity legislation in Malaysia remains to be observed.

CyberSecurity Malaysia, the national cybersecurity specialist agency, introduced several draft guidelines in November and December 2019 for public comments. While these guidelines have no force of law, they provide useful guidance to Malaysian organisations on the implementation of appropriate security controls. These guidelines are:

  • Cyber Security Guideline for Industrial Control System;
  • Cyber Security Guideline for Secure Software Development Life Cycle;
  • Cyber Security Guideline for Internet of Things;
  • Cyber Security Guideline for Industry 4.0;
  • Cloud Security Implementation for Cloud Service Subscriber Guideline;
  • Guideline for Securing MyKAD EBA Ecosystem; and
  • Guideline on the Usage of Recommended AKSA MySEAL Cryptographic Algorithms.

In February 2020, the Personal Data Protection Commissioner (Commissioner) published the Public Consultation Paper No 1/2020 on the review of the Personal Data Protection Act 2010 for public comment. Among others, the paper indicates that the Commissioner is considering:

  • regulating data processors directly, to reduce the risk of data breach incidents at data processors;
  • obligating data users to appoint a data protection officer;
  • obligating data users to report data breach incidents;
  • issuing a clear policy on endpoint security to reduce the risk of data breach incidents; and
  • issuing a guideline on the use of cloud computing by data users.

The regulation of cybersecurity is scattered across various laws in Malaysia, including those listed below.

Computer Crimes Act 1997

The Computer Crimes Act 1997 (CCA) created several offences relating to the misuse of computers: unauthorised access to programs or data stored in any computer, unauthorised access with intent to commit or facilitate the commission of a further offence, unauthorised modification of the contents of any computer, and wrongful communication of any means of access to a computer to an unauthorised person. The maximum fines under the CCA range from MYR25,000 to MYR150,000, and an individual may face imprisonment of up to ten years for offences committed under the CCA.

Communications and Multimedia Act 1998

The Communications and Multimedia Act 1998 (CMA) provides a regulatory framework for the converging areas of communications and multimedia in Malaysia. In particular, it regulates the activities of licensees under the CMA, with the objectives of ensuring that information is secure, that networks are reliable and that services are affordable across Malaysia. The CMA includes provisions that bear on cybersecurity, such as the prohibition on unlawful interception of communications and the prohibition on creating a system designed to fraudulently use or obtain any network facilities, network service, applications service or content applications service.

Personal Data Protection Act 2010

The Personal Data Protection Act 2010 (PDPA) governs the processing of personal data in commercial transactions. Data users are generally required to adhere to the seven principles under the PDPA. The most relevant principle pertaining to cybersecurity is the security principle, where data users are required to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Further requirements and guidelines on the security principle are provided in the Personal Data Protection Regulations 2013 and the Personal Data Protection Standard 2015.

Digital Signature Act 1997

The Digital Signature Act 1997 (DSA) is an enabling law that promotes the development of e-commerce by securing electronic transactions using digital signatures. Put simply, a digital signature is an electronic signature used to verify the identity of the sender of a message and to ensure the integrity and validity of information in electronic transactions. The DSA gives legal recognition to digital signatures and provides for their verification through certificates issued by licensed certification authorities.

National Cyber Security Policy

Other than the legislation mentioned above, the National Cyber Security Policy (NCSP) is designed to address risks to the Critical National Information Infrastructure (CNII), namely the networked information systems of ten sectors: defence and security, transportation, banking and finance, health services, emergency services, energy, information and communications, government, food and agriculture, and water.

There are eight "policy thrusts" under the NCSP intended to ensure effective controls over vital assets. These policy thrusts are to be implemented by the relevant government agencies and ministries in order to ensure effective governance and a proper regulatory framework.

In Malaysia, the regulators involved in cybersecurity matters include those listed below.

Royal Malaysia Police

Pursuant to the Computer Crimes Act 1997, the Royal Malaysia Police generally enforces the offences of unauthorised access to programs or data stored in any computer, unauthorised access with intent to commit or facilitate the commission of a further offence, unauthorised modification of the contents of any computer, and wrongful communication of any means of access to a computer to an unauthorised person.

