Cybersecurity & Data Privacy Communications

How Malaysia is regulating the rise in cybersecurity threats

For many businesses around the globe, ‘a matter of when, not if’ is ringing ever truer when it comes to cybersecurity threats. From phishing attacks to ransomware attacks – and even Asia Pacific’s first high profile deepfake financial scam costing HKD 200 million – cybercrime is part and parcel of the digital landscape, seemingly inevitable, and inseparable from today’s digital era. 

There is no doubt that cybercrime is increasing, and this unsavoury trend is having a tangible financial impact on organizations globally, costing a total of USD8 trillion in 2023, equivalent to the third largest GDP in the world behind only the US and China. By 2027, that number is expected to triple to around USD24 trillion according to projections by the FBI and IMF.

Cybercrimes have become a ‘daily nuisance’ for businesses and individuals 

In Malaysia, the situation has only gotten bleaker.

Recent reports show that the Southeast Asian nation was the world’s eighth most breached country in Q3 alone, with nearly half a million leaked accounts from data breaches – a 144% increase from the number leaked in Q2. Moreover, businesses across Malaysia faced 74,000 attacks per day in 2023 alone, amounting to 26.85 million for the year.

For ordinary Malaysians – 76% of whom have faced some form of online or phone scam in their lives – such attacks, high profile or not, have proven to become a ‘daily nuisance’ of sorts. It certainly has not helped that many businesses are currently not mandated by law to communicate data breaches to consumers, which has eroded public trust in existing cybersecurity infrastructure.

Malaysia’s approach

As businesses continue to struggle with cybercrime, the government has followed through on its promise to table the Cyber Security Bill this year – having passed it in late March through the Lower House of Parliament. Prime Minister Anwar Ibrahim has touted the bill as the way forward to strengthen the country’s cybersecurity capabilities. Current provisions aim to strengthen the National Cyber Security Agency and create the National Cyber Security Committee, which will oversee breach notifications for government and private organizations deemed a National Critical Information Infrastructure (NCII), which range from public utility companies to financial institutions. 

Organizations operating in the city-state are legally obliged to notify the Personal Data Protection Commission no later than 3 days from the moment a breach occurs – and to communicate it to affected individuals if it is deemed to cause “significant harm”.

As with matters of enforcement, the success of implementing the Cyber Security Bill – once it’s enacted into law – will heavily depend on the government’s clear communication of standards to NCII organizations. In turn, the latter will have to streamline disclosure mechanisms internally, and relay relevant processes to employees who are involved in the process to avoid confusion and miscommunication.

At the time of writing, Malaysia’s Cyber Security Bill has not specified time-based parameters for organizations to report to the National Cyber Security Committee in the event of a cyber incident. Creating a mechanism that encourages urgency in reporting will help strengthen businesses’ cybersecurity capabilities to protect their reputation and increase consumer trust, which can be achieved through a tailored cybersecurity communications plan.

Additionally, compelling organizations to carry out risk assessments on their cybersecurity capabilities would be a win-win for creating a more secure business environment and enhancing data privacy and protection efforts. The Malaysian government can look to the European Union’s landmark Cyber Resilience Act, which is expected to take effect in late 2025. 

While regulatory frameworks need to be combined with the right technology to address cyber threats, enacting the appropriate laws that prepare organizations for the inevitable serves as a robust starting point in creating a more prosperous and secure business landscape. 

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
