
Cybersecurity Policy (Malaysia)


CYBERSECURITY POLICY

Personal Data Protection Act 2010 | Computer Crimes Act 1997 | Communications and Multimedia Act 1998 | ISO/IEC 27001

Organisation: [Organisation Name] (SSM No. [SSM Number])

Effective Date: [Effective Date]

Next Review Date: [Next Review Date]

CISO / IT Security Officer: [CISO Name and Title]

Data Protection Officer: [DPO Name]

1. PURPOSE AND SCOPE

1.1 This Cybersecurity Policy establishes the information security governance framework for [Organisation Name], protecting its information assets, computer systems, and data against unauthorised access, disclosure, modification, and destruction.

1.2 Scope: [Policy Scope]

1.3 This Policy implements the security obligations under the Personal Data Protection Act 2010 (PDPA 2010), Section 9 (Security Principle), the Computer Crimes Act 1997, and the Communications and Multimedia Act 1998. Security certifications: [Security Certifications]

2. INFORMATION CLASSIFICATION

2.1 All information assets must be classified and handled according to the following data classification scheme: [Data Classification]

2.2 Personal data of customers and employees is classified at minimum as Confidential and is subject to the PDPA 2010 requirements for collection, processing, and retention.

3. ACCESS CONTROL

3.1 Access to all systems and data shall be granted on a least-privilege basis — limited to the minimum necessary for each user's job function.

3.2 Password requirements: [Password Policy]

3.3 User access must be reviewed quarterly for all privileged accounts and annually for all other accounts. Access for departing employees must be revoked within 24 hours of their last working day.

4. NETWORK AND SYSTEMS SECURITY

4.1 Encryption standards: [Encryption Standards]

4.2 Patch management: [Patch Management]

4.3 All endpoints must run approved endpoint detection and response (EDR) software. Personal devices used to access company systems must be enrolled in the Mobile Device Management (MDM) programme.

5. INCIDENT RESPONSE

5.1 All cybersecurity incidents — including suspected data breaches, malware infections, and unauthorised access — must be reported immediately to: [Incident Reporting Contact]

5.2 Upon confirmation of a personal data breach, the organisation shall notify the Department of Personal Data Protection (JPDP) and affected data subjects within [Breach Notification Period], in compliance with the Personal Data Protection (Amendment) Act 2023.

5.3 The CISO shall conduct a post-incident review within 14 days of resolution of any significant incident and submit findings to senior management.

6. EMPLOYEE TRAINING AND AWARENESS

6.1 All employees must complete cybersecurity awareness training within 30 days of joining and at least annually thereafter.

6.2 Training must cover: phishing recognition, social engineering, password hygiene, device security, and personal data handling obligations under the PDPA 2010.

6.3 Breach of this Policy may result in disciplinary action up to and including dismissal, and may constitute an offence under the Computer Crimes Act 1997.

7. POLICY REVIEW AND VERSION CONTROL

7.1 This Policy shall be reviewed at least annually and following any significant cybersecurity incident. The next scheduled review date is [Next Review Date].

7.2 Updates to this Policy must be approved by the CISO and senior management before taking effect.

CISO / Authorising Officer

________________

Signature

Senior Management / CEO

________________

Signature

Maintained by Vladislav Sergienko, Founder.

What Is a Cybersecurity Policy (Malaysia)?

A Cybersecurity Policy in Malaysia sets out the standards and procedures the organisation expects its people to follow.

The Computer Crimes Act 1997 (CCA 1997) is Malaysia's primary legislation criminalising cybercrime, including unauthorised access to computer systems (Section 3), unauthorised access with intent to commit or support offences (Section 4), and unauthorised modification of computer contents (Section 5). A Cybersecurity Policy implements the organisational controls that assist in preventing CCA 1997 offences and demonstrates due diligence in the event of a breach.

The Personal Data Protection Act 2010 (PDPA 2010) Security Principle under Section 9 requires data controllers in Malaysia to implement practical steps to protect personal data from loss, misuse, unauthorised access, disclosure, alteration, or destruction. The Department of Personal Data Protection (JPDP) under the Ministry of Communications audits compliance with the Security Principle, and failures may result in fines of up to RM500,000 and imprisonment for up to 3 years under Section 130 of the PDPA 2010. A well-implemented Cybersecurity Policy is the primary vehicle through which organisations demonstrate Security Principle compliance.

Bank Negara Malaysia (BNM) has issued the Risk Management in Technology (RMiT) Policy Document 2019, which imposes specific cybersecurity requirements on financial institutions licensed under the Financial Services Act 2013 and the Islamic Financial Services Act 2013. The RMiT requires financial institutions to establish a Technology Risk Management framework, implement security controls aligned with internationally recognised standards, and report cybersecurity incidents to BNM within prescribed timeframes.

The Malaysian Communications and Multimedia Commission (MCMC) under the Communications and Multimedia Act 1998 (CMA 1998) regulates telecommunications and internet service providers, requiring licensees to implement security measures and report significant cybersecurity incidents. The National Cyber Security Agency (NACSA) established under the National Cyber Security Policy 2006 coordinates national cybersecurity strategy and collaborates with organisations in critical information infrastructure (CII) sectors including energy, water, transport, and financial services.