Malaysian Communications and Multimedia Commission

The Malaysian Communications and Multimedia Commission (MCMC) generally ensures that online information is secure, that networks are reliable and that services are affordable across Malaysia. The MCMC also deals with cybersecurity issues under the Communications and Multimedia Act 1998, such as the prohibition on unlawful interception of communications and the prohibition on creating a system designed to fraudulently use or obtain any network facilities, network service, applications service or content applications service.

Under the Digital Signature Act 1997, the MCMC also regulates the use of digital signatures, ie electronic signatures used to verify the identity of the sender of a message and to ensure the integrity and validity of information in electronic transactions.

For other regulators, see 2.3 Overarching Cybersecurity Agency, 2.4 Data Protection Authorities or Privacy Regulators, 2.5 Financial or Other Sectoral Regulators, and 2.6 Other Relevant Regulators and Agencies.

CyberSecurity Malaysia

CyberSecurity Malaysia (CSM), previously known as the National ICT Security and Emergency Response Centre, is the appointed national cybersecurity specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia. As a specialist agency, the CSM has the mission of leading the development of a safer and more resilient cyber-ecosystem to enhance national security, economic prosperity and social harmony. The following specialised cybersecurity services are provided by the CSM:

  • cybersecurity responsive services;
  • cybersecurity proactive services;
  • outreach and capacity building;
  • strategic study and engagement; and
  • industry and research development.

National Cyber Security Agency

The National Cyber Security Agency (NACSA) is a dedicated agency under the National Security Council (under the Prime Minister's Department) to co-ordinate and manage cybersecurity threats to all critical national information infrastructure. Its objectives include securing and strengthening Malaysia's resilience in facing the threats of cyber-attacks, by co-ordinating and consolidating the nation's best experts and resources in the field of cybersecurity. NACSA is also committed to the following:

  • developing and implementing national-level cybersecurity policies and strategies;
  • protecting critical national information infrastructures;
  • undertaking strategic measures in countering cyberthreats;
  • spearheading cybersecurity awareness, acculturation and capacity-building programmes;
  • formulating strategic approach towards combatting cybercrimes;
  • advising on organisational cyber-risk management;
  • developing and optimising shared resources among agencies; and
  • fostering constructive regional and global networks among entities with shared interests in cybersecurity.

The main regulator with oversight of data protection matters is the Personal Data Protection Commissioner (Commissioner), who is appointed by the Minister to exercise the functions and powers granted under the Personal Data Protection Act 2010 (PDPA), on such terms and conditions as the Minister considers appropriate. The Commissioner is advised by a Personal Data Protection Advisory Committee.

The Commissioner's functions include advising the Minister on national policy for the protection of personal data, implementing and enforcing the legal protection of personal data, undertaking research – or causing it to be carried out – into the processing of personal data, and monitoring developments in the area, as well as monitoring and supervising compliance with the PDPA and promoting awareness and dissemination of information to the public about the PDPA.

The PDPA confers powers to the Commissioner to do all things necessary pertaining to the performance of its functions under the PDPA, such as conducting inspections on data users' personal data systems, publishing reports that set out any recommendations arising from such inspections, serving enforcement notices on data users for a breach of any of the provisions of the PDPA, and directing data users to take specified steps to ensure that they comply with the PDPA.

The Commissioner's authorised public officers also have various enforcement powers under the PDPA, including: conducting investigations into any offence under the PDPA; conducting searches and seizures of data users' computerised data, documents, equipment, systems and property, with or without a warrant; requiring the production of computers, books, accounts, computerised data or other documents kept by data users; and arresting without warrant any person whom an authorised public officer reasonably believes has committed or is attempting to commit an offence under the PDPA.

Central Bank of Malaysia

The Central Bank of Malaysia or Bank Negara Malaysia (BNM) plays the role of promoting monetary stability and financial stability conducive to the sustainable growth of the Malaysian economy. In this regard, the BNM has issued various standards and guidelines, including the Policy Document on Risk Management in Technology (BNM Policy Document) that came into effect on 1 January 2020.

