KUALA LUMPUR: The National Cyber Security Agency (Nacsa) is expected to review and reappoint the National Critical Information Infrastructure (NCII) entity, following the enforcement of the Cybersecurity Act 2024. 

Nacsa's chief executive Dr Megat Zuhairy Megat Tajuddin, as reported by Utusan Malaysia, said that under the previous guidelines from the National Security Council Directive No. 26, there were currently 299 NCII entities.

"We will be reappointing these entities, and we anticipate that the number will increase as we have established clearer criteria for their designation. 

"We have also empowered sector heads to identify NCII entities within their respective areas," reported the Malay daily.

Megat Zuhairy said this to reporters during yesterday's Cyber Security Act 2024 briefing.

On Monday, the Act, passed by the Dewan Rakyat in April, officially came into force. (Link: https://www.nst.com.my/news/nation/2024/08/1096959/new-cyber-security-la...) 

The Prime Minister's Office, in a statement, said the Act was approved by His Majesty Sultan Ibrahim, King of Malaysia, on June 18. 

"Following subsection 1(2) of the Act, the Prime Minister (Datuk Seri Anwar Ibrahim) as the minister responsible for cybersecurity, has designated Aug 26 as the date the Act comes into effect. 

"The Act was approved by the King on June 18 and was published in the gazette on June 26," the statement read. 

Megat Zuhairy added that the list of NCII entities was confidential and will not be published on any platform, including the Nacsa website, to protect these entities from becoming targets of cyberattacks. 

"Only the list of sector heads will be available on the Nacsa website. We cannot publish the list of NCII entities because it is classified information, otherwise those entities could become targets for cyberattacks." 

He further explained that the Cyber Security Regulations (Cyber Security Incident Notification) 2024, requires NCII entities to report any cybersecurity incidents that have occurred or might have occurred through electronic means; NC4 email promptly. 

He said within six hours of discovering a cybersecurity incident, the authorised individual at the NCII entity must submit information through the NC4 system.

"This includes details such as the name of the authorised person, information about the affected NCII entity, the sector it belongs to, and the sector head. 

"Additional details required are information about the cybersecurity incident itself, including the type and nature of the incident, the severity of the incident, the date and time it was noticed, and the method of discovery," he said. 

He added after the initial reporting period, a more detailed report must be provided to Nacsa within 14 days. 

"This report should include information on the NCII entity affected by the incident, the number of hosts likely impacted, details of the threat actor, relevant artefacts related to the incident, and information about any related incidents or how the incident is connected to the cybersecurity event."

https://www.nst.com.my/news/nation/2024/08/1097740/nacsa-revamp-critical-infrastructure-list-under-new-cyber-security-act