Malaysia’s Cyber Security Authorities: A Complete Guide (2024)
In the final quarter of 2022, Malaysia encountered an alarming average of 84 million cyber attacks daily.
Sounds frightening.
But why do your systems manage to stay secure?
It is thanks to the watchful guardians who tirelessly defend our nation against digital threats.
In Malaysia, there is currently no single regulatory authority dedicated to cyber security. Instead, cyber security is dealt with by various law enforcement agencies, regulators, government departments, and statutory bodies.
Join us as we explore the roles of these unsung heroes who safeguard the virtual borders of our country.
General Authorities
CyberSecurity Malaysia (CSM)
CyberSecurity Malaysia (CSM) operates as Malaysia’s dedicated agency for cyber security, falling under the jurisdiction of the Ministry of Communications and Digital (KKD).
CSM was initially established as NISER (National ICT Security and Emergency Response Centre) on January 24, 1998. It marked the first significant step in addressing national information security concerns.
Over time, as the government granted NISER additional responsibilities in implementing the National Cyber Security Policy (NCSP), it underwent a name change to CyberSecurity Malaysia to better signify its expanded roles.
With a primary objective of bolstering Malaysia’s self-reliance in cyberspace, CSM is committed to providing a diverse array of cyber security services and programmes, including:
- Cyber Security Responsive Services
- Cyber Security Proactive Services
- Industry and Research Development
- Outreach and Capacity Building
- Strategic Study and Engagement
Remark: For detailed information on these specialised initiatives and services of CSM, please visit its official website or refer to its corporate profile.
In the array of services offered, those falling under Cyber Security Responsive Services hold particular relevance in our daily lives, and the Malaysia Computer Emergency Response Team (MyCERT) is one of its integral components.
MyCERT operates the Cyber999 Help Centre which serves as a crucial platform for Malaysian internet users to report various computer security incidents. These incidents include cyber harassment, malware, intrusion, hack attempts, and other breaches in information security.
Malaysian internet users can lodge reports regarding cyber security incidents to Cyber999 through various platforms:
Platform | Details |
---|---|
Online Form | Click here |
Cyber999 Mobile App | Available on Google Play Store & Apple Store |
Email | cyber999@cybersecurity.my |
Phone Call | |
SMS | Content: CYBER999 REPORT Send to: 15888 |
Secure Messaging via Pretty Good Privacy (PGP) Encryption | Encryption of sensitive emails for secure communication with MyCERT staff |
Fax | Print and fax your complaint to Cyber999 at +603-8945 3442 |
Please refer to the website of Cyber999 for more information.
Notably, CSM and its subsidiaries do not operate as law enforcement agencies and lack the authority to impose penalties or fines on offenders. The primary responsibility for law enforcement lies with the police.
Nevertheless, CSM and its subsidiaries play an active role in preventive and restorative measures concerning cyber security. They collaborate with law enforcement agencies, leveraging CSM’s specialised expertise to fulfil their respective roles.
National Cyber Security Agency (NACSA)
The National Cyber Security Agency (NACSA) serves as Malaysia’s central hub for cyber security affairs under the National Security Council. Apart from its regulatory mandates, NACSA does not possess enforcement powers to penalise offenders.
Established in February 2017 to bolster our national cyber security ecosystem, NACSA coordinates top experts and resources in the field to execute the following job scopes:
- Develop and implement national cyber security policies
- Protect the networks, systems and data of the government and Critical National Information Infrastructures (CNII) agencies
- Spearhead cyber security awareness, acculturation and capacity-building programmes
- Foster constructive regional and global networks among entities with shared interests in cyber security
- Operate a cyber security incident reporting platform to receive complaints from individuals and organisations
One of the notable responsibilities among these job scopes is the protection of Critical National Information Infrastructures (CNII) agencies.
As evident from its name, the CNII agencies are the critical sectors in Malaysia. Specifically, it refers to the 10 sectors below:
Typically, malicious cyber activities target a nation’s vital pillars. Hence, CNII agencies will mostly be the prime targets for cyber threats in Malaysia.
As breaching these digital fortresses can profoundly impact our country’s operations, this is where NACSA steps in. NACSA implements proactive measures to safeguard CNII agencies’ networks, systems, and data whilst enhancing interagency coordination to combat cybercrimes.
However, given the critical and highly interdependent nature of CNII agencies, it’s actually crucial for these entities to take proactive steps in fortifying their systems beyond relying solely on NACSA and other relevant authorities.
