CYBER SECURITY: A LEGAL PERSPECTIVE ON RANSOMWARE ATTACKS

In the midst of a pandemic, people tend to make more online communications and transactions as a safety measure in order to connect and communicate. This includes transactions between persons, companies and authorities. Nonetheless, it is highly likely whereby communications and transactions made on the Internet through electronic devices like PC, laptops or even handphones may expose someone to a cyber security breach such as a ransomware attack. Ransomware attack is one of the biggest threats against preservation of information assets or systems. It can also be described as a kind of malware that prevents users from accessing their computing device resources and/or personal data using various methods.

1. Legislations Relating to Cyber Security

   In Malaysia, there are seven (7) legislations that are in place to deter cybercrime, including offences related to ransomware attack. These legislations are Communications and Multimedia

   Act 1998 (“CMA”), Computer Crimes Act 1997 (“CCA”), Digital Signatures Act 1997 (“DSA”), Electronic Commerce Act 2006 (“ECA”), Personal Data Protection Act 2010 (“PDPA”), National Cyber Security Policy (“NCSP”) and Penal Code (“PC”). 

   The main statute that regulates cyber law in Malaysia is known as Communications and

   Multimedia Act 1998 (“CMA”). This statute mainly governs the multimedia and communication industry in Malaysia. The jurisdiction of this statute is restricted to networked services and activities only and it aims to guarantee the information security and network reliability in Malaysia.

   Another cyber law statute that is crucial in Malaysia is Computer Crimes Act 1997 (“CCA”). This is because this statute actually provides punishments to those who are found guilty for disseminating viruses in a computer, hacking and also unauthorized access to a computer. The amount of fine under this statute ranges from RM25,000 to RM150,000 and imprisonment of 3 to 10 years or both depending on the offence committed^[1]. This can be reflected in the appeal case of Dato’ Gee Siew Yee v Public Prosecutor [2020] MLJU 1342, where the Appellant filed an appeal to the court against a decision made by the learned Sessions Court Judge. The Appellant contended that she should have been discharged amounting to an acquittal (‘DAA’) instead of being discharged not amounting to an acquittal (‘DNAA’) on the day scheduled for trial. In this case, the Appellant was charged at the Kuala Lumpur Sessions Court under section 3(1) of CCA^[2] punishable under section 3(3) of the same Act^[3]. On 29/09/2015, the Appellant had made an unauthorized access over a laptop owned by Brian Pereira to access 3 meeting files at Kelab Taman Perdana di Raja Kuala Lumpur, Dang Wangi. On the appeal, the court decided that the appeal is incompetent and that the DNAA meted out by the learned SCJ is not appealable where the Appellant could very well be charged again. Hence, the Court dismissed the appeal and affirmed the decision of the Sessions Court.

   The Digital Signatures Act 1997 (“DSA”) is a statute that allows the advancement of electronic transactions by providing a secured method for online transactions through digital signatures. Digital signatures are recognized legally under this statute where identity verification through encryption techniques is involved to avoid communication interference and forgery. The verification of a digital signature is made upon reference of ‘public key’ that is listed in a valid certificate which only a licensed certification authority can provide. For example, licensed certification authorities such as Pos Digicert Sdn Bhd and MSCTrustgate.com Sdn Bhd.

   The Electronic Commerce Act 2006 (“ECA”) gives a broader legal recognition for matters that involve commercial transactions and contracts made by any electronic means. After this statute has come into force, e-commerce that involves electronic transactions become legally valid. This statute also has its own information security standards to be complied with in order to ensure that e-commerce activities are smooth and secure, especially when it involves electronic messages and to prove originality of a document. 

   The Personal Data Protection Act 2010 (“PDPA”) is an Act that regulates the processing of personal data in relation to commercial transactions. This statute applies >to any person who collects and processes personal data in regards to commercial transactions. There are seven (7) main principles set out under this Act in order to protect personal data. The principle of security plays the most crucial role under the Act as it requires a data user, when processing personal data, to take practical steps ensuring the secure transfer of the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.^[4]

   In overcoming cybercrime risks of hacking, intrusion, fraud, harassment, malicious code and denial of service attacks, the Government has produced a National Cyber Security Policy

   (“NCSP”) to strengthen Malaysia’s Critical National Information Infrastructure (“CNII”). The CNII focuses on a secure digital information system where ten (10) main sectors consisting of Defence and Security, Transportation, Banking and Finance, Health Services, Emergency Services, Energy, Information and Communications, Government, Food and Agricultural, and Water are stressed on. These sectors are classified to be vital to the nation that their incapacity or destruction would have a strong, negative impact on the nation’s defence and security, the Government and the public’s health and safety.^[5] Further, the NCSP is divided into eight (8) areas of policy thrusts. Each policy thrust have a respective Thrust Driver from ministries to monitor and assist the cybersecurity within its own IT systems. The proposal of ISO/IEC 27001 has been accepted by Malaysia which marks as the information security standard for all CNII crucial sectors and thus the sectors are to be certified under ISO/IEC 27001 Information Security Management Systems (“ISMS”).

   Besides that, the offence of extortion under Section 383 of Penal Code (“PC”) is also a measure to deter cybercrime related to ransomware attack. This provision states that when one intentionally puts the victim in fear of any injury to himself or to any other, and thereby dishonestly induces the victim to deliver any property or valuable security, it amounts to the offence of extortion. Hence, if anyone is found guilty to be extorting money from a victim through the act of a cybercrime, the person may be found guilty under the Act.

2. Government Bodies that Manage Cyber Security

   There are a number of enforcement bodies in Malaysia consisting of government agencies and units that are tasked to handle matters relating to cyber security. Among them are Cyber Security Malaysia, MyCERT and Cyber999, CyberCSI, MyVAC, MySEF and MyCC and CyberSAFE. 

