Apre-salomemanzo

Nacsa: safeguard entities under NCII
aecifo

PETALING JAYA: Cybersecurity incidents go beyond data breaches and can potentially hamper a critical entity’s ability to operate, says the National Cyber Security Agency (Nacsa).

Its Director General, Dr. Megat Zuhairy Megat Tajuddin, said that this is why it is important to protect entities under the National Critical Information Infrastructure (NCII) from a wide range of cybersecurity threats as a whole.

Citing the cybersecurity incident involving the Social Security Corporation (Socso) last year, Megat Zuhairy said the incident, if not handled well, could affect the body’s ability to disburse money, and that it was not just a personal data breach.

“So, in order to protect yourself from any data breach, you need to protect the entities as a whole,” he said when contacted yesterday.

On December 8 last year, Socso said it managed to overcome a cyberattack on its system by protecting information databases and websites.

Megat Zuhairy added that Nacsa has also collaborated with other relevant agencies to resolve these issues.

“When cyber incidents result in a data breach, we will notify the Personal Data Protection Department (JPDP).

“If it concerns issues related to cybercrime, we will contact the police,” he explained.

Megat Zuhairy also noted that NCII entities could face legal consequences if they do not take necessary measures to secure their systems against any attacks.

“The Cybersecurity Act of 2024 (Act 854) made it mandatory for NCII entities to take necessary steps to protect themselves by complying with minimum basic requirements. Our National Cybersecurity Coordination and Command Center (NC4) monitors possible threats and attempts 24 hours a day. And with our threat intelligence, we proactively communicate with entities,” he explained.

Megat Zuhairy said the same law also made it mandatory for NCII entities to conduct annual risk assessments and biannual audits.

“It’s not just about sensitive data, but it also involves NCII entities. The law also requires NCII entities to report to Nacsa immediately,” he said.

Under Act 854, within six hours of the discovery of a cybersecurity incident, or even a potential threat, a person authorized by the legislation must make an initial report to NC4.

Among other things, the law also states that if the cybersecurity incident is not notified within the prescribed period, the affected entity may be liable to a fine not exceeding RM500,000, or its agents to imprisonment for a maximum of 10 years, or both.

The six-hour rule applies to attacks on information in sectors deemed critical to the nation, including defense, finance, water and health services.

The 11 NCII sectors are government; national defense and security; banking and finance; information and communications; energy; transportation; emergency services; water; health services; agriculture and plantations; and commerce, industry and the economy.

The Cybersecurity Act of 2024 was officially released by the Attorney General’s Office on June 26.

The Act aims to address the management of cybersecurity threats and incidents relating to the NCII.

Additionally, it includes provisions to regulate cybersecurity service providers through licensing.