ESSENTIAL INSIGHTS FOR CYBER SECURITY SERVICE PROVIDERS: A GUIDE TO LICENSING REQUIREMENTS AND PENALTY AVOIDANCE
Introduction
As cyber security threats continue to evolve, the need for well-regulated cyber security service providers becomes increasingly paramount.
To safeguard businesses and individuals, Malaysia has introduced licensing requirements under the Cyber Security Act 2024 and its subsidiary legislation (“CSA 2024”), to be administered by the National Cyber Security Agency (“NACSA“).
This article explores the key aspects of who needs a license, the scope of services regulated, and the compliance process. Whether you are a local or international cyber security service provider, this overview will help you navigate the licensing landscape in Malaysia.
Key Takeaways:
Any individual or entity (whether local or foreign) providing or advertising cyber security services in Malaysia to Malaysian-based companies must be licensed under CSA 2024. Operating without a valid licence can result in a fine of up to RM 500,000.00 and/or imprisonment of up to 10 years.
Provision of cyber security services under certain circumstances and/or conditions may be exempted from the licensing requirements.
Cyber security providers have until 31st December 2024 to obtain their licences, after which penalties may apply.
NACSA will publish a list of licensed cyber security service providers on its licensing portal after approvals are completed.
Licences cannot be transferred or assigned without approval from the Chief Executive of the NACSA. Violations can result in a fine up to RM 200,000.00 and/or imprisonment for up to 3 years.
Licensing Requirements
Any person (which includes individuals and bodies of persons, whether incorporated or unincorporated) who intends to (i) provide any cyber security service (as discussed under the next heading) or (ii) advertise or in any way hold himself out as a cyber security service provider, is required to obtain a cyber security service provider licence.
Definition of Cyber Security Services
“Cyber security services” is defined under CSA 2024 to include:
(a) Managed Security Operation Centre Monitoring Service – This service involves (i) monitoring the cyber security level of a computer or system by acquiring, identifying or scanning information to detect threats; or (ii) determining necessary measures for responding to and recovering from cyber security incidents and preventing future occurrences; and
(b) Penetration Testing Service – This service focuses on assessing and evaluating cyber security by (i) identifying vulnerabilities and demonstrating potential exploits; (ii) testing an organization’s ability to identify and respond to incidents through simulated penetration attempts; (iii) measuring vulnerabilities and recommending mitigation strategies to reduce risk; or (iv) utilizing social engineering techniques to assess organizational vulnerability to cyber threats.
A cyber security service provider can be licensed to provide both services through a single licence application, subject to the payment of the corresponding fees.
Extra-territorial application
It is pertinent to note that, unlike certain other legislation in Malaysia, CSA 2024 contains a specific provision for extra-territorial application. This means that any foreign person (which includes individuals and bodies of persons, whether incorporated or unincorporated) intending to carry out any of the cyber security services listed in (a) or (b) above in Malaysia will be required to obtain a licence under CSA 2024. Failure to do so would be deemed an offence punishable pursuant to CSA 2024 and other applicable Malaysian law.
Subcontractors and third party(ies)
Additionally, the NACSA has indicated that if the main contractor or main service provider under a contract relating to the provision of cyber security services in turn engages a subcontractor or third party(ies) to provide all or part of the cyber security services under that contract, such subcontractor or third party(ies) are required to be licensed pursuant to CSA 2024 as well.
Penalties
Provision of cyber security services without a valid licence is punishable with fines of up to five hundred thousand ringgit (RM 500,000.00) and/or imprisonment of up to ten (10) years.
Exemptions
Notwithstanding the foregoing, the following categories of persons are exempted from obtaining a licence for the provision of cyber security services:
(a) Related companies: Local and foreign persons providing cyber security services exclusively to their related companies, regardless of whether those companies are located within or outside of Malaysia, are exempted from the licensing requirements of CSA 2024. A related company means a subsidiary, a holding company, or a subsidiary of the same holding company.
(b) Computers/ Computer systems located outside Malaysia: Where a person provides cyber security services to computers or computer systems located outside of Malaysia, such person is exempted from the licensing requirements of CSA 2024.
(c) Provision of tools: The NACSA has implied that tools (including hardware and software) with cyber security functions are not subject to the licensing requirements of CSA 2024.
(d) Company employees: Employees providing services on behalf of their company are not required to obtain a licence under CSA 2024. However, NACSA has indicated that companies must still provide information relating to the qualifications or experience of (i) employees with supervisory responsibilities or (ii) the individual providing such cyber security services.
(e) Government Entity: Government entities are exempted from the licensing requirements of CSA 2024.
Licensing Grace Period
Licensing applications can be submitted from 1st October 2024 onwards.
Additionally, cyber security service providers are granted a grace period until 31st December 2024 to operate without a licence. After this grace period, beginning 1st January 2025, any non-compliance may result in convictions for contravening CSA 2024.
Verification of Licence Holders
The NACSA has indicated that a list of licensed cyber security service providers will be published on its licensing portal once the approval process has been completed.
Transfer and Assignment Restrictions
Licences cannot be transferred or assigned to any other person unless approval from the Chief Executive of the NACSA is obtained.
Contravention of the above is punishable with fines of up to two hundred thousand ringgit (RM 200,000.00) and/or imprisonment of up to three (3) years.
Conclusion
Navigating the licensing requirements for cyber security services in Malaysia presents both challenges and opportunities for local and international cyber security service providers. By understanding who needs a licence, the scope of regulated services, and the implications of non-compliance, cyber security service providers can strategically position themselves in a competitive market. Early compliance not only mitigates risk but also enhances trust and credibility with potential clients. Ultimately, a commitment to compliance will protect providers from legal repercussions while strengthening their reputation and operational capabilities in serving clients both locally and internationally.
If you have any questions or need further assistance with navigating these new laws and regulations regarding your cyber security service licensing, feel free to contact us.
Key Contacts
(1) YEOW JIE HAN (Partner)
Corporate Commercial, Intellectual Property & Technology
+6017 368 3975
(2) TEOH KAI LIN (Legal Associate)
Corporate Commercial, Intellectual Property & Technology
+6013 330 1063