   CyberSecurity Malaysia is previously known as the National ICT Security and Emergency

   Response Centre (“NISER”). This agency plays an important role to defend the nation from cyber-attacks and was formed under the Ministry of Science, Technology & Innovation

   (“MOSTI”). It also plays a vital role in ensuring that the nation’s e-security is tight. Also, this body provides cyber security services to counter cyber security attacks such as detecting possible harm that may occur and trigger the national security and public safety.

   Subsequently, Malaysia Computer Emergency Response Team (“MyCERT”) which was formed under Cyber Security Malaysia provides remedial assistance for systems that are at risk by giving expert advice and recommendations. There are specialists and analysts under this agency focusing on the areas of Incident Handling and Malware Research. This agency also spreads awareness and alerts Malaysian Internet Users when there is any widespread security incident or malware outbreak. Numerous agencies have recognized MyCERT’s services to coordinate an efficient response plan with many parties, including internet service providers, law enforcement agencies, universities, government agencies, and international CERTs (Computer Emergency Response Teams).^[6] Further, Cyber999 Help Centre operates under MyCERT to give assistance for emergency response on computer security-related matters such as cyber harassment, malware, intrusion, hack attempts, and other information security breaches. 

   Next, Cyber Crime Scene Investigation (“CyberCSI”) is one of the digital forensic agencies under CyberSecurity Malaysia, which focuses on investigation and prosecution of criminal cases that includes services of onsite digital evidence preservation, digital evidence analysis, and providing an expert witness. Under the Criminal Procedure Code, this agency’s experts are allowed to be expert witnesses of the digital forensic team to testify and provide reports before the court. Some services under this agency are expert witness service, computer, audio, mobile phone, video forensics, and forensics on Internet applications. The clients under this agency are mainly from Law Enforcement Agencies ("LEA"), Government-Linked Companies ("GLC") and private agencies.

   In addition, there is a unit under CyberSecurity Malaysia known as National Vulnerability

   Assessment Centre (“MyVAC”). This department is established under Policy Thrust 3 of Technology Framework aiming to enhance the national information security assurance for the Critical National Information Infrastructure (“CNII”) and the nation’s cyber safety. This unit also aims to provide security posture for CNII sectors through actual assessment of the nation's ability in defending against cyber threats and exploitation due to information systems and technology vulnerabilities.^[7] The importance of this unit is that they provide vulnerability assessment laboratories for critical information systems and technologies. Through the assessment, the analyst of this unit will identify common and potential vulnerabilities and suggest ways to mitigate such vulnerabilities. Aside from vulnerability assessment research, MyVAC also provides services such as control systems security assessments and cyber security audit.

   Besides that, Malaysian Common Criteria Evaluation and Certification (“MyCC”) is also a unit department under CyberSecurity Malaysia that provides evaluation and certifies the security functionality within ICT products against defined criteria or standards. Similarly, Malaysian

   ICT Security Evaluation Facilities (“MySEF”) is formed as a licensed evaluation facility under MyCC. This facility provides similar assessment and evaluation services but it focuses more on the ICT products and systems.  

   Awareness also plays a crucial role in the community. This leads to the establishment of Cyber Security Awareness for Everyone (“CyberSAFE”) which is an initiative of the government to generally disseminate awareness among the Internet users in Malaysia. Numerous guidelines and updates on a safer usage of the Internet for all users are provided under CyberSAFE.

3. Cyber Security Risks Management

   In 2016, there was a proposed regulatory framework on cyber security resilience made to the Securities Commission Malaysia (“SC”). In response, the SC issued the >Cyber Risk Guidelines on Management of Cyber Risk for capital market participants. This guideline stresses on the roles and responsibilities of the board of directors and the management along with cyber risk prevention, detection and recovery measures.

   Cyber security risks management are deemed to be intertwined with Cyber Insurance as it provides financial protection for businesses from risks relating to data and information technology. Nowadays, no modern business can escape from the exposure of cyber risk. Hence, a secure cyber insurance shall include seven (7) main scopes of recovery modes and protection for those who have been affected by cyber security breach. 

   The first scope is cyber liability which covers a range of third-party claims arising from data breaches, network security failures and publication of online content. Second is Incident Response whereby costs associated with IT forensic investigation and data breach notification, including engaging legal experts and public relations consultants shall be covered. Third is Cyber Extortion where the insurance shall cover expenses incurred in the investigation and

   resolution of a ransomware event. Subsequently, Business Interruption is where the insurance needs to provide recovery to cover for loss of net profit and extra expenses incurred due to a network disruption arising from a security failure, human error or programming error. Next is System Recovery where the costs to restore or recreate data and software arising from a security failure, human error or programming error shall be covered. The Cyber Theft scope is where the insurance shall cover for direct financial loss arising from a security failure. The last scope is Social Engineering Fraud where the insurance shall cover fraudulent inducement of funds transfer by attacker posing as vendor, customer or colleague. Some of the cyber insurances in Malaysia are Tokio Marine Cyber 365 of Tokio Marine Insurance Group, Howden Malaysia’s Cyber Insurance and Cyber Insurance (Cyberedge) of AIG Malaysia.

4. Conclusion

   To conclude, cybersecurity breach such as ransomware attacks may be prevented following the guidelines provided under the legislations that have been enacted in Malaysia. Also, with the punishments provided under the PC and the CCA, one may can take action against an alleged offender. As a precautionary measure, steps also should be taken for the security of recovery, protection and compensation against such breach by subscribing to any existing cyber insurance in Malaysia. 

Written by: Najwa Hafiz. For further advice on the above, you may contact us at 03-2171 1484 or at mail@azamlaw.com.