Sector-specific offensive security, compliance and managed defence — scoped to the regulator and threat model that actually applies to your business in Malaysia.
nCrypt is an MIT-founder-led Malaysian cybersecurity firm built around fourteen distinct sector practices. We don't run a single generalist playbook across every client. A bank's control surface — SWIFT, core banking, payment switches, the RMiT control library — is structurally different from an upstream oil & gas operator's Purdue-model OT estate, which is different again from a telco's SS7/Diameter signalling plane or a hospital's HIS/EMR records. Scoping each engagement from the sector's actual reality is how we keep findings useful and audits passable.
Every practice is aligned to the regulator that owns it. Bank Negara's RMiT policy and the SWIFT Customer Security Programme anchor financial-services work. The Cyber Security Act 2024, NACSA's NCII designation regime, and the sector-lead codes of practice anchor government, utilities, telco, transport, healthcare and energy engagements. MCMC's network-resilience expectations shape telecommunications work. PDPA 2010 plus the 2024 amendments — breach notification, DPO appointment, cross-border transfer rules — underpin every data-handling review. We scope the work the auditor will care about, deliver the technical controls underneath it, and stay accountable for both.
BNM RMiT compliance, SWIFT security assessments and core-banking penetration testing for banks, DFIs and capital markets.
PDPA-aligned protection for patient records, HIS/EMR estates, medical-device segmentation and ransomware-resilient backups.
NACSA NCII readiness, MyDigital alignment and Cyber Security Act 2024 compliance for federal, state and GLC entities.
OT/ICS security, IEC 62443 audits and MES-to-ERP segmentation for E&E, F&B and contract manufacturers across the Peninsula.
IEC 62443, NACSA NCII readiness and hazard-gated OT pentest for upstream, midstream and downstream operators.
Grid OT security, NERC-CIP-equivalent controls and Cyber Security Act 2024 readiness for IPPs, gencos and distribution.
MCMC-aligned controls, NCII-grade core-network security and signalling/SS7 testing for mobile operators, ISPs and tower companies.
RMiT alignment, PDPA 2024 readiness and adversarial-AI defence for insurers, takaful operators and reinsurers.
PCI DSS, payment-gateway hardening and bot/fraud defence for online retailers, marketplaces and omnichannel brands.
SOC 2, ISO 27001, secure SDLC and cloud-native security reviews for Malaysian SaaS, fintech and platform companies.
Renewables, IPP and grid-edge cybersecurity — inverter security, SCADA segmentation and NCII-grade engagement scoping.
NotPetya-aware methodology, third-party risk management and IR retainers for ports, freight forwarders and 3PLs.
Client-confidentiality assurance, BEC defence, matter-room security and PDPA controls for Malaysian law firms.
PDPA-aligned controls for student records, campus network segmentation and research-data protection for IPTAs and IPTSs.
nCrypt delivers offensive security, compliance and managed defence across fourteen sector practices: financial services (banks, DFIs, capital markets), insurance and takaful, healthcare, government and GLCs, manufacturing, oil & gas, utilities and power, telecommunications, technology and SaaS, energy and renewables, e-commerce and retail, logistics and supply chain, legal, and education. Each practice is scoped to the regulator and threat model that actually applies to that sector in Malaysia — BNM RMiT for finance, NACSA and the Cyber Security Act 2024 for NCII operators, MCMC for telcos, PDPA 2010 (and the 2024 amendments) for any business handling personal data.
Yes. Every sector practice is scoped against the regulator that owns it. Financial-services work is aligned to Bank Negara's Risk Management in Technology (RMiT) policy and the SWIFT Customer Security Programme. Telecommunications engagements are scoped to MCMC's network-resilience and lawful-interception expectations. Critical National Information Infrastructure (CNII/NCII) sectors — finance, energy, water, healthcare, government, transport, defence, communications, emergency services, food and agriculture — are scoped to NACSA's Cyber Security Act 2024 framework and the sector-lead codes of practice. PDPA 2010 plus the 2024 amendments (data-breach notification, data-protection officer appointment, cross-border transfer rules) underpin all data-handling reviews.
A generalist runs the same playbook across every client and lets the regulator do the translation work. A sector specialist scopes engagements around the actual systems, threat actors and regulatory pressure that define the sector — for finance, that means SWIFT, core-banking, payment switches and the RMiT control library; for oil & gas it means IEC 62443, Purdue-model segmentation and hazard-gated active testing; for telco it means SS7/Diameter signalling, IMS core and lawful-interception controls; for healthcare it means HIS/EMR estates, medical-device segmentation and PDPA-grade record protection. nCrypt's MIT-founder-led team scopes from the sector's reality, not from a generic checklist.
Yes. nCrypt has submitted its licensed cybersecurity service provider (LCSP) application under the Cyber Security Act 2024 and operates to the standards expected of the licensed-provider regime. For NCII-designated entities, the firm scopes engagements against the NACSA sector-lead codes of practice — including the asset-inventory, risk-assessment, audit and incident-notification obligations — and delivers the underlying technical work (penetration testing, vulnerability assessment, security policy development, incident response) that the codes require.
Yes. PCI DSS is delivered for merchants, acquirers and payment-service providers across e-commerce, retail and financial services. ISO 27001 and SOC 2 readiness is delivered for technology, SaaS, fintech and any enterprise pursuing customer-required attestation. Engagements are scoped to the sector — a SaaS SOC 2 looks very different from a manufacturer's ISO 27001 — and are paired with the technical controls work (pentest, code review, cloud hardening, policy development) needed to actually pass the audit, not just hand over evidence.
Scoping calls are confirmed within 24 hours. Standard sector engagements — pentest, vulnerability assessment, compliance gap analysis — typically mobilise within 1–3 weeks of signed SoW. Incident response retainers carry guaranteed acknowledgement SLAs (one hour for critical) with pre-positioned credentials and offline forensic tooling, so first responders are on the wire the same day the incident is declared. For NCII-designated entities, mobilisation also covers the regulatory-notification matrix (NACSA, MCMC, BNM, PDPC as applicable) from the first hour of the engagement.
Share your scope. We'll respond within 24 hours.
Sector engagements lean on these core capabilities.
CREST-aligned offensive testing scoped to each sector's threat model.
Bank Negara compliance for financial-services and capital-markets clients.
NCII readiness aligned to NACSA sector-lead codes and CSA 2024.
24/7 DFIR retainers with sector-specific notification matrices.
Talk to a Malaysian-regulator-aligned consultant about your industry's threat model.