Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 31 December 2024

Yes.

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
  • other

  • Develop and implement a security policy, which shall comply with the security standard set out from time to time by the Commissioner.
  • Ensure that the data processor complies with the security standard.
Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 31 December 2024

Yes.

  • network information security requirements (broader than telecommunications)
  • financial services requirements
  • telecommunication requirements
  • providers of critical infrastructure
  • other

If yes, please provide brief details of the relevant law or regulation.

The CSA requires designated national critical information infrastructure (NCII) entities to, among others, implement the sector-specific code of practice (to be developed by the relevant NCII sector lead), to conduct cyber security risk assessments at least once a year on the NCII it owns or operates, and to conduct audits at least once every two years.

There are also other more sector-specific requirements:

  • The Guidelines on Technology Risk Management issued by the Securities Commission Malaysia require capital market entities to develop and implement a cyber security framework. The framework should include governance and adequate cyber security controls that align with their risk appetite and business profile. Additionally, specific requirements such as cyber security measures and monitoring, incident response and recovery, simulation exercise, etc., are also provided.
  • The Directive on the Participating Organisations' IT Security Standards issued by Bursa Malaysia requires companies that carry on the business of trading in securities on Bursa Malaysia's stock market to comply with the prescribed IT security standards, covering the governance of technology risks, operations security, network and communications security, and information security incident management, etc.
  • The Policy Document on Risk Management in Technology issued by the Central Bank of Malaysia as of 2023 requires selected financial institutions to ensure that there is an enterprise-wide focus on effective cyber risk management to reflect the collective responsibility of business and technology lines for managing cyber risks. Further specific requirements such as cyber resilience framework, cybersecurity operations, distributed denial of service, data loss prevention, cyber response and recovery, etc. are also provided.
  • The Guidelines on Information and Network Security for the Communications and Multimedia Industry issued by the Malaysian Communications and Multimedia Commission (MCMC) provide a best practice framework for network facilities providers, network services providers, applications service providers, and content applications service providers, which covers governance, cyber risk management, cyber resilient technology infrastructure, cybersecurity operations, incident response and recovery, etc. These are not mandatory at this time.

On a related note, the Communications and Multimedia (Amendment) Act 2024 was also passed by the Malaysian Parliament in December 2024 and is expected to become law in the near future. Among other things, it gives the MCMC the power to instruct any person to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any network security risk (i.e., any risk or threat that, if exploited or not mitigated, could pose a significant risk of damage or disruption to the operation of any network facilities, network service or applications service). Non-compliance with such an instruction can amount to an offense.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 31 December 2024

  • Data privacy
  • Securities or public company
  • network information security
  • financial services
  • telecommunications
  • critical infrastructure

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 31 December 2024

Yes.

Effective 1 June 2025, the PDPA will require a data user/controller to provide notifications on personal data breaches (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data).

Controllers/Owners have to notify:

Last review date: 31 December 2024

  • data protection authorities
  • ☒ affected individuals

Effective 1 June 2025, the PDPA will require a data user/controller to notify the:

  • Commissioner "as soon as practicable" if they have reason to believe that a personal data breach has occurred, and
  • affected data subjects "without unnecessary delay" if the personal data breach causes or is likely to cause significant harm to them.

The PDPD is proposing specific thresholds for the notification triggers, the manner and form of notifications, and the specific timeframe of notifications. The data breach notification regulations/guidelines (setting out guidance on personal data breach notifications) are expected to be released in early 2025 and will provide more guidance in this regard.

Processors/Agents have to notify:

Last updated: 31 December 2024

N/A

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 31 December 2024

Yes.

  • cybersecurity authorities
  • financial services requirements
  • telecommunication requirements
  • providers of critical infrastructure
  • other

The CSA requires a designated national critical information infrastructure (NCII) entity to make notifications to the:

  • NACSA Chief Executive, and
  • relevant NCII sector lead

if it knows that a cyber security incident (i.e., an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cyber security of that computer or computer system or another computer or computer system) has or might have occurred in respect of the NCII it owns or operates.

Entities operating under certain sectors may also be subject to data breach notification requirements (e.g., banks and insurers) to their respective sector-specific regulators.