When the NCII Reporting Clock Starts
What counts as a reportable incident under Act 854, how the notification chain works, and how to build the reflex before a real event tests it.
It is 02:14 on a Saturday. An analyst in a Malaysian bank's security operations centre sees authentication traffic that should not exist: a service account signing in from a host it has never touched. Nobody knows yet whether this is a breach, a misconfiguration, or a false positive. Under the Cyber Security Act 2024, that uncertainty is not a reason to wait. It is the moment the reporting clock starts.
Most national critical information infrastructure (NCII) entities have built their incident response around a question their lawyers ask first: are we sure? Act 854 inverts the order. Section 23 requires an NCII entity to notify the Chief Executive of NACSA and its sector lead the moment a cyber security incident "has or might have occurred." Knowledge triggers the duty, not confirmation. Suspicion is enough. Get the threshold wrong and the exposure is not theoretical. Contravening Section 23 carries a fine of up to RM500,000, imprisonment of up to ten years, or both.
What actually counts as reportable
The mistake most teams make is treating reportability as a severity question. It is not. The test in Section 23 is whether a cyber security incident has, or might have, occurred in respect of the NCII you own or operate. That phrasing pulls suspected events into scope before anyone has measured their impact. Ransomware, unauthorised access, data exfiltration, a service disruption hitting a designated system: all qualify. So does the 02:14 alert nobody has confirmed yet. You do not get to finish your impact assessment before deciding whether the duty has been triggered. The "might have" wording decides it for you.
The reporting duty fires on suspicion, not on certainty. The clock starts when you notice the incident, not when you understand it.
The clock has three stops
The notification chain set out in the Cyber Security (Notification of Cyber Security Incident) Regulations 2024 runs in parallel with your investigation, not after it. There are three stops, and each one is a hard deadline measured from the moment you became aware.
Stop one. Immediately.
The moment the incident comes to your knowledge, an authorised person you have designated must notify NACSA and your sector lead electronically. There is no form to perfect and no detail threshold to clear. The obligation is to raise your hand, fast.
Stop two. Within six hours.
That authorised person submits the first set of prescribed particulars through the National Cyber Coordination and Command Centre System, NACSA's reporting channel known as NC4S. The particulars are specific: the type and description of the incident, its severity, the date and time it occurred where known, and how it was discovered, alongside details of your entity and sector lead.
Stop three. Within fourteen days.
The authorised person submits supplementary information to the fullest extent practicable: which NCII systems were affected, the estimated number of hosts involved, what is known about the threat actor, the impact on your infrastructure and any interconnected systems, and the actions taken.
Treat it the way an aircraft captain treats a warning light. You do not wait until the engine fails to call it in. You declare, then you diagnose. Act 854 codifies that sequence for critical infrastructure.
What the board needs to know
Three facts matter at board level.
First, the clock is short and it runs on wall time, not business hours. Six hours from a 02:14 Saturday alert expires at 08:14 the same morning. If your notification depends on a person who is asleep, unreachable, or unsure they hold the authority, you have already missed it.
Second, the duty sits with a named role, not a department. The regulations require an authorised person to make the notification. That person carries personal and organisational consequences if the window closes unmet. The board's job is narrow and concrete: confirm that role is filled, backed up, and awake.
Third, the penalty is among the heaviest in the Act. Failing to conduct a mandated risk assessment or audit under Section 22 exposes the entity to a fine of up to RM200,000 and imprisonment of up to three years. A missed notification under Section 23 exposes it to a fine of up to RM500,000 and imprisonment of up to ten years.
The legislature priced silence higher than negligence. Section 23 carries more than double the maximum fine and more than triple the maximum sentence of the audit duty.
Build the reflex now
You cannot assemble this capability during the incident. The six-hour window does not leave room to find a login, locate a contact, or debate who has sign-off. Build it now, in this order.
Name your authorised persons this week. Designate at least three, with documented authority to notify NACSA and your sector lead without seeking further sign-off. Put them on a rotation that covers nights and weekends, because that is when the 02:14 alert arrives.
Pre-register and rehearse NC4S access. Confirm every authorised person can log in to the NC4S channel today, not during a crisis. Store the access details and the sector lead contact where your on-call team can reach them offline.
Set your internal trigger below the legal one. The Act fires on "might have occurred." Write your runbook so that a credible suspicion, not a confirmed breach, starts your internal six-hour timer. Give your own process slack the law does not.
Pre-draft the six-hour submission. Build a template that maps to the prescribed particulars: incident type, severity, time of occurrence, method of discovery. During an event your team fills blanks. They should not be designing a document against the clock.
Run the clock as a drill. Once a quarter, trigger a tabletop at an inconvenient hour and measure one number: minutes from first alert to a submitted first notification. If that number runs past six hours in rehearsal, fix it before NACSA measures it for you.
The close
Go back to 02:14 on Saturday. The analyst still does not know whether the alert is real. The difference between an entity that is ready and one that is exposed is not the quality of its forensics. It is whether, in the next few minutes, a designated person can raise their hand to NACSA without waiting for a certainty that may take days to arrive. The reporting clock does not start when you understand the incident. It starts when you notice it. Decide today who answers when it does.
Disclaimer
This article is provided for general information and does not constitute legal advice. The notification periods, particulars, and penalties described here are drawn from Act 854 and its subsidiary regulations as in force at the time of writing. NCII entities should rely on the gazetted instruments and qualified legal counsel for their specific obligations, as regulatory requirements and channels may be updated.