On June 14, 2022, federal Public Safety Minister Marco Mendicino introduced Bill C-26, An Act Respecting Cyber Security (ARCS). Intended to strengthen the cybersecurity of vital services and vital systems, this proposed legislation would, among other things, require various federally regulated organizations to take steps to protect their cyber infrastructure. Once the Schedules to ARCS are finalized, these may include organizations providing:
- telecommunications services;
- interprovincial or international pipeline and power line systems;
- nuclear energy systems;
- transportation systems that are within the legislative authority of Parliament;
- banking systems; and
- clearing and settlement systems.
Part 2 of ARCS would enact the Critical Cyber Systems Protection Act (CCPSA). As stated in the bill, the purpose of this proposed legislation is to "… help to protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, among other things,
- any cybersecurity risks in respect of critical cyber systems are identified and managed, including risks associated with supply chains and the use of third-party products and services;
- critical cyber systems are protected from being compromised;
- any cybersecurity incidents affecting, or having the potential to affect, critical cyber systems are detected; and
- the impacts of cybersecurity incidents affecting critical cyber systems are minimized."
To this end, the CCPSA would require a "designated operator" (namely, a person, partnership or unincorporated organization that belongs to any class of operators referred to in Schedule 2 of the CCPSA) that owns, controls or operates a critical cyber system to comply with the requirements of the proposed Act in respect of that system. For reference, a critical cyber system means "a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system."
A summary of some of the material CCPSA requirements is as follows:
Cybersecurity Program
A designated operator would be obligated to establish a cybersecurity program in respect of its critical cyber systems and to include in the program reasonable steps to:
- identify and manage any organizational cybersecurity risks, including risks associated with the designated operator’s supply chain and its use of third-party products and services;
- protect its critical cyber systems from being compromised;
- detect any cybersecurity incidents affecting, or having the potential to affect, its critical cyber systems;
- minimize the impact of cybersecurity incidents affecting critical cyber systems; and
- do anything that is prescribed by the regulations.
Mitigation of Supply-Chain and Third-Party Risks
As soon as any cybersecurity risk associated with the designated operator's supply chain or its use of third-party products and services has been identified in connection with its cybersecurity program, the designated operator would need to take reasonable steps, including any steps prescribed by the regulations, to mitigate those risks.
Reporting of Cybersecurity Incidents
A designated operator would need to immediately report a cybersecurity incident in respect of any of its critical cyber systems to the Communications Security Establishment and to its regulator.
Confidentiality of Information
Subject to various exceptions, the CCPSA would prohibit the disclosure of any information obtained under that Act in respect of a critical cyber system that: "(a) concerns a vulnerability of any designated operator's critical cyber system or the methods used to protect that system and that is consistently treated as confidential by the designated operator; (b) if disclosed could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a designated operator; or (c) if disclosed could reasonably be expected to interfere with contractual or other negotiations of a designated operator."
Record Keeping
Designated operators would be required to keep records with respect to:
- any steps taken to implement the designated operator’s cybersecurity program;
- every cybersecurity incident that the designated operator reported under the CCPSA;
- any steps taken by the designated operator to mitigate certain supply-chain or third-party risks;
- any measures taken by the designated operator to implement a cybersecurity direction; and
- any matter prescribed by the regulations.
Penalties
The penalty for a designated operator or other person who contravenes a provision of the CCPSA or a related regulation may be up to $15,000,000 (or a maximum of $1,000,000 for an individual). If a designated operator commits a violation, any director or officer of the designated operator who acquiesced in or participated in the commission of the violation may be held similarly liable, whether or not a proceeding has been brought against the designated operator itself.
As the CCPSA may serve as a model for provinces and territories to secure the critical cyber infrastructure under their purview, Canadian organizations are encouraged to monitor Bill C-26 as it progresses through the legislative process.