Nacsa: safeguarding entities according to NCII
asane

PETALING JAYA: Cyber security incidents extend beyond data breaches and can hamper a critical entity’s ability to operate, says the National Cyber Security Agency (Nacsa).

Its Chief Executive, Dr. Megat Zuhairy Megat Tajuddin, said that is why it is important to protect entities within the National Critical Information Infrastructure (NCII) from a wide range of cyber security threats as a whole.

Citing the cyber security incident involving the Social Security Organization (Socso) last year, Megat Zuhairy said that the incident, if not handled well, could affect the body’s ability to pay money, and that it is not just about a personal data breach.

“So to protect against any data breach, you have to protect the entities as a whole,” he said when contacted yesterday.

On December 8 last year, Socso said it was able to overcome a cyber attack on its system by protecting its databases and websites.

Megat Zuhairy added that Nacsa also collaborated with other relevant agencies to address such issues.

“When cyber incidents lead to a data breach, we will inform the Department for Personal Data Protection (JPDP).

“If there are issues related to cybercrime, we will contact the police,” he explained.

Megat Zuhairy also mentioned that NCII entities could face legal consequences if they do not take necessary measures to secure their systems against any attacks.

“The Cyber Security Act of 2024 (Act 854) made it mandatory for NCII entities to take steps to protect themselves by meeting the minimum baseline. Our National Cyber Command and Coordination Center (NC4) monitors potential threats and attempts 24 hours a day. And through our threat intelligence, we proactively communicate with entities,” he explained.

Megat Zuhairy said the same law also made it mandatory for NCII entities to conduct an annual risk assessment and biannual audits.

“It’s not just about sensitive data, it also involves NCII entities. The law also obliges NCII entities to immediately report to Nacsa,” he said.

Under Act 854, within six hours of discovering a cyber security incident or even a potential threat, a person authorized under the legislation will have to make an initial report to NC4.

Among other things, the law also states that if the cyber security incident is not reported within the stipulated time, the entity concerned may be liable to a fine not exceeding RM500,000 or imprisonment for its officers for not more than 10 years, or both.

The six-hour rule applies to attacks on information in sectors deemed critical to the nation, including defense, finance, water and health services.

The 11 NCII sectors are governmental; national defense and security; banking and finance; information and communications; energy; transport; emergency services; water; health services; agriculture and plantation; and trade, industry and economy.

The Cyber Security Act 2024 was officially published by the Attorney General’s Chambers on 26 June.

The Act aims to address the management of cybersecurity threats and incidents related to NCII.

Additionally, it includes provisions to regulate cybersecurity service providers through licensing.