Malaysia legislation

Section 22 of Cyber Security Act 2024 (Act 854)

(a)

conduct a cyber security risk assessment in respect of the national critical information infrastructure owned or operated by the national critical information infrastructure entity in accordance with the code of practice and directive; and

(b)

cause to be carried out an audit by an auditor approved by the Chief Executive to determine the compliance of the national critical information infrastructure entity with this Act.

(2)

The national critical information infrastructure entity shall, within the period of thirty days after the completion of the cyber security risk assessment or audit under subsection (1), submit the cyber security risk assessment report or audit report to the Chief Executive.

(3)

Where it appears to the Chief Executive from the cyber security risk assessment report submitted under subsection (2) that the result of the cyber security risk assessment is not satisfactory, the Chief Executive may direct the national critical information infrastructure entity to take further initiatives to re-evaluate the cyber security risk to such national critical information infrastructure within the period as may be determined by the Chief Executive.

(4)

Where the Chief Executive finds that the audit report submitted under subsection (2) is insufficient, the Chief Executive may direct the national critical information infrastructure entity to rectify the audit report within the period as may be determined by the Chief Executive.

(5)

Upon receipt of the information from the national critical information infrastructure sector lead under subsection 20(5) on the material change made to the design, configuration, security or operation of a national critical information infrastructure, the Chief Executive may by notice in writing direct the national critical information infrastructure entity which owns or operates the national critical information infrastructure to conduct a cyber security risk assessment or cause to be carried out an audit in respect of the national critical information infrastructure regardless whether a cyber security risk assessment or audit has been conducted or carried out under subsection (1) in respect of such national critical information infrastructure.

(6)

The Chief Executive may direct a national critical information infrastructure entity to conduct a cyber security risk assessment or cause to be carried out an audit in addition to the cyber security risk assessment or audit under subsection (1) or (5).

(7)

Any national critical information infrastructure entity which contravenes subsection (1) or (2) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

(8)

Any national critical information infrastructure entity which fails to comply with the directions of the Chief Executive under subsection (3), (4), (5) or (6) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit.


Section 22 — AKTA KESELAMATAN SIBER 2024 | mylaw.my