All licensed banks, licensed insurers, licensed takaful operators, prescribed development financial institutions, approved issuers of electronic money and operators of designated payment systems are legally required to comply with the BNM Policy Document, which among others requires them to:

  • establish a cyber-resilience framework, including a comprehensive cyber-incident response plan and comprehensive cybercrisis management policies and procedures;
  • establish clear responsibilities for cybersecurity operations;
  • ensure their technology systems and infrastructure are adequately protected;
  • establish a clear data loss prevention strategy and processes;
  • ensure their security operations centre has adequate capabilities for proactive monitoring of its technology security posture; and
  • notify the BNM of any cyber-incident affecting the institution immediately, and in any case within one working day of confirming the cyberthreat.

Securities Commission Malaysia

The Securities Commission Malaysia (SC) regulates the Malaysian capital market and is responsible, among others, for taking all reasonable measures to monitor, mitigate and manage systemic risks arising from the capital market. In October 2016, the SC issued the Guidelines on Management of Cyber Risk (SC Guidelines).

All capital market entities are legally required to comply with the SC Guidelines, which set out the following:

  • roles and responsibilities of the board of directors and management in the oversight and management of cyber-risk;
  • cyber-risk policies and procedures that should be developed and implemented by capital market entities;
  • requirements for managing cyber-risk; and
  • reporting requirements to the SC on the day of occurrence of the incident.

Within CyberSecurity Malaysia, there are further specialised units that are tasked with different roles and responsibilities, including those listed below.

MyCERT and Cyber999

The Malaysia Computer Emergency Response Team (MyCERT) is formed to address the computer security concerns of Malaysian internet users and aims to reduce the probability of cybersecurity attacks. MyCERT offers assistance to users who are affected by intrusion, identity theft, malware infection, cyber-harassment and other computer security-related incidents.

MyCERT operates Cyber999, which is a computer security incident handling and response help centre pertaining to the detection, interpretation and response to computer security incidents. It also alerts internet users in Malaysia whenever there is a widespread cybersecurity threat or malware outbreak.

MyVAC and MySEF

The Malaysia Vulnerability Assessment Centre (MyVAC) plays the role of strengthening the nation's defence against cybercrime and the exploitation of information systems. MyVAC provides assessment services covering areas such as vulnerability assessment and penetration testing, security posture assessment, industrial control systems, the secure software development life cycle, and the internet of things (IoT).

The Malaysian Security Evaluation Facility (MySEF) offers expertise in security evaluation of ICT products and systems. This includes Common Criteria Evaluation & Certification (MyCC), Technology Security Assurance (TSA), ICT Product Security Assessment (IPSA), and Cloud Security Audit Service (CSAS).

In Malaysia, ISO/IEC 27001 has been identified as the baseline and leading standard for information security. Organisations in the critical national information infrastructure sectors are encouraged to obtain ISO/IEC 27001 Information Security Management System (ISMS) certification. ISO/IEC 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS, including the assessment and treatment of information security risks.

See 3.1 De Jure or De Facto Standards.

Written Information Security Plan

There is currently no express legal requirement for the establishment of a written information security plan, although the Personal Data Protection Regulations 2013 require data users to develop and implement a security policy governing the personal data they process.

Under the Policy Document on Risk Management in Technology issued by the Central Bank of Malaysia (BNM Policy Document), financial institutions are also required to establish a technology risk management framework to safeguard their information infrastructure, systems and data. Further, the Guidelines on Management of Cyber Risk issued by the Securities Commission Malaysia (SC Guidelines) require capital market entities to put in place clear and comprehensive cyber-risk policies and procedures.

Incident Response Plan

While there is currently no general legal requirement to have an incident response plan, certain sectoral regulators have imposed such a requirement on the organisations they regulate.

Pursuant to the Personal Data Protection Code of Practice for the Malaysia Aviation Sector, licensees and permit holders under the Malaysian Aviation Commission Act 2015 are required to implement security measures including an incident response plan. In this regard, the licensees and permit holders should anticipate what to do in the event of a data breach and be ready to respond.

