As Malaysia advances its digital economy ambitions, the cybersecurity landscape in 2025 has been characterised by rapid acceleration in both threats and defensive measures. The full implementation of the Cyber Security Act 2024 (Act 854), effective since August 2024, has imposed mandatory compliance on National Critical Information Infrastructure (NCII) entities across 11 sectors, including banking, energy, transport, and government.
This shift has driven organisations towards assured resilience, with requirements for annual risk assessments, incident reporting to the National Cyber Security Agency (NACSA), and biennial audits.
Official data underscores the urgency: NACSA reported 2,366 cybersecurity incidents in the first half of 2025 alone, many targeting vulnerable populations through sophisticated scams and AI-enhanced attacks. CyberSecurity Malaysia's MyCERT quarterly reports highlight persistent fraud (over 70% of incidents), ransomware surges from late 2024 (78% increase in Q4 2024, with ongoing threats into 2025), and emerging issues such as QR code phishing ("quishing") and impersonation scams.
The government's response includes the launch of the Malaysia Cyber Security Strategy 2025–2030, focusing on resilience, awareness, and intelligence sharing, alongside a talent drive to reach 27,000 professionals by year-end amid a shortfall of over 12,000.
Market projections reflect this momentum, with the cybersecurity sector valued at USD 6.15 billion in 2025 and a CAGR of around 7-16% fuelled by regulatory enforcement and AI-driven threats.
State of cybersecurity in Malaysia

Asked for his take on the state of cybersecurity in the country, Jeremiah Abraham Selvaraj, head of cybersecurity solutions at CyberArmour Asia Sdn. Bhd., summed up 2025 in one word: "acceleration". "We're not seeing just more attacks. We are seeing a surge in the investment into cybersecurity," he stated.
He pointed to a staggering 78% increase in ransomware incidents in late 2024, a trend that has compounded into 2025, exacerbated by generative AI enabling attackers to craft highly convincing phishing scams and malware.
The government's swift rollout of the Cybersecurity Act 2024 (in effect since August 2024) has fundamentally transformed requirements for critical national information infrastructure (CII) sectors, including government, agriculture, banking, energy, transport, and utilities.
Amendments to the PDPA in 2025 introduced mandatory breach notifications and stricter cross-border data transfer rules, making compliance a "core business requirement" with significant penalties.
On the investment side, Selvaraj noted that executives are recognising cybersecurity as a "critical business enabler". Malaysia's cybersecurity market is experiencing robust growth, with projections reflecting a high compound annual growth rate (CAGR) driven by regulatory pressures.
Sources of investment amid economic pressures
Despite global economic challenges, organisations are prioritising cybersecurity through internalisation and consolidation. Selvaraj observed: "There is much internalisation of cybersecurity processes... we see more effort is put in internally to develop teams rather than outsourcing."
Banks, for instance, are building in-house security operation centres and upskilling staff. Others are consolidating tools into integrated platforms for cost efficiency: "Instead of having a few different solutions, they find like integrated solutions at a lower cost."
Restructuring cybersecurity programmes for sectoral regulations
For CISOs in the 11 CII sectors, the Cybersecurity Act 2024 marks a shift from "best effort" to "assured resilience and accountability". Selvaraj outlined three levels of restructuring: governance and mindset, regulatory adherence, and strategic prioritisation.
The mindset has evolved to "assume that you are already breached". "It's no longer something that you think is a probability, but it is an eventuality," he explained. Regulatory adherence involves mandatory annual risk assessments and direct communication with NACSA. Strategically, CISOs and CIOs are prioritising "tier zero" assets, such as payment gateways and utility grids, with robust protections.
Collaborative defence through NACSA-led initiatives
The Act mandates incident reporting to NACSA, fostering a "two-way street" for threat intelligence. Organisations contribute detailed reports on anomalies while benefiting from contextualised alerts, such as indicators of compromise from specific threat actors. Selvaraj termed this "collaborative defence", citing NACSA alerts that enable immediate action across sectors.
Navigating data residency and sovereignty under PDPA
With the PDPA amendments introducing breach notifications and cross-border rules, CISOs must distinguish between data residency (physical location) and sovereignty (legal control). Selvaraj emphasised the need to educate businesses: "Even if my data is in a Kuala Lumpur data centre, can foreign law like the US Cloud Act compel the US-based cloud provider to hand it over?"
The response involves adopting "sovereign capable" strategies, partnering with providers that guarantee immunity from foreign legal access, especially for sensitive citizen or financial data.
Preparing for a hardening cyber insurance market
Cyber insurance is shifting from risk mitigation to transference, with premiums skyrocketing and coverage narrowing amid global losses exceeding US$10.5 trillion. Selvaraj advised treating insurance as the "last line of defence": prioritise preventive controls like MFA and zero trust, then use insurance applications to benchmark maturity and demonstrate resilience to insurers.
Building cyber-resilient BC and DR
Traditional DR plans, designed for physical disasters, fail against logical ransomware attacks that encrypt both primary and secondary sites. Selvaraj stressed collaboration between CISOs and CIOs to rewrite playbooks for "cyber resilient" plans resting on immutability and air gapping: "Your data, your backups need to be immutable... store a clean immutable copy... in an environment that is logically and networkly disconnected."
Educating the Board and C-Suite on liabilities
Education has moved to "business risk-based dialogues", quantifying risks in financial terms and running tabletop exercises. Selvaraj's firm simulates breaches, forcing executives to decide: "Who are you calling first? ... What will you tell the press?" This builds muscle memory, referencing penalties under the Cybersecurity Act (up to 10 years' imprisonment) and PDPA amendments.
Outlook for 2026 and advice for CISOs
Selvaraj predicts that 2026 will feature AI-driven warfare, "crime-as-a-service" and IT-OT convergence that exposes critical infrastructure. "The biggest risk will be the accelerating convergence of IT and OT."
His advice: master fundamentals like patch management and least privilege; become a "business enabler" by integrating security from day one; and balance risk appetite with resilience.
"The CISO of 2026... must be able to balance the risk appetite of the business with the resiliency that is required." - Jeremiah Abraham Selvaraj
