
What the Cybersecurity Act 2024 Means for Businesses in Malaysia

Read Time 7 mins | 19 Jan 2026 | Written by: Nur Rachmi Latifa


Malaysia is entering a new era of regulatory oversight in data protection and cybersecurity. With the enactment of the Personal Data Protection (Amendment) Act 2024, often referred to by businesses as part of the broader Cybersecurity Act 2024 landscape, organisations operating in Malaysia must fundamentally reassess how they collect, process, store, and protect personal data. For businesses, this is not merely a compliance update. It is a structural shift that directly affects governance, cybersecurity investment, operational accountability, vendor management, and incident response readiness. The amended law introduces stricter obligations, broader accountability, higher penalties, and new rights for individuals, bringing Malaysia closer to global data protection standards.

Why the Cybersecurity Act 2024 Matters for Malaysian Businesses

Cyber incidents today are no longer just technical problems handled by IT teams behind the scenes. Data breaches, ransomware, insider misuse, and weaknesses in third-party vendors can directly disrupt operations, halt services, erode customer trust, and trigger serious financial and legal consequences. For many businesses, a single cyber incident can now affect revenue, reputation, and long-term viability at the same time. This reality has pushed cybersecurity from an operational concern into a core business risk.

Recognising these growing threats, the Malaysian government amended the Personal Data Protection Act 2010 through the Personal Data Protection (Amendment) Act 2024, which was passed in July 2024 and received Royal Assent in October 2024. The amendment strengthens accountability, introduces clearer obligations, and aligns Malaysia’s data protection framework more closely with international standards. It reflects a clear policy shift: organisations are expected to actively manage data protection and cybersecurity risks, not merely react after incidents occur.

For businesses in Malaysia, this reform raises the bar for how cybersecurity and data protection are governed across the organisation. Compliance is no longer limited to policies or technical controls—it now requires leadership involvement, structured governance, stronger oversight of vendors, and readiness to respond transparently when incidents happen. In short, the Cybersecurity Act 2024 signals that data protection maturity is becoming a baseline expectation for doing business in Malaysia, not a competitive differentiator.


From “Data User” to “Data Controller”: A Fundamental Shift

One of the most significant changes introduced under the Cybersecurity Act 2024 is the replacement of the term “data user” with “data controller.” This shift is more than a change in wording. It aligns Malaysia’s regulatory framework with global data protection standards such as the GDPR and clearly defines who holds responsibility for personal data. A data controller is now explicitly recognised as the party that determines the purpose and means of processing personal data, making accountability more direct and harder to delegate away. For businesses, this change has clear and practical implications:

  • Senior management can no longer distance themselves from how personal data is collected, used, or protected.
  • Accountability is linked to decision-making authority, not just day-to-day operational tasks.
  • Governance and oversight become as important as technical security controls in meeting compliance requirements.

In practice, this places boards, executives, and business unit leaders firmly within the scope of responsibility, signalling that data protection is a leadership issue and not just an IT or compliance function.

Expanded Obligations for Data Processors

Previously, data processors often operated behind the scenes with limited direct legal accountability, as most compliance obligations rested with data users. Under the Cybersecurity Act 2024, this position changes materially. Data processors, that is, entities that process personal data on behalf of data controllers, are now explicitly required to comply with the Security Principle under Section 9 of the amended Act and may face penalties if they fail to do so. This elevates data processors from a supporting role to a regulated party with clear legal responsibilities. For businesses, the implications are wide-ranging:

  • Vendor and third-party risk management is no longer optional and must be actively enforced.
  • Contracts with processors, cloud providers, and outsourcing partners need to be updated to clearly define security obligations and accountability.
  • Organisations are responsible not only for their internal controls, but also for the cybersecurity posture of external partners handling their data.

As a result, cybersecurity due diligence across the supply chain becomes a critical component of compliance, governance, and overall business risk management.

Mandatory Appointment of a Data Protection Officer (DPO)

One of the clearest operational requirements under the Cybersecurity Act 2024 is the mandatory appointment of a Data Protection Officer (DPO). Both data controllers and data processors are now required to appoint one or more DPOs responsible for overseeing compliance with the Act and acting as the primary liaison with the Personal Data Protection Commissioner. This signals a clear expectation that data protection must be actively governed, not handled informally or on an ad hoc basis. What businesses need to understand:

  • The DPO role is mandatory, regardless of company size or industry.
  • Appointing a DPO does not remove accountability from senior management or the board.
  • The DPO must have sufficient authority, independence, and access to relevant information across the organisation.

For many organisations, this requirement goes beyond a simple appointment. It often necessitates new governance structures, clearer role definitions, and formal reporting lines to ensure the DPO can operate effectively and independently.

