Boards & CEOs Ransomware Series #7: Are Our Practices in Alignment with Regulatory Requirements?
Hello friends. In Malaysia, the legal expectations around ransomware incidents have tightened considerably. If you think regulators are just observers, think again—they’re watching how fast you respond, how prepared you are, and whether you’ve done your homework before the crisis hits.
So here’s the big question for the board and CEO: Are we prepared to meet our legal obligations when a ransomware incident occurs?
Regulatory Expectations Are Clear—and Strict
Let’s start with what the law says.
Under the Personal Data Protection Act 2024, if personal data is compromised in a ransomware incident, organizations have 72 hours to report it. Miss that window, and you risk regulatory action, legal suits, and brand damage that could take years to recover from.
Meanwhile, the Cyber Security Act 2024 mandates that NCII organizations have a proper incident response plan, not just on paper but operationally ready. It also requires reporting cyber incidents to NACSA—which means ransomware isn’t just a business crisis, it’s a legal one too.
These deadlines are not suggestions. They’re legal obligations. And failure to comply is expensive.
What Should Boards and CEOs Be Asking?
The role of the board isn’t to manage incidents—that’s the CEO’s responsibility.
The board’s role is to ensure the organization is prepared. That means asking the tough questions long before a crisis hits.
Let’s walk through three of them.
1. Are Our Playbooks Aligned with Regulatory Timelines?
It’s one thing to have a ransomware playbook. It’s another to make sure it actually aligns with regulatory requirements.
Are your incident response workflows mapped to the 72-hour breach notification rule? Is your legal team involved in drafting and testing the plan? Do your communication protocols factor in deadlines for notifying regulators and affected individuals?
If you’re unclear on any of these, your playbook needs work. Because in a real attack, every hour counts—and regulators don’t care if you’re “almost ready.”
2. Have We Tested Our Reporting Processes Through Simulations?
You can’t afford to learn on the job during a cyber crisis. Reporting procedures need to be rehearsed, not just documented.
Has your company run full-scale ransomware tabletop exercises that include reporting obligations? Did legal, PR, and compliance actually participate—or was it just IT and security? Did those teams know what to do, or were they caught off guard?
If the first time you're dealing with regulators is during an actual breach, you're already too late.
3. Are Our External Partners Aligned With Our Compliance Expectations?
Most companies today depend on cloud service providers, IT vendors, and outsourced platforms. But what happens if an incident originates there—or if you need logs, forensic data, or help isolating the breach?
Are your partners contractually obligated to respond within your regulatory reporting window? Do they even know what’s expected of them in a ransomware scenario?
Too many organizations assume their partners will “figure it out.” But if they don’t—and they delay your response—it’s still your company on the hook when the regulators come knocking.
Compliance Is About Trust—and Reputation
Ransomware is a board-level issue, a regulatory issue, and a reputation issue. If your company fumbles its response, it won’t matter how sophisticated your security tools are. What matters is how fast you respond, how well you communicate, and whether you’ve met your obligations.
So here’s what every board should ensure today:
That regulatory timelines are baked into every incident response playbook.
That mock drills and simulations test real-world readiness—not just technical response, but legal and reputational response too.
That third-party vendors are fully aligned with your compliance expectations—and contractually bound to act within defined timeframes.
Because when something goes wrong, saying “we weren’t ready” is the fastest way to lose trust.
That’s all for this week.
Cheers,
Sivanathan