Nacsa warns that unauthorised network access, even for security testing, is illegal under Malaysia’s licensing framework for cybersecurity services.

PETALING JAYA: Ethical hackers in Malaysia walk a legal tightrope, as even well-intentioned security testing can be treated as a criminal offence without explicit written consent, warned the National Cyber Security Agency (Nacsa).

In a written response to theSun, it said Malaysia’s licensing framework for managed security operations centre (MSOC) monitoring and penetration testing is designed to distinguish authorised assessments from unlawful network intrusions.

“Ethical hacking is defined by a specific scope and explicit written consent. Any attempt to access a network without prior authorisation remains an illegal act.”

The framework requires MSOC and penetration testing services to be conducted solely by licensed providers, particularly for organisations designated as National Critical Information Infrastructure (NCII). This ensures that testing is performed by properly credentialled practitioners within approved boundaries.

Nacsa said oversight does not end at licensing.

It added that during licence renewal, the chief executive may review a provider’s performance records covering the preceding six years, including whether any NCII entities experienced cyber incidents after MSOC monitoring or penetration testing.

“Licensed providers must maintain service records for six years and produce them on request to support transparency and compliance.”

The agency also highlighted a notable gap between licensed companies and individual practitioners. Malaysia currently has 410 companies licensed for SOC services and 403 for penetration testing, compared with only 23 individuals licensed for SOC services and 53 for penetration testing.

“This is expected because NCII entities, particularly government-linked bodies, prioritise vendors registered with the Companies Commission of Malaysia to meet procurement requirements.

“However, demand for individual freelancers still exists, especially among smaller organisations seeking penetration testing services.

“Cybersecurity is fundamentally a governance issue. Organisational leadership must integrate cyber risk into corporate governance to ensure adequate resources, robust SOPs and effective cyber hygiene awareness.” 

 The Sun Malaysia