On June 14, 2022, the House of Commons of Canada introduced Bill C-26, which would impose a series of cybersecurity-related obligations on designated organizations in four key federally regulated sectors: telecommunications, finance, energy and transportation. At a high level, the bill would enact the Critical Cyber Systems Protection Act (CCSPA), which aims to protect critical cyber systems considered integral to Canadian infrastructure and public safety.
APPLICABILITY TO DESIGNATED OPERATORS
If passed as currently drafted, the CCSPA would require “designated operators” (the classes of organizations who would be subject to this legislation have not yet been identified) to protect their “critical cyber systems” – those systems that, if their confidentiality, integrity or availability were compromised, could affect the continuity or security of one of the vital services or systems identified below. The CCSPA would be overseen by the Communications Security Establishment (CSE), Canada’s national cryptologic agency, along with the following sector-specific regulators:
LEGISLATIVE HIGHLIGHTS
Designated operators would be required to, among other things:
- Establish, implement and regularly review a cybersecurity program, which must include steps to identify and manage organizational cybersecurity risk;
- Mitigate any cybersecurity risk associated with its supply chain or third-party products and services that it identifies;
- Notify the appropriate regulator of any material change of ownership or control, or any material change in the designated operator’s supply chain or use of third-party products and services;
- Comply with a cybersecurity direction issued by either the Federal Cabinet or the appropriate regulator and not disclose the direction’s existence or content; and
- Keep records regarding the implementation of its cybersecurity program and any cybersecurity incident, and such records must be stored within Canada.
Designated operators will also be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a cybersecurity incident to the CSE in the manner that will be set out in CCSPA’s regulations. Second, a designated operator must also notify its responsible regulator “immediately after reporting a cybersecurity incident” to the CSE.
Responsible regulators are granted broad inspection and audit powers, which are not limited to the premises of the designated operator. Responsible regulators may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with CCSPA.
Enforcement of the CCSPA includes an administrative monetary penalties regime for noncompliance with the legislation. Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate in, assent to, or acquiesce in the commission of the violation. The range of penalties is to be prescribed by regulation, but the CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. Noncompliance with certain provisions of the CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.
SECTOR-SPECIFIC COMMENTARY
Telecommunications
In addition to enacting the CCSPA, Bill C-26 would amend the Telecommunications Act by introducing security as a policy objective, and providing the Governor in Council and Minister of Industry with a series of powers that are largely directed at Canada’s 5G infrastructure and equipment. Among other things, the federal government may:
- prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or remove any such products;
- direct a telecommunications service provider to do anything or refrain from doing anything necessary to secure the Canadian telecommunications system;
- require that a telecommunications service provider develop a security plan;
- require that assessments be conducted to identify any vulnerability in its services, network or facilities; and
- require that a telecommunications service provider take steps to mitigate any vulnerability in its services, network or facilities.
While some of the proposed modifications are primarily directed at Canadian carriers, both facilities-based providers and resellers of telecommunications services should review their cybersecurity posture.
Banking and Clearing and Settlement Systems
The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of “banking systems” and “clearing and settlement systems” which are vital to national security or public safety. While no such classes have yet been identified, a class of operators could include Canada’s systemically important banks or the clearing and settlement systems