At VeecoTech, we offer comprehensive cyber security assessments. While addressing vulnerabilities across various platforms, including web applications, mobile apps, systems, and networks, we also evaluate your business’s adherence to industry best practices and standards.
We know that the journey of combating cyber threats demands continuous effort. Hence, we provide thorough assessment reports upon completion of the assessments to empower you in strengthening your systems for the future.
Explore our Cyber Security Assessment Packages for extensive cyber security solutions!
Personal Data Protection Department (PDPD)
The Personal Data Protection Department (PDPD) was established under the purview of the Ministry of Communications and Multimedia (KKMM) on May 16, 2011.
This department plays a vital role in safeguarding individuals’ personal data, especially in commercial transactions, and in ensuring compliance with the stipulations of the Personal Data Protection Act 2010 (PDPA).
Key functions of the PDPD include:
- Overseeing matters related to consumer data registration and user forums to ensure their alignment with PDPA.
- Promoting programme policies and activities for a positive image of PDPD through strategic planning.
- Providing technical support and advisory assistance for ICT implementation to PDPD’s personal data protection personnel.
- Handling administrative and financial matters for PDPD.
In the enforcement of PDPA, this department is mandated to register all Data Users, and also to address and investigate complaints related to PDPA violations.
Additionally, the PDPD collaborates with the Attorney General’s Chambers of Malaysia (AGC) to prosecute data users who breach the PDPA.
Cyber Court
The establishment of the Special Cyber Court marks a crucial step in addressing the escalating threat of cybercrime in Malaysia.
Launched on September 1, 2016, at the Kuala Lumpur court complex, the cyber court aspires to equip the legal system with adequate resources to address various cybercrime offences, including:
Operating as an e-court, the Special Cyber Court is equipped with essential tools to manage evidence in cybercrime cases. It has specialised judges for cybercrime and computer-related civil matters, all undergoing mandatory training for essential IT knowledge and skills.
Given the prevalence of cybercrime in our country, the government plans to establish Special Cyber Courts in other states too. The project will commence in Selangor and Johor, with plans to extend the coverage to all remaining states in the coming years.
Malaysian Communications and Multimedia Commission (MCMC)
The Malaysian Communications and Multimedia Commission (MCMC) was founded on November 1, 1998, under the Communications and Multimedia Act (CMA).
Wielding a range of powers granted by the CMA, MCMC assumes a pivotal role in overseeing and enforcing regulations within the communications and multimedia industry.
Within the realm of cyber security, the most pertinent functions of MCMC include:
- Regulating and promoting the government’s national policy objectives for the communications and multimedia industry in Malaysia.
- Ensuring the integrity of all licensed entities within the industry.
- Providing advice to the Minister on matters related to national policy objectives specific to communications and multimedia activities.
- Regulating all communications and multimedia-related activities which are not explicitly covered by the communications and multimedia law.
Remark: You can check out other roles of MCMC on its official website.
In addition to its primary functions, MCMC also plays a crucial role in technical regulation. Under sections 96, 184, and 185 of the CMA, MCMC is entrusted with the development and enforcement of various voluntary technical codes.
These codes serve to standardise the technical aspects of the industry, whilst fostering collaboration among diverse communication and multimedia networks in the country.
One such framework mentioned in the Technical Code of Requirements for Information and Network Security is MS ISO/IEC 27001:2007. ISO 27001 stands as the leading international framework for information security. The advantages of adopting this framework include:
Moreover, the Malaysian government has initiated the adoption and certification of CNII agencies (the critical sectors in Malaysia), both in the public and private domains, to adhere to the ISO 27001 standard.
MCMC itself also holds the responsibility of ensuring proper enforcement and accurate reporting on the implementation of this standard. In the future, these initiatives will extend to non-CNII sectors.
Now, here we come to the exciting part – our Cyber Maturity Pre-Assessment features the ISO 27001 framework! This assessment will evaluate your organisation’s compliance with industry best practices and standards, with a specific focus on the ISO 27001 framework.
To further strengthen the digital defences of CNII and non-CNII sectors, we provide Vulnerability Assessment and Penetration Test as well.
Find out more about our Cyber Security Assessment Package here!
Sector-specific Authorities (Finance)
Next, we’ll delve into two authorities dedicated to addressing cyber security issues within the financial sector.
It’s important to highlight that failure to adhere to the guidelines issued by these authorities may subject an organisation to regulatory sanctions.
These may range from warnings, public or private reprimands, orders to rectify non-compliance, monetary penalties, to even imprisonment.
In instances of severe non-compliance, legal proceedings may be initiated by these authorities against the organisation.