The BNM Policy Document requires financial institutions to establish and implement a comprehensive Cyber Incident Response Plan (CIRP). Members of the cyber-emergency response team must be conversant with the CIRP and remain contactable at all times. An annual cyber drill exercise shall also be conducted to examine the effectiveness of the CIRP. At a minimum, the CIRP must cover the following:

  • establish a cyber-emergency response team with a clear governance process, reporting structure, and roles and responsibilities as well as the invocation and escalation procedures in the event of an incident;
  • ensure effective and expedient processes for identifying points of compromise, assessing the extent of damage and preserving sufficient evidence for forensics purposes;
  • identify and implement remedial actions to prevent or minimise damage to the financial institution, remove the known threats and resume business activities; and
  • conduct post-incident review incorporating lessons learned and develop long-term risk mitigations.

The SC Guidelines also require the cyber-risk policies and procedures of capital market entities to address, among others, the following:

  • prevention, detection and recovery from a cyber breach;
  • identification, detection, assessment, prioritisation, containment, response to, and escalation of cyber breaches for decision-making; and
  • communications procedures that will be activated by the entity in the event of a cyber breach, which include reporting procedures, information to be reported, communications channels, list of internal and external stakeholders and communication timeline.

Appointment of Chief Information Security Officer

There is currently no general legal requirement for the appointment of a chief information security officer. Nonetheless, financial institutions are required by the BNM Policy Document to designate a Chief Information Security Officer, by whatever name called, to be responsible for the technology risk management function of the financial institution, and who shall:

  • have sufficient authority, independence and resources;
  • be independent from day-to-day technology operations;
  • be aware of current and emerging technology risks that could potentially affect the financial institution's risk profile;
  • be appropriately certified; and
  • be responsible for ensuring the financial institution's information assets and technologies are adequately protected.

Involvement of Board of Directors

There is currently no general legal requirement for the involvement of the board of directors in cybersecurity matters. However, there are certain sectoral requirements in this regard.

Under the BNM Policy Document, the board of a financial institution must:

  • establish and approve the technology risk appetite that is aligned with the financial institution's risk appetite statement;
  • ensure and oversee the adequacy of the financial institution's IT and cybersecurity strategic plans covering a period of a minimum of three years;
  • be responsible to oversee the effective implementation of a sound and robust technology risk management framework and cyber-resilience framework;
  • designate a board-level committee which shall be responsible for supporting the board in providing oversight over technology-related matters; and
  • allocate sufficient time to discuss cyber-risks and related issues, including the strategic and reputational risks associated with a cyber-incident.

For capital market entities, the board is required by the SC Guidelines to provide oversight and accord sufficient priority to the management of cyber-risk as part of the entity's overall risk management framework. In this regard, the board must:

  • ensure that the entity's policies and procedures relating to cyber-risk are presented for the board's deliberation and approval;
  • ensure that the approved cyber-risk policies and procedures are implemented by the management;
  • monitor the effectiveness of the implementation of the entity's cyber-risk policies and ensure that such policies and procedures are periodically reviewed and improved where required;
  • ensure that adequate resources are allocated to manage cyber-risk, including identifying a responsible person who is accountable for the effective management of cyber-risk;
  • ensure that the management continues to promote the awareness on cyber-resilience at all levels within the entity;
  • ensure that the impact of cyber-risk is adequately assessed when undertaking new activities such as investment decisions, mergers and acquisitions, adoption of new technology and outsourcing arrangements; and
  • ensure that the board keeps itself apprised of new or emerging trends of cyberthreats and understands the potential impact of such threats to the entity.

Internal Risk Assessments, Vulnerability Scanning, Penetration Tests

There is currently no general legal requirement to conduct internal risk assessments, vulnerability scanning and penetration tests, although this is a recommended practice.

In any event, the BNM Policy Document requires a financial institution to conduct risk assessments on, among others, technology projects, cloud services (prior to adoption), technology assets in relation to end-of-life technology systems, advanced technologies and algorithms deployed in its digital services, and potential cyber-attacks. A financial institution is also required to appoint a technically competent external service provider to carry out regular network resilience and risk assessments at least once every three years to consider all major risks and to determine the current level of resilience.

