
The National Cyber Security Act 2024, enforced since 26 August last year, is more than just a piece of legislation: it emphasises that cybersecurity is now a board-level issue, with real consequences for non-compliance.

LGMS Berhad executive chairman Fong Choong Fook said that, for businesses in Malaysia, particularly those linked to National Critical Information Infrastructure (NCII), the Act introduces sweeping obligations, and even steeper risks for those caught unprepared.

“The Madani Government’s message is clear: Organisations must act decisively to understand their legal exposure, shore up defences and engage with sector leads to stay ahead of regulatory requirements,” he said after having received an award from Digital Minister Gobind Singh Deo at a recent industry event.

“We are living in an era of constant cyber warfare,” he added. “Most attacks are automated, driven by AI and scripts, and no business — large or small — is immune. The Cyber Security Act is a necessary step, but it’s also a signal that our approach to risk needs to evolve.”

Fong also praised Digital Minister Gobind Singh Deo for his visionary leadership in championing the Cyber Security Act, describing it as a crucial milestone in Malaysia’s digital journey.

“The National Cyber Security Act 2024 is a commendable step forward in the fight against cybercrime,” said Fong. “Malaysia is fortunate to have a minister like Gobind who understands that safeguarding our digital frontiers is a national imperative.”

“In an era where cyber threats evolve faster than legislation, his foresight ensures Malaysia is not left behind. The global surge in cybersecurity incidents, both globally and domestically, makes it clear that this Act was urgently needed — and thanks to Gobind, Team KD (Kementerian Digital), Team Cyber Security Malaysia and Team MDEC amongst others, Malaysia now has a solid foundation to build a more secure digital future.”

The Act applies to 11 sectors deemed critical to national interests, from telecommunications and financial services to healthcare, plantations and agriculture.

Under the law, NCII entities are required to conduct annual risk assessments, implement biannual cybersecurity audits, and report incidents within six hours of detection. A follow-up report must then be submitted within 14 days.

More pressing, however, is the legal exposure faced by directors and senior officers.

Fong, who regularly handles data breach and cybersecurity cases, warned that accountability under the Act lies squarely with top management.

“If an NCII entity fails to comply — whether in reporting, audit, or readiness — the directors could face fines or even jail time,” he said. “Cybersecurity can no longer be treated as an IT issue. It’s a matter of governance and legal risk.”

One aspect of the Act is the broad powers granted to the Chief Executive of the National Cyber Security Agency (NACSA). These include the ability to compel disclosure of information and seize digital assets without a warrant, if there are reasonable grounds to suspect a threat.

In practice, this means entire server racks, laptops or storage systems could be removed during an investigation.

Fong emphasised that businesses should not only focus on their internal security posture, but also assess the cyber maturity of their supply chains.

“Supply chain attacks — where hackers target vendors or equipment providers to reach a primary target — are becoming more common. In such scenarios, liability may still fall on the NCII entity, even if the root cause was a subcontractor’s negligence,” he said.

“Review your contracts. Look closely at indemnity and limitation of liability clauses,” he advised. “Because if a breach originates from your supplier, and you don’t have the right provisions in place, you may have no recourse.”

“If you’re unsure whether your business falls under the Act, consult your sector lead,” he said. “But don’t wait for a breach to find out.”

Fong stressed that the risks posed by cyber threats are rising — and businesses must start treating cybersecurity as a fundamental pillar of operational resilience.

“This goes beyond compliance and addresses survival and staying safe in a digital world where hackers and criminals are waiting to take advantage of any vulnerability,” he emphasised.

Fong, regarded by the industry as one of Malaysia’s and Southeast Asia’s leading cybersecurity experts, has received multiple cybersecurity awards, including being named ‘Cyber Security Professional of the Year’ by Cyber Security Malaysia on a few occasions.

LGMS, the company he founded, has also been recognised for its cybersecurity expertise, having received industry accolades, including being the ‘Cyber Security Company of the Year’ for a few years running.

Source: https://www.businesstoday.com.my/2025/05/15/gobinds-cyber-law-sets-bar-for-business-accountability-says-lgms/