27/06/2025

FRIDAY | JUNE 27, 2025


RM1.2 billion cyber-related losses recorded last year

Corporate leaders liable for data protection failures: Expert

PETALING JAYA: Experts say recent amendments to Malaysia’s Personal Data Protection Act (PDPA) and the enforcement of the Cyber Security Bill 2024 have introduced heavier obligations and liabilities for organisations, particularly those handling sensitive or large volumes of personal data.

The updated PDPA, referred to as PDPA 2.0, includes mandatory breach notifications, classification of biometric data as sensitive information and increased penalties of up to RM1 million, alongside a maximum of three years’ imprisonment for offences.

Cyber security software specialist NetAssist managing director Hon Fun Ping said the law now holds more corporate leaders accountable for data protection failures.

“Directors, CEOs, COOs and even HR heads may be held liable if they are found to have failed in exercising due diligence.”

Hon said individuals can only be exempted if they are able to demonstrate that reasonable steps were taken to prevent lapses in compliance. He added that negligence, such as the failure to implement multi-factor authentication or sharing of administrator level credentials, could result in action.

He said the Cyber Security Bill 2024, which applies to organisations designated as part of the National Critical Information Infrastructure, extends its reach beyond Malaysia’s borders. Organisations using overseas data centres or cloud services remain liable under the law.

The legislation mandates that covered entities report cybersecurity incidents within six hours, followed by a full report within 14 days. Non-compliance may incur fines of up to RM500,000 or a 10-year prison term.

Among other requirements are annual risk assessments, biennial audits and compulsory licensing for cybersecurity vendors, including security operations centres and penetration testing firms.
Deloitte Southeast Asia cybersecurity specialist Melbourne Lim said the amendments represent a shift in compliance responsibility toward executive management.

“These are no longer concerns limited to IT departments. Organisations must ensure that legal, operations, HR and technical teams are aligned in their data governance practices.”

Lim said the revised PDPA also introduces the right to data portability, revised cross-border transfer rules and new obligations for third-party data processors. Companies must now conduct their own assessment of whether the jurisdictions receiving personal data offer equivalent safeguards as stipulated under Malaysian law.

A registered data protection officer must also be appointed if an organisation meets specific thresholds, such as processing over 20,000 personal data records, handling 10,000 records of sensitive data or engaging in regular monitoring of individuals. This role may be outsourced but must be formally registered with the Personal Data Protection Department.

Lim said failure to notify the regulator and affected individuals of a data breach is also classified as an offence under the revised Act. – By Faiz Ruzman

‘Commercial, consumer sectors hit by surge in online scams and increasingly sophisticated attacks powered by artificial intelligence’

BY FAIZ RUZMAN
newsdesk@thesundaily.com

PETALING JAYA: Malaysia recorded about RM1.2 billion in cyber-related losses last year, underscoring an urgent need for a more coordinated approach to national cybersecurity readiness, said National Tech Association of Malaysia secretary-general Anthony Raja Devadoss.

He said the losses, which involved both commercial and consumer sectors, were driven by a surge in cyber scams and increasingly sophisticated attacks powered by artificial intelligence. He added that scam calls alone rose by 82%.

Anthony said while Malaysia has made regulatory progress with the Personal Data Protection Act (PDPA) and the proposed National Cyber Security Bill, the country continues to struggle with uneven awareness and inconsistent implementation, particularly among SMEs.

“Framework-wise, Malaysia is moving in the right direction. But we tend to announce regulations first and expect compliance the next day. That’s a major concern.

“We need scalable cybersecurity practices, not just firewalls. Small firms must have access to certified talent, and if they can’t afford to hire directly, government-supported partnerships should be made available.”

He suggested establishing a gov-tech alliance, a government-industry initiative focused on modernising public sector digital infrastructure, improving cybersecurity standards and ensuring that local councils and agencies adopt the latest technologies, in line with national security priorities.

“Cybersecurity is not exclusive. The impact cuts across every sector. Whether you’re in finance, telco or healthcare, the consequences of a breach are widespread – reputational and financial.”

He said cybersecurity must be treated as a cultural shift, not just a technical challenge.

“We’re not just talking about software but also awareness, behaviour and trust. That starts at home, not just in the workplace.”

