The regulatory environment in which Malaysian organizations operate has become much stricter. Thanks to the Cyber Security Act 2024 and increased regulation.
If you are in charge of IT security, this article is for you. These errors could jeopardize your company.
Treating compliance as a one-time project
Many companies view compliance as a temporary project that is a result of:
- An audit
- Certification project
- Regulator investigation.
When the policies are documented and the controls seem to be in effect, then the momentum ends.
The Malaysia Cyber Security Act 2024 has special stipulations for entities regarded as National Critical Information Infrastructure (NCII). They need to regularly perform:
- Risk assessment
- Audits
- Incident reporting.
Cyber security compliance should be continuous. You need to introduce things like:
- An organized compliance calendar
- A system with accountable control owners
- Quarterly internal inspections.
Perform compliance as a business-as-usual process.
Poor governance and board supervision
Cyber security is often fully delegated to the IT department with no formal board-level reporting. This introduces holes in accountability and strategy.
In addition to technical checks, the regulators require leadership checks. Indicatively, financial institutions supervised by Bank Negara Malaysia are expected to have effective governance frameworks regarding technology risk management.
As a leader, you must also implement an official cybersecurity governance structure that includes:
- Reporting lines
- Key risk indicators
- Board reporting frequency.
Documented oversight is very important.
Inadequate incident reporting preparedness
The Cyber Security Act 2024 establishes rigorous reporting requirements for major cyber events. But one of the biggest mistakes during a crisis is assuming that the security team can figure it out.
Practically, reporting failures is attributed to:
- Delayed classification
- Ambiguity in escalation routes
- The absence of pre-established communication protocols.
You are expected to create an incident reporting playbook that is in line with statutory definitions. Carry out simulation exercises with all teams, including:
- Legal
- Compliance
- Communications
- Executive teams.
Time-bound regulatory reporting requires practiced coordination.
Mismatch between ISO Certification and legal requirements
ISO offers a powerful control framework. But it does not necessarily comply with national legal requirements.
You ought to conduct an official gap analysis between ISO controls and the Cyber Security Act 2024, and sector-specific requirements. Other than certification standards, legal compliance might also necessitate:
- Further documentation
- Reporting
- Governance evidence.
Failure to manage the third-party risk
Compliance risk can also be introduced by outsourcing:
- IT services
- Cloud providers
- System integrators.
The regulatory setting in Malaysia is becoming highly focused on third-party accountability. Vendors do not always perform due diligence.
Where personal data is involved, you need to enforce practices of vendor oversight with requirements of the Personal Data Protection Act 2010. Establish the following:
- Formal vendor risk evaluations
- Security clauses in contracts, reevaluations
- Gathering of evidence.
Poor documentation and audit evidence
Some companies have the right controls in place. But without a traceable paper trail. During audits, they find it difficult to generate evidence of:
- Risk assessment
- Control testing
- Management review.
You are advised to consolidate compliance records in a governance, risk, and compliance (GRC) framework. Keep records for:
- Version control
- Approval
- Risk registers
- Audit trails.
Verbal commitments cannot be the basis of compliance.
The takeaway
Cyber security compliance can be complicated. But you can keep up with the help of professional compliance experts.
