The enforcement of the Cybersecurity Act 2024 in late August has changed the dynamics of the cybersecurity landscape, marking a significant turning point for organisations and cybersecurity professionals.
LGMS Bhd executive chairman Fong Choong Fook described it as a ‘tsunami’ that will fundamentally alter how organisations approach cybersecurity.
Fong, who was recognised by Cyber Security Malaysia as “Cybersecurity Professional of the Year 2022”, said the so-called Act 854 introduces stringent requirements that compel organisations to comprehensively re-assess their cybersecurity strategies.
The Act has far-reaching implications, including extending regulatory oversight to sectors previously unregulated in terms of cybersecurity.
One of the most notable changes is the inclusion of 11 sectors deemed part of the National Critical Information Infrastructure (CNII).
These sectors encompass banking and finance, agriculture and plantation, healthcare services, transportation, science and technology, information and communication, energy, water, government services, emergency services as well as defence and security.
Cybersecurity specialist
“The inclusion of sectors like agriculture and healthcare which were not previously governed by cybersecurity regulations reflects the growing importance of digital economies and the need for robust cybersecurity measures across all sectors,” opined Fong.
He added that digital transformation within these industries has made them susceptible to cyber threats, hence necessitating regulatory intervention.
Fong was speaking at the recent Artificial Intelligence and Data Centre industry event organised by VSTECS Bhd which was overwhelmingly attended by representatives of the tech industry. VSTECS is spearheaded by its CEO J.H. Soong.
LGMS, which is today one of the leading cybersecurity specialist groups in Malaysia and Southeast Asia, has encountered cases where hospitals suffered cyberattacks that encrypted patient data and rendered medical devices inoperable.
“Patient data is one of the most critical assets for hospitals,” observed Fong. “We’ve witnessed situations where medical devices displayed blue screens and couldn’t function because they’ve been encrypted.”
Previously, such incidents often went unreported due to the absence of a legal requirement to disclose cyber breaches.
However, the new Act mandates that organisations report cyberattacks within six hours of discovery, with a detailed report to be submitted within 14 days.
Failure to comply constitutes a punishable offence, which can potentially result in fines ranging from RM200,000 to RM500,000 and imprisonment of management personnel for up to five years.
Crime for not reporting cyber breaches
“This law is going to change everything,” envisages Fong. “Management teams need to be aware that failure to report cyber breaches is a crime. If they choose not to report, they could face significant fines or even jail time.”
The Act also grants government officers the authority to conduct investigations within organisations with or without a warrant. As obstruction is considered an offence, organisations need to establish proper standard operating procedures (SOPs) to ensure compliance and cooperation.
In addition to reporting requirements, the Cybersecurity Act 2024 also introduces four new regulations, namely:
- Cybersecurity Risk Assessment and Audit: Organisations must conduct annual cybersecurity risk assessments and a minimum of one audit every two years. The specifics of what constitutes a risk assessment or audit will be defined by sector-specific regulators.
- Incident Response Regulation: Organisations are required to develop formal incident response processes. This includes establishing SOPs for handling cyberattacks and training employees on their roles during such incidents.
- Compoundable Offences: The regulations detail offences such as failure to report incidents and obstruction of government officers, outlining the penalties associated with each.
- Licensing of Cybersecurity Service Providers: Service providers offering penetration testing or security operation centre services must obtain a licence from the National Cyber Security Agency (NACSA). The application process commenced on Oct 1.
Fong also spoke about the challenges many organisations face in enhancing their incident response capabilities.
“Many organisations focus heavily on prevention but fall short when it comes to responding to incidents,” he asserted. “Incident response is a field of expertise that requires more than just prevention measures; it requires a well-defined set of procedures and trained personnel.”
StarSentry is the solution
The audience also learnt about the StarSentry self-assessment tool designed to help organisations evaluate their compliance with the Act.
A breakthrough innovation developed by LGMS and spearheaded by its wholly-owned subsidiary Applied Security Intelligence Sdn Bhd (ASI), StarSentry enables companies to assess their current cybersecurity posture against the stringent requirements.
According to ASI’s CEO Yong Meng Hong, the tool, winner of Cybersecurity Product Innovation of the Year for two years running, guides users through a comprehensive questionnaire covering various aspects of cybersecurity such as risk management, incident response readiness and compliance protocols.
“By using StarSentry, organisations can identify gaps in their cybersecurity defences and receive tailored recommendations on areas needing improvement,” Yong pointed out.
“The assessment results provide actionable insights, helping businesses prioritise their cybersecurity initiatives to meet regulatory standards effectively.”
LGMS is partnering with VSTECS Astar Sdn Bhd as an official distributor for StarSentry. By leveraging VSTECS’s extensive network of 3,600 channel partners, the partnership aims to empower businesses, especially SMEs, to safeguard their digital assets effectively. – Oct 17, 2024