The legal framework governing a Cybersecurity Policy in Malaysia draws on several key statutes and regulatory bodies. The Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties adopting a Cybersecurity Policy in Malaysia should confirm that the document reflects current law, including any amendments enacted since the original drafting date.

When Do You Need a Cybersecurity Policy (Malaysia)?

A Malaysia Cybersecurity Policy is required for any organisation that operates computer systems, processes personal data, or relies on digital infrastructure to conduct its business.

A Cybersecurity Policy is needed when a Malaysian company processes personal data of customers or employees under the Personal Data Protection Act 2010 (PDPA 2010). The Security Principle under Section 9 of the PDPA 2010 requires data controllers to implement practical security steps, and a documented Cybersecurity Policy is the primary evidence of compliance with this requirement during JPDP audits.

A Cybersecurity Policy is required when a financial institution regulated by Bank Negara Malaysia (BNM) under the Financial Services Act 2013 or the Islamic Financial Services Act 2013 implements the Risk Management in Technology (RMiT) Policy Document 2019. The RMiT mandates a formal Technology Risk Management framework including cybersecurity governance, security operations, and incident response capabilities.

A Cybersecurity Policy is necessary when an organisation seeks ISO/IEC 27001 certification for its Information Security Management System (ISMS). ISO/IEC 27001:2022 requires documented information security policies as a mandatory control under Annex A, Control 5.1. Many Malaysian enterprises and government-linked companies require their vendors and service providers to hold ISO/IEC 27001 certification.

A Cybersecurity Policy is needed when an organisation is a Critical Information Infrastructure (CII) operator in sectors such as energy (Tenaga Nasional Berhad), water (Syabas), telecommunications (Telekom Malaysia), or transport (MAHB), as the National Cyber Security Policy mandates cybersecurity governance requirements for CII operators coordinated through NACSA.

A written Cybersecurity Policy is required when an organisation needs to demonstrate due diligence to auditors, investors, insurers, or contractual counterparties that it manages cybersecurity risk. Cyber insurance policies issued by Malaysian insurers increasingly require documented cybersecurity governance as a condition of coverage.

Parties in Malaysia should prepare a Cybersecurity Policy proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your Cybersecurity Policy (Malaysia)

A thorough Malaysia Cybersecurity Policy must contain the following essential elements to satisfy legal compliance and governance requirements.

Scope and Purpose: The organisational scope of the policy — which entities, systems, data types, and personnel are covered — and the policy's stated objectives, linking to the organisation's obligations under the PDPA 2010, the CCA 1997, and applicable regulatory frameworks such as BNM RMiT.

Information Security Governance: The organisational structure for cybersecurity governance, including the designation of a Data Protection Officer (DPO) as required by the PDPA 2010, the Chief Information Security Officer (CISO) or equivalent role, and the reporting lines to senior management and the board.

Access Control: Rules governing user access provisioning and de-provisioning, password requirements (minimum length, complexity, rotation frequency), multi-factor authentication (MFA) for privileged accounts, and the principle of least privilege — limiting access to data and systems to the minimum necessary for each user's role.

Data Classification and Handling: A data classification scheme categorising information assets by sensitivity (e.g., Public, Internal, Confidential, Restricted), and specific handling, storage, transmission, and disposal requirements for each classification level, particularly for personal data subject to the PDPA 2010.

Incident Response: The procedure for detecting, reporting, containing, and recovering from cybersecurity incidents, including escalation procedures, notification timelines to affected individuals (under PDPA 2010 Amendment 2023 breach notification requirements), and notification to regulators such as JPDP, BNM, or MCMC.

Network and Systems Security: Requirements for firewall deployment, patch management (including critical patch application timelines), antivirus and endpoint detection, network segmentation, and encryption of sensitive data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).

Employee Training and Awareness: Mandatory cybersecurity awareness training frequency, topics to be covered (phishing recognition, social engineering, password hygiene, device security), and the consequences of policy violations under the organisation's disciplinary procedures.

Vendor and Third-Party Risk Management: Requirements for assessing cybersecurity risks of vendors and third-party service providers with access to the organisation's systems or data, consistent with BNM RMiT third-party risk management obligations and the PDPA 2010 data processor arrangement requirements.

Policy Review: The frequency of policy review (minimum annually or following a significant security incident), the process for approving updates, and version control documentation.

The statutes and regulators described under the legal framework above also apply to a Cybersecurity Policy used in Malaysia. Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Cybersecurity Policy (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/cybersecurity-policy-malaysia

MLA

"Cybersecurity Policy (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/business/policies/cybersecurity-policy-malaysia.

BibTeX
@misc{formslegal-cybersecurity-policy-malaysia,
  author       = {{Forms Legal}},
  title        = {Cybersecurity Policy (Malaysia)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/malaysia/business/policies/cybersecurity-policy-malaysia}},
  note         = {Free legal document template. Based on Companies Act 2016 (Act 777)}
}


Based on Companies Act 2016 (Act 777) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.