Malaysia legislation

Section 39 of ELECTRICITY SUPPLY (AMENDMENT) ACT 2015

The principal Act is amended by inserting after section 52 the following sections:

“Supply infrastructure information security

52a. (1) Any licensee as directed by the Commission providing supply of electricity to consumers shall be responsible for the preservation of confidentiality, integrity and availability of its information, information systems and supporting network infrastructure pertaining to its duties and other matters as provided under this Act.

(2) The licensee shall—

(a) take the necessary measures, establish and implement standards and employ the relevant information security controls to prevent, avoid, remedy, recover or restore its information, document, instrument or records stored in its computers and for its operational system by its computers from any risk of—

(i) threat or unauthorised access; and

(ii) intrusion or removal;

(b) take necessary measures to ensure the resiliency of its supporting network infrastructure to minimise business impact against various threats to its activities under the licence; and

(c) ensure that the reliability, continuity and quality of electricity supply, its performance of duties and conformity to the provisions of this Act and any regulations made thereunder shall not be jeopardized thereby, and shall report to the Commission within the time specified by the Commission, and in the event of any incident which interferes or affects the performance of the activities under the licence, report such incident immediately to the Commission and other relevant authorities.

(3) Any licensee who fails, neglects to comply with or contravenes any provision of this section commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

(4) For the purposes of this section—

“supporting network infrastructure” refers to relevant connection, network devices, hardware and software that provides network services in supporting business functions;

“information security controls” refers to means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management or legal in nature;

“resiliency” means an ability of an organization to resist being affected by an incident.

Obligation to give information

52b. (1) The Commission may authorize any of its officer to obtain any information pertaining to the licensee or any other person under this Act and shall be given access to such information whether stored in a computer or otherwise.

(2) Any officer authorized by the Commission under subsection (1), shall have the power to require the production of records, accounts, data, computerized data and documents kept by a licensee or any other person and to inspect, examine and to download from them, make copies of them or take extracts from them.

(3) For the purposes of this section, “access” includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data.

(4) Any person who refuses to give any information which may reasonably be required of him under subsection (1) and which he has in his knowledge or power to give commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.”.

Amendment of section 53