Further, a financial institution shall establish standard operating procedures for vulnerability assessment and penetration testing activities. In fact, a financial institution must conduct intelligence-led penetration tests on its internal and external network infrastructure. Such penetration testing shall reflect extreme but plausible cyber-attack scenarios based on emerging and evolving threat scenarios. Suitably accredited penetration testers and service providers shall be engaged to perform this function.

Under the SC Guidelines, capital market entities must ensure that there is an adequate assessment of the impact of cyber-risk when undertaking new activities such as investment decisions, mergers and acquisitions, adoption of new technology and outsourcing arrangements. Comprehensive assessments shall also be conducted on a regular basis to identify potential vulnerabilities and cyberthreats relating to the personnel, parties with whom the entity deals, systems and technologies adopted, business processes and outsourcing arrangements. This may include penetration testing of existing systems and networks.

Multi-Factor Authentication, Anti-Phishing Measures, Ransomware, Threat Intelligence

There is currently no general legal requirement for organisations to take positive steps with regard to multi-factor authentication, anti-phishing measures, ransomware, and threat intelligence.

While it is merely a recommendation for financial institutions to design and implement multi-factor authentication, the BNM Policy Document still requires the implementation of controls to authenticate financial transactions that are effective in mitigating phishing. Further, a financial institution must subscribe to reputable threat intelligence services to identify emerging cyberthreats, uncover new cyber-attack techniques and support the implementation of countermeasures.

Insider Threat Programme

The law currently does not require organisations to implement an insider threat programme.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

Although there is currently no express legal requirement for these in the context of cybersecurity, the Personal Data Protection Act 2010 and the Personal Data Protection Standards 2015 impose obligations on data users to obtain the appropriate security warranties from vendors and service providers, and to bind third parties contractually to protect personal data from misuse, unauthorised access, loss, modification and disclosure.

For financial institutions, the BNM Policy Document requires the board and senior management to exercise effective oversight and address associated risks when engaging a vendor or service provider that provides technology-related functions involving confidential information. A financial institution must conduct proper due diligence on competency, system infrastructure and financial viability of such vendors and service providers before engaging them.

According to the SC Guidelines, the cyber-risk policies and procedures of capital market entities shall address the management of outsourcing, system development and maintenance arrangements with a third-party vendor or service provider. Capital market entities remain responsible for ensuring compliance with the requirements on prevention, detection and recovery in relation to cyber breaches and incidents under the SC Guidelines, regardless of such outsourcing.

Use of Cloud, Outsourcing, Offshoring

Pursuant to the Personal Data Protection Standard 2015, any transfer of personal data through a cloud computing service requires written consent from an officer authorised by the top management of the data user. Further, any such transfer must also be duly recorded. These requirements are stipulated in relation to the security principle to prevent any unauthorised or accidental disclosure, alteration and destruction of personal data.

The BNM Policy Document also requires financial institutions to conduct a comprehensive risk assessment and separately identify critical and non-critical systems prior to cloud adoption. In particular, a financial institution is required to consult the BNM prior to the use of public cloud for critical systems. Appropriate safeguards on customer and proprietary data when using cloud services must be implemented in order to protect against unauthorised disclosure and access. This includes retaining management of the relevant cryptographic keys.

Training

There is currently no general legal requirement to provide training on cybersecurity, although this is encouraged by CyberSecurity Malaysia to generate a well-founded risk management and security-focused culture.

Under the BNM Policy Document, financial institutions are required to provide all staff with adequate and annual education on technology and cybersecurity awareness. In particular, staff involved in technology operations, cybersecurity and risk management must be provided with adequate and continuous training in order to ensure their competency in performing their roles and responsibilities. Board members shall also be provided with regular training and information on technology developments to enable the board to effectively discharge its oversight role.

Capital market entities are also required by the SC Guidelines to ensure their board, management, employees and agents undergo appropriate training on a regular basis to enhance their awareness and preparedness to deal with a wide range of cyber-risks, incidents and scenarios.