He said Malaysians often underestimate personal responsibility in digital safety, and high levels of social trust have led to risky habits such as unsecured device use as well as sharing of sensitive information within households.

“The trust bank is so high here. We leave our devices unlocked, we give out our passwords,” he told theSun.

“So, when we talk about needing to enhance our tech, human errors and complacency need to be looked into as well.”

BAC Education Group founder and managing director Raja Singham echoed similar concerns, particularly about the compliance burden placed on smaller businesses under current regulations.

He said the 20,000 data-subject threshold for compliance under PDPA effectively pulls in almost every organisation, from supermarkets to educational institutions.

“Even a mid-sized college like BAC holds well over 20,000 data records. Everyone gets caught.”

Raja said SMEs, which make up over 90% of Malaysian businesses, are often left scrambling to comply with new mandates without adequate time or support.

“We roll things out very quickly and then threaten penalties. However, most SMEs don’t have the manpower, training or budget to respond immediately.”

He added that the shortage of skilled professionals, such as privacy officers and cybersecurity leads, has left many firms unable to comply meaningfully.

“These are now mandatory roles. But for many businesses, they’re seen as added expenses, and no one knows whom to hire or how to train them.”

On recent leaks involving government websites, Raja attributed the problem to outdated infrastructure.

AI-fuelled sexual exploitation of children on the rise

PETALING JAYA: Authorities are raising the alarm over a disturbing rise in AI-fuelled sexual exploitation of children, as offenders increasingly weaponise deepfake technology and encrypted platforms to target Malaysian children.

CyberSecurity Malaysia (CSM), an agency under the Digital Ministry, warned that AI is being abused to generate synthetic child sexual abuse material (CSAM), a trend that is complicating online safety efforts and outpacing traditional enforcement methods.

CSM CEO Datuk Dr Amirudin Abdul Wahab said its monitoring has uncovered growing incidents of images of Malaysian children being harvested from platforms such as Facebook and WhatsApp.

“These images, often shared innocently, are repurposed by offenders using deepfake tools such as DeepFaceLab, Faceswap and Avatarify.

“In some cases, they even create fully synthetic children using AI-generated faces and 3D models, falsely claiming that no real child was harmed.

“This is a dangerous narrative that risks normalising abuse,” he told theSun recently.

Amirudin said encrypted apps such as Telegram, TOX and Session have become key channels for circulating CSAM, grooming material and guides on avoiding detection.

Although Malaysia has legal frameworks such as the Sexual Offences Against Children Act 2017 and Section 233 of the Communications and Multimedia Act, enforcement remains hampered by jurisdictional challenges, a lack of legal definition for cyberbullying and offender anonymity.

He called for stronger inter-agency collaboration, improved digital parenting strategies and greater public awareness to better protect children in an increasingly borderless, hyperconnected digital landscape.

“Malaysia cannot afford to stay passive and we cannot act alone. No single country can tackle this threat in isolation. As the number of social media users grows, so does the scale of cyber harassment.

“Exploitation has moved from schoolyards to chatrooms. If we don’t evolve our defences, the harm will be irreversible.”

From January to June 15, the Malaysian Communications and Multimedia Commission (MCMC) flagged 1,501 online content items involving child exploitation. Of these, 94% were taken down following cooperation with digital platforms and public reports.

In a joint statement with police, MCMC said the creation, sharing or possession of such materials is a serious offence under Section 233 of the Communications and Multimedia Act 1998, carrying penalties of up to RM1 million, five years’ jail, or both.

Offenders may also face charges under the Sexual Offences Against Children Act 2017, which criminalises the production, distribution and possession of CSAM.

The authorities highlighted recent crackdowns such as Ops Pedo in December 2024, which led to 13 arrests and the seizure of over 40,000 CSAM files across multiple states.

MCMC has also intensified its internet safety education through Kempen Internet Selamat. A key focus is discouraging social media use among children aged 13 and below.

The public is urged to report suspicious online activity to MCMC via email (aduanskmm@mcmc.gov.my), its complaints portal or any police station. – By Faiz Ruzman

Amirudin said images shared online can be altered using deepfake tools such as DeepFaceLab, Faceswap and Avatarify (pic features AI generated images). – SYED AZAHAR SYED OSMAN/THESUN
