Cybersecurity Act: Is Your Critical Infrastructure Compliant with the 24/7 Monitoring Mandate?
The landscape of cybersecurity in Malaysia has been fundamentally transformed. With the gazetting of the Cybersecurity Act 2024 (Act 854), the nation has established a comprehensive legal framework to protect its most vital systems. For any organization designated as part of Malaysia’s National Critical Information Infrastructure (NCII), the message is clear: the standards for security are higher than ever, and the responsibility for continuous vigilance is now a legal duty.
At the heart of this new law is a powerful mandate for continuous, proactive monitoring. The days of periodic security checks are over. The Act requires designated NCII entities to be able to detect and respond to cyber threats and incidents around the clock. For business and agency leaders, this raises a critical question: "How do we meet this stringent, 24/7 operational requirement effectively and efficiently?"
For many, the answer lies in a strategic partnership with a Managed Security Service Provider (MSSP).
Decoding the Demands of the Cybersecurity Act 2024
The Cybersecurity Act 2024 was enacted to enhance Malaysia's national cybersecurity, with a strong focus on protecting the eleven sectors designated as National Critical Information Infrastructure (NCII). These sectors include banking and finance, transportation, energy, and healthcare, among others.
Under this Act, organizations designated as an NCII Entity are no longer just encouraged to practice good security hygiene; they are legally obligated to do so. The law establishes several key duties that necessitate a robust, always-on security monitoring capability:
Duty to Implement a Code of Practice: NCII entities must implement specific measures, standards, and processes to ensure the cybersecurity of their critical systems. This forms the baseline for their security posture.
Duty to Conduct Risk Assessments & Audits: Designated entities must regularly conduct cybersecurity risk assessments (at least annually) and cause audits to be carried out (at least every two years) to determine compliance with the Act.
Duty to Give Notification on Cyber Security Incidents: This is one of the most critical operational duties. An NCII entity must notify the Chief Executive of the National Cyber Security Agency (NACSA) and its sector lead of any cybersecurity incident "immediately after the NCII Entity becomes aware" of it.
Fulfilling the duty of rapid incident notification is impossible without first having the capability to detect the incident. This is where the need for a 24/7 Security Operations Centre (SOC) becomes not just a best practice, but an operational necessity for compliance.
The In-House 24/7 SOC: A Formidable Challenge
The Act requires the ability to respond to cyber threats and incidents at any time. Building an in-house, 24/7 SOC to meet this need is a massive undertaking with significant challenges:
Massive Cost: It requires a huge upfront capital investment in enterprise-grade security platforms like Security Information and Event Management (SIEM) systems, followed by high recurring operational costs.
Talent Scarcity: A true 24/7 operation requires a team of at least 8-12 highly skilled, certified cybersecurity analysts to cover all shifts, including nights, weekends, and holidays. Finding, training, and retaining this talent is a major financial and managerial burden.
Distraction from Core Mission: The core mission of an energy company, a bank, or a hospital is not running a 24/7 security war room. The immense effort required to do so can distract from the organization's primary business objectives.
The MSSP: A Strategic Solution for NCII Compliance and Security
Partnering with a modern MSSP allows an NCII entity to meet its legal obligations under the Cybersecurity Act 2024 efficiently and effectively. An MSSP delivers the three pillars of a compliant security operation—people, process, and technology—as a service.
Instant 24/7/365 Vigilance: An MSSP immediately provides a fully staffed, 24/7 SOC. This satisfies the implicit operational requirement for continuous monitoring under the Act, ensuring expert eyes are watching your critical infrastructure around the clock.
Advanced Detection and Threat Hunting: A mature MSSP brings the enterprise-grade technology and, more importantly, the expert analysts required to perform advanced detection. This proactive monitoring and threat hunting is essential for identifying cybersecurity incidents early, enabling you to meet the notification duties under the Act.
Expertise for Audits and Reporting: When the time comes for a mandatory audit, an MSSP provides the detailed logs, performance metrics, and expert analysis required. This gives your leadership, board, and regulators the clear visibility needed to demonstrate due diligence and effective risk governance.
Beyond Compliance: Building True Resilience
For leaders of Malaysia’s National Critical Information Infrastructure, the Cybersecurity Act 2024 has raised the stakes. Meeting the mandate for continuous monitoring is non-negotiable.
While building this capability in-house is a daunting prospect, a strategic partnership with an MSSP can transform this regulatory burden into a powerful security advantage.
AKATI Sekurity’s MSSP services are specifically designed to help organizations meet and exceed the stringent requirements of Malaysia's new cybersecurity laws. We provide the certified technology, expert personnel, and 24/7 vigilance required for compliance, allowing you to focus on your core mission with confidence.
To learn how our 24/7 MSSP monitoring can secure your critical infrastructure and ensure compliance with the Cybersecurity Act 2024, contact AKATI Sekurity today.