There are also collaborations between CyberSecurity Malaysia and international certification bodies to conduct information security courses and provide certification to information security professionals in Malaysia, such as the International Information Systems Security Certification Consortium (ISC), DRI International and DRI Malaysia, the International Council of Electronic Commerce Consultants (EC-Council), and others. These certification bodies promote a culture of cybersecurity among those involved in the relevant processes.

In addition, CyberSecurity Malaysia is the co-founder of the Organisation of Islamic Cooperation – Computer Emergency Response Team (OIC-CERT), and is also actively involved in the Asia Pacific Computer Emergency Response Team (APCERT). Malaysia also regularly participates in information security events conducted by international organisations such as the International Telecommunication Union (ITU), the APEC Telecommunications and Information Working Group (APEC TEL), the Meridian Conference, the Forum of Incident Response and Security Team (FIRST) and the Anti-Phishing Working Group (APWG).

Under the security principle of the Personal Data Protection Act 2010, data users have an obligation to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. In this regard, data users are legally required to develop and implement a security policy.

Further requirements on the security principle are provided in the Personal Data Protection Standard 2015. These are the minimum requirements set by the Personal Data Protection Commissioner (Commissioner) in respect of personal data processed electronically and non-electronically. Data users must abide by these minimum security standards – and, in fact, are also required to ensure their respective data processors also abide by these same standards.

There is currently no general requirement on reporting breaches to the authorities or to customers. However, this position may change in light of the recent Public Consultation Paper No 1/2020, which suggests the imposition of a mandatory requirement for data users to report data breach incidents to the Commissioner.

Malaysia is a member of the Common Criteria Recognition Arrangement (CCRA) through CyberSecurity Malaysia. The CCRA is an international arrangement under which Malaysia has undertaken to ensure that information technology products can be evaluated by competent and independent licensed laboratories in order to determine the fulfilment of particular security properties, to a certain level of assurance. The Malaysia Common Criteria Evaluation and Certification Scheme (MyCC) was established to evaluate and certify the security functionality of information technology products against the Common Criteria, ISO/IEC 15408.

The National Cyber Security Policy (NCSP) is designed to address risks to the Critical National Information Infrastructure (CNII) concerning the networked information systems of ten sectors – ie, defence and security, transportation, banking and finance, health services, emergency services, energy, information and communications, government, food and agriculture, and water.

There are eight "policy thrusts" under the NCSP to ensure effective controls over vital assets. These policy thrusts are to be implemented by the relevant government agencies and ministries in order to ensure effective governance and a proper regulatory framework.

Pursuant to the National Security Council's Directive No 24, all CNII agencies have the roles and responsibilities to:

  • implement ISO/IEC 27001: 2013 Information Security Management System (ISMS) certification or equivalent to reduce the risk of cybersecurity incidents and to maintain the confidentiality, integrity and availability of the information infrastructure; and
  • establish cyber-incident response procedures and business continuity management procedures.

The CyberSecurity Malaysia Information Security Management System Audit and Certification (CSM 27001) Scheme was established in conjunction with the National Cyber Security Policy to reduce the likelihood of service attacks.

Under the Policy Document on Risk Management in Technology issued by the Central Bank of Malaysia, a financial institution must ensure that its technology systems and infrastructure, including critical systems outsourced to or hosted by third-party service providers, are adequately protected against all types of distributed denial of service (DDoS) attacks. In this regard, the following measures shall be taken by a financial institution:

  • subscribe to DDoS mitigation services that include automatic "clean pipe" services to filter and divert any potential malicious traffic away from the network bandwidth;
  • assess the capability of the provider to expand network bandwidth on-demand, adequacy of the provider's incident response plan and its responsiveness to an attack; and
  • implement mechanisms to mitigate against domain name server (DNS)-based layer attacks.

