Cyber Security Act 2024

(Malaysia)

Ensure compliance. Avoid penalties. Protect your digital infrastructure.

What Penang Businesses Need to Know About Malaysia's Cyber Security Act 2024

Introduction: The New Cybersecurity Mandate for Malaysian Businesses

In June 2024, Malaysia enacted the Cyber Security Act 2024 (Act 854) to strengthen the protection of National Critical Information Infrastructure (NCII). If your business operates in sectors like banking, logistics, ICT, healthcare, manufacturing, or government services - you may fall under its scope. Companies in Penang that handle sensitive systems or offer cybersecurity services are legally required to follow strict rules on risk assessment, incident reporting, and licensing.

Our team helps local organizations interpret and comply with this Act - so you can operate securely and legally.

Who Must Comply?

You're likely affected if you are:

  • A critical service provider in sectors such as energy, water, telecommunications, finance, transport, or healthcare

  • A third-party IT or cybersecurity vendor handling NCII systems

  • A company with cloud, data centers, or SOC infrastructure in Malaysia

Even overseas companies operating NCII systems located in Malaysia are subject to the Act.

Key Requirements Under the Cyber Security Act

Annual Risk Assessment

All NCII entities must perform and submit annual cybersecurity risk assessments to the National Cyber Security Agency (NACSA).

Cybersecurity Audit (Every 2 Years)

Organizations must undergo formal audits at least once every two years, or more frequently if ordered by the authorities.

Mandatory Incident Reporting

  • Initial notification to NACSA and sector lead: within 6 hours

  • Detailed report: within 14 days

    (Include scope, actors involved, severity, systems affected, response actions)

Use of Licensed Cyber Security Providers

You must only use NACSA-licensed Cyber Security Service Providers (CSSPs) for:

  • Security Operations Center (SOC) services

  • Penetration Testing

  • Digital forensics and similar services

Record-Keeping & Government Cooperation

All service providers must retain logs of services and clients for at least 6 years and cooperate with inspections or investigations.

Penalties for Non-Compliance

Offense | Description | Maximum Penalty
Subsection 20(6) | Non-compliance by an NCII entity with requests or requirements related to information disclosure, material changes, or reporting. | RM100,000 or 2 years or both
Subsection 20(7) | Non-compliance by an NCII sector lead with the requirement to notify the Chief Executive of NACSA about certain information. | RM100,000
Subsection 22(7) | Failure of an NCII entity to conduct or submit required cyber security risk assessments or audits. | RM200,000 or 3 years or both
Subsection 22(8) | Failure to comply with a direction from the Chief Executive regarding additional risk assessments or audits. | Fine up to RM100,000
Subsection 24(4) | Non-compliance with directions from the Chief Executive related to cyber security exercises. | Fine up to RM100,000
Subsection 32(3) | Failure by a licensee to maintain or provide records of cyber security services as required. | RM100,000 or 2 years or both
Subsection 21(5) | Failure to comply with or implement a code of practice. | Fine up to RM500,000 or max 10 years or both
Subsection 23(2) | Failure to report a cybersecurity incident to NACSA. | Fine up to RM500,000 or max 10 years or both

How We Help - Cybersecurity Compliance for Penang Businesses

Our Penang-based IT team provides end-to-end support to ensure your business complies with the Cyber Security Act 2024.

Our Services:

Cybersecurity Compliance Advisory

  • NCII readiness assessment

  • Gap analysis vs. NACSA standards

  • Incident response planning

Audit & Risk Services

  • Annual risk assessments

  • Biennial (every two years) audit support

  • Documentation & compliance reporting

Technical Cybersecurity Services

(via licensed CSSP partners)

  • Penetration testing

  • SOC monitoring

  • Threat detection and incident response

Training & Awareness

  • Internal staff training

  • SOP development for incident response

  • Phishing awareness campaigns

Next Steps

Is Your Business Ready?

Use our quick checklist:

  • Have you identified if you’re an NCII entity?

  • Are you prepared to report incidents in under 6 hours?

  • Have you conducted a formal risk assessment in the past 12 months?

  • Are your cybersecurity vendors NACSA-licensed?

If you answered "no" to any of the above - we can help.

Need a cybersecurity compliance check or audit-ready risk assessment?

Schedule a free 30-minute consultation today.

We support businesses across Northern Malaysia.

Need help with a tech issue or have questions about cybersecurity? Our expert team is always ready to assist you with practical solutions and friendly support.

Dedicated Phone Number

+604-619 2740

Mobile Phone Number

+6012-330 8765 (Mr Lim Boon Hung)

+6016-410 0209 (Mr Lim Boon Wee)

Lintang Mayang Pasir 3, Bandar Bayan Baru, 11950 Bayan Lepas, Pulau Pinang, Malaysia

Fatninjas Kaizen Sdn. Bhd.

Penthouse 1-21-01, Suntech @ Penang Cybercity (2324), Lintang Mayang Pasir 3, 11950 Bayan Baru, Penang, Malaysia.

© Fatninjas Kaizen Sdn. Bhd. (Registration No. 202401022851 / 1568700H). All Rights Reserved.

Fatninjas Kaizen Sdn. Bhd. is a duly authorized franchisee operating under the SRKK FATNINJAS brand. All rights and responsibilities associated with the franchise agreement are fully upheld in accordance with the terms set forth by SRKK FATNINJAS.