Bank Negara Malaysia (BNM)
Bank Negara Malaysia (BNM) is the central bank of Malaysia. It is mandated to foster monetary and financial stability in Malaysia as per the Central Bank of Malaysia Act 2009.
The main responsibilities of Bank Negara Malaysia include:
- Issuing currency in Malaysia
- Regulating and supervising financial institutions under its jurisdiction
- Monitoring money and foreign exchange markets
- Promoting a resilient, advancing, and inclusive financial system
- Holding and managing Malaysia’s foreign reserves
- Promoting an exchange rate regime aligned with economic fundamentals
- Serving as the Government’s financial adviser, banker, and agent
In regard to cyber security risks, BNM acts as the regulatory authority that issues guidelines and regulatory standards to oversee financial services technology.
An example is the Guidelines on Data Management and Management Information System (MIS) Framework for Development Financial Institutions.
To ensure effective data and IT security measures for banks and financial institutions, this guideline mandates these financial entities to pursue MS ISO/IEC 27001 certification for critical systems like payment and settlement systems.
Moreover, BNM possesses the authority to enforce sanctions, encompassing criminal, civil, and administrative actions. These measures include:
- Issuing warning letters
- Conducting joint raids with other authorities
- Pursuing legal action in the courts
- Imposing financial penalties and imprisonment sentences
These enforcement powers are derived from various legislations, including but not limited to the Financial Services Act 2013 (FSA), the Islamic Financial Services Act 2013, and the Money Services Business Act 2011.
Securities Commission Malaysia (SC)
Securities Commission Malaysia (SC) is a self-funded statutory body that directly reports to the Minister of Finance. Established on 1 March 1993 under the Securities Commission Act 1993 (SCA), SC is tasked with regulating and developing the Malaysian capital market.
The main responsibilities of SC are shown below:
Aside from this, SC has also issued the Guidelines on Management of Cyber Risk. This guideline explicitly outlines the roles and responsibilities of the board of directors and management of capital market entities in governing cyber risk.
The guideline also encompasses the policies and procedures that should be implemented to address cyber risks, as well as measures for the prevention, detection, and recovery from a cyber breach.
While SC does not extensively regulate cyber security, this guideline may provide valuable insights into the ways to mitigate cyber risks for the relevant authorities.
Notably, SC is endowed with civil, criminal, and administrative enforcement powers under the Capital Markets and Services Act 2007 (CMSA), the Securities Commission Act 1993 (SCA), and the Securities Industry (Central Depositories) Act 1991.
Conclusion
While these authorities set the rules and regulations to establish a baseline for cyber security, cyber security assessments bring a proactive twist to securing our businesses online.
These assessments enable businesses to find out their specific vulnerabilities, risks, and how well they follow industry best practices.
After all, it’s a collaborative effort to create a safer digital space.
Ready to fortify your systems? VeecoTech is here for you, providing top-notch cyber security solutions. Reach out to us today!
FAQ
What distinguishes CyberSecurity Malaysia (CSM) from the National Cyber Security Agency (NACSA) in terms of their cyber security roles?
CSM and NACSA play distinct yet complementary roles.
CSM is primarily focused on providing proactive and reactive cyber security services and conducting research, aiming to actively safeguard the nation’s digital infrastructure.
In contrast, NACSA is a national-level agency with a strategic focus on formulating and coordinating policies and strategies to enhance Malaysia’s cyber security resilience.
What are the key responsibilities of the Personal Data Protection Department (PDPD) in Malaysia?
PDPD is tasked with protecting individuals’ personal data, especially in commercial transactions, and with ensuring compliance with the stipulations of the Personal Data Protection Act 2010 (PDPA).
How does the Cyber Court handle cyber-related legal matters in Malaysia?
The Cyber Court specialises in addressing legal issues related to cybercrimes, providing a dedicated platform for prosecuting and adjudicating cyber offences.
What role does the Malaysian Communications and Multimedia Commission (MCMC) play in cyber security?
MCMC oversees the communications and multimedia industry while ensuring its alignment with the national policy objectives.
It also develops and enforces voluntary codes related to technical regulation for enhanced cyber security in our country.
How do the functions of Bank Negara Malaysia (BNM) and Securities Commission Malaysia (SC) differ in dealing with cyber security issues?
BNM primarily regulates the financial sector, with a focus on banks. Its role in cyber security involves formulating policies and strategies to safeguard critical systems like payment and settlement systems.
SC, on the other hand, oversees the capital market, implementing measures to strengthen cyber security within this sector to ensure market integrity and protect investors.