Financial Institutions

According to the Policy Document on Risk Management in Technology issued by the Central Bank of Malaysia (BNM), all financial institutions are legally required to:

  • establish a cyber-resilience framework that clearly articulates the institution's governance for managing cyber-risks, its cyber-resilience objectives and its risk tolerance, with due regard to the evolving cyberthreat environment;
  • establish clear responsibilities for cybersecurity operations that shall include implementing appropriate mitigating measures in the financial institution's conduct of business corresponding to the different phases of the cyber-attack life-cycle;
  • ensure their technology systems and infrastructure are adequately protected against all types of distributed denial of service attacks through the specified measures;
  • establish a clear data loss prevention strategy and processes to ensure that proprietary information is identified, classified and secured;
  • ensure their security operations centre, whether managed in-house or by third-party service providers, has adequate capabilities for proactive monitoring of its technology security policy;
  • establish comprehensive cybercrisis management policies and procedures that incorporate cyber-attack scenarios and responses in the organisation's overall crisis management plan, escalation processes, business continuity and disaster recovery planning;
  • establish and implement a comprehensive cyber-incident response plan; and
  • immediately notify the BNM of any cyber-incidents affecting the institution.

Capital Market Entities

Pursuant to the Guidelines on Management of Cyber Risk issued by the Securities Commission Malaysia (SC), all capital market entities are, among others, legally required to:

  • have in place clear and comprehensive cyber policies and procedures commensurate with their risk profile;
  • ensure that comprehensive strategies and measures are in place to manage cyber-risk including prevention, detection and recovery measures;
  • conduct regular and comprehensive assessments as part of the entities' compliance programme to identify potential vulnerabilities and cyberthreats in their operating environment;
  • develop and implement preventive measures to minimise the entities' exposure to cyber-risk;
  • ensure that the board, management, employees and agents undergo appropriate and regular training to enhance their awareness and preparedness to deal with a wide range of cyber-risks, incidents and scenarios;
  • continuously monitor for any cyber-incidents and breaches within the entities' systems and network;
  • ensure timely detection of and response to cyber breaches within clearly defined escalation and decision-making processes;
  • report to the SC on any detection of a cyber-incident on the day of its occurrence; and
  • ensure that all critical systems are able to recover from a cyber breach within the entities' defined recovery time objective.

Other than the sectoral obligations on financial institutions and capital market entities, there is currently no general legal requirement to report or notify data breaches in Malaysia. While the Personal Data Protection Commissioner has issued two public consultation papers on the proposed implementation of data breach notification, in 2018 and 2020, there is no indication as to how a data security incident or breach is to be defined.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

There are currently no specific security requirements that apply to medical devices.

There are currently no specific security requirements that apply to industrial control systems (ICS), including supervisory control and data acquisition (SCADA). Nonetheless, it may be useful to refer to the Cyber Security Guideline for Industrial Control System, a draft version published by CyberSecurity Malaysia in November 2019, which provides a high-level reference on security controls that need to be implemented to secure an ICS facility.

There are currently no specific security requirements that apply to the internet of things (IoT). Notwithstanding, CyberSecurity Malaysia has published a draft version of the Cyber Security Guideline for Internet of Things in December 2019, which may serve as a helpful guidance to implement security controls in order to achieve a secure IoT ecosystem.

While there is yet to be a general obligation to report data security incident or breach, there are sectoral requirements that obligate certain organisations to report to the relevant regulators.

Pursuant to the Policy Document on Operational Risk Integrated Online Network (ORION) issued by the Central Bank of Malaysia (BNM), the reporting obligation of a financial institution is triggered when a cyberthreat has successfully compromised or could potentially compromise the IT equipment, systems, operations, data, services or users of the financial institution. A cyberthreat is defined as a cyber-related vulnerability that could, if exploited, jeopardise operations dependent on the use of the computer or network. The types of cyberthreat include malicious software, viruses, ransomware, distributed denial of service, hacking and web defacement. A financial institution is required to report to the BNM within one working day of confirming the cyberthreat.

Under the Guidelines on Management of Cyber Risk issued by the Securities Commission Malaysia (SC), the reporting requirement of a capital market entity will be triggered upon the detection of a cyber-incident that may have or has had an impact on the information assets or systems of the entity. A capital market entity is required to report to the SC on the day of the occurrence of the incident.

There is no applicable information in this jurisdiction.