Mandatory Personal Data Breach Notification

Under the previous PDPA, organisations were not explicitly required to notify authorities or individuals when a data breach occurred. The Cybersecurity Act 2024 changes this approach by introducing mandatory breach notification obligations, representing a major shift in how incidents must be handled and communicated. If a data controller has reason to believe that a personal data breach has occurred, they must:

  • Notify the Personal Data Protection Commissioner as soon as practicable.
  • Notify affected individuals if the breach causes or is likely to cause significant harm.

Failure to comply may result in fines of up to RM250,000, imprisonment, or both. As a result, incident response plans can no longer remain informal or untested. Detection, escalation, internal decision-making, and external reporting timelines must be clearly defined. Cybersecurity incidents are now directly linked to regulatory exposure, making speed, transparency, and preparedness critical success factors.

Biometric Data Now Classified as Sensitive Personal Data

The amendment explicitly classifies biometric data, such as facial recognition data, fingerprints, and behavioural identifiers, as sensitive personal data. This reflects growing concerns over the misuse of biometric technologies and the long-term impact of biometric data breaches, which are often irreversible. This change is especially relevant for businesses using:

  • Biometric access control systems
  • Mobile or app-based authentication technologies
  • AI-driven identity verification solutions
  • Workforce monitoring or surveillance tools

Because biometric data is now considered sensitive, organisations must apply stronger security controls, stricter access limitations, and enhanced governance. In many cases, this will require reviewing existing systems, vendors, and internal policies to ensure compliance.

New Rights to Data Portability

For the first time, individuals in Malaysia are granted the right to data portability, allowing them to request that their personal data be transferred directly to another data controller, subject to technical feasibility and data format compatibility. This represents a meaningful shift toward greater consumer control over personal data. For businesses, this means:

  • Systems must support structured, commonly used, and transferable data formats.
  • Identity verification procedures must be strengthened to prevent fraud or misuse.
  • Customer experience, IT architecture, and compliance obligations must work together.

While this change encourages competition, transparency, and consumer empowerment, it also requires operational readiness and coordination across technical, legal, and business teams.

Cross-Border Data Transfers: A More Flexible but Accountable Regime

The Cybersecurity Act 2024 removes the previous whitelist regime for cross-border data transfers. Instead, businesses may transfer personal data to countries with adequate data protection laws, provided appropriate safeguards are implemented. This offers greater flexibility for international business operations and regional data flows. Key considerations for businesses include:

  • Assessing the legal adequacy of data protection laws in recipient jurisdictions.
  • Implementing contractual safeguards, such as standard contractual clauses, where necessary.
  • Maintaining proper documentation and conducting ongoing risk assessments.

While the regime is more flexible, it places greater responsibility on organisations to justify and manage cross-border data transfer risks in a structured and defensible manner.

Increased Penalties and Enforcement Risk

The amended Act significantly increases penalties for non-compliance. Breaches of personal data protection principles may now result in fines of up to RM1 million and imprisonment for up to three years, signalling a much tougher enforcement stance. For businesses, this fundamentally changes the risk calculus:

  • Cybersecurity and data protection failures become board-level issues.
  • Proactive compliance investments are far more cost-effective than regulatory penalties and reputational damage.
  • Insurance coverage, audits, and governance controls become increasingly important.

The message from regulators is clear: weak data protection is no longer tolerated as a cost of doing business.

What Business Leaders Should Do Now

The Cybersecurity Act 2024 makes it clear that compliance is not solely a legal or IT responsibility. It is an organisation-wide obligation that requires leadership commitment, cross-functional coordination, and sustained execution. Immediate actions businesses in Malaysia should consider include:

  1. Conducting a data protection gap assessment against the amended Act.
  2. Appointing a qualified DPO with sufficient authority and resources.
  3. Updating cybersecurity and incident response plans to incorporate breach notification requirements.
  4. Reviewing third-party and vendor contracts to ensure clear security and compliance obligations.
  5. Strengthening data governance frameworks, including data classification and lifecycle management.
  6. Training employees so they understand their role in protecting personal data and reducing human risk.

Taken together, these steps help organisations move beyond reactive compliance and build a more resilient, trustworthy, and future-ready cybersecurity posture.


Conclusion

The Cybersecurity Act 2024 is not merely a compliance obligation, but an opportunity for businesses in Malaysia to strengthen trust, resilience, and competitiveness. Achieving this goes beyond policies and technology alone; it requires strong governance, continuous employee awareness, and real risk reduction driven by everyday behaviour across the organisation.

This is where SiberMate plays a critical role. SiberMate empowers organisations through a Human Risk Management platform that builds strong security awareness and shapes safer everyday behaviour. By reducing human-driven cyber risk and reinforcing consistent security practices, SiberMate helps organisations defend their digital environment and establish a resilient, trusted foundation—powered by people as the first line of defence.


Nur Rachmi Latifa

A writer who focuses on producing content related to Cybersecurity, Privacy, and Human Cyber Risk Management.