In general, no specific practices or tools for network monitoring and other cybersecurity defensive measures are permitted or restricted. However, certain laws may prohibit the unlawful interception of communications and/or require monitoring to be conducted in compliance with certain parameters. For example, the Communications and Multimedia Act 1998 expressly prohibits the unauthorised interception and disclosure of communications.

While the Personal Data Protection Act 2010 (PDPA) imposes a number of requirements under the security principle, these obligations only extend to personal data and do not afford protection for other types of data. Save for certain sectoral requirements that provide a more comprehensive cybersecurity framework, there are gaps arising from the lack of an overarching cybersecurity legislation in Malaysia.

There is currently no express requirement to share cybersecurity information with the government. Moreover, there is currently no express legal provision with regard to authorised sharing of cybersecurity information. Nonetheless, the Personal Data Protection Act 2010 allows a data user to disclose the personal data of data subjects if such disclosure is necessary for the purpose of preventing or detecting crime or for the purpose of investigations. Such disclosure is also allowed if it is required or authorised by law or by the order of a court.

There are various voluntary information sharing opportunities in Malaysia. For instance, Cyber Security Malaysia – Awards, Conference & Exhibition (CSM-ACE) provides an opportunity for industry experts and community to share information on cybersecurity and to discuss the latest cybersecurity trends. Further, the Critical National Information Infrastructure (CNII) Portal also enables members of critical infrastructure to exchange knowledge and share information on security issues that affect them.

See also 1.5 Information Sharing Organisations.

As regulation is largely sectoral, the enforcement and investigation of cybersecurity or data breaches will fall within the purview of several different authorities, depending on the circumstances of the breach. For example, a cybersecurity breach at a financial institution may involve the Central Bank of Malaysia and the Malaysian Communications and Multimedia Commission.

With regard to the data breach involving 46.2 million mobile subscribers discovered in late 2017, it was reported in October 2019 that the police had completed the investigation papers on the data breach and had sent the papers to the Attorney General's Chambers for consideration. It was further noted in November 2019 that the Personal Data Protection Department had co-operated with CyberSecurity Malaysia to investigate, from a digital forensics perspective, whether the data leakage was due to sabotage by internal employees or to external factors.

More recently, an airline was charged in February 2020 under the Personal Data Protection Act 2010. This was in respect of a data breach exposing the personal details of its passengers as discovered in September 2019. The airline has pleaded not guilty and the development of the case remains to be observed.

For criminal offences, the prosecutor is required to prove that the accused has committed the offence on a standard beyond reasonable doubt. For civil proceedings, the plaintiff is required to prove the case against the defendant on a lesser standard (ie, balance of probabilities).

In February 2018, private litigation was instituted against the Malaysian Communications and Multimedia Commission (MCMC) and Nuemera Sdn Bhd. This was in respect of a massive data leak involving the personal data of 46.2 million Malaysians discovered in 2017. However, it was later reported that the case had been settled, although the terms of settlement have not been disclosed.

Notwithstanding, the Personal Data Protection Commissioner (Commissioner) recently acknowledged the lack of an express right for a data subject to take private litigation against a data user. In the Public Consultation Paper No 1/2020, the Commissioner indicated his willingness to consider proposing a specific provision to provide such right in the Personal Data Protection Act 2010.

While there is no express provision on class actions, it is permitted to bring a representative proceeding in Malaysia. There are three key requirements in respect of bringing a representative proceeding:

  • the plaintiff and those represented by it are members of a class and that these members have a common interest;
  • the plaintiff and those it represents have a common grievance; and
  • the relief sought is in its nature beneficial to them all.

In Malaysia, there have been no class actions, collective redress or representative proceedings brought in the area of cybersecurity to date.

As there is currently no overarching cybersecurity legislation in Malaysia, there are few corporate transactions focusing on cybersecurity compliance in their due diligence.

There is currently no express legal requirement for an organisation to disclose its cybersecurity risk profile or experience.

All significant issues have already been addressed.

Wong & Partners, member firm of Baker McKenzie International

Level 21, The Gardens South Tower
Mid Valley City
Lingkaran Syed Putra
Kuala Lumpur 59200
Malaysia

+ 603 2298 7888

+ 603 2282 2669

www.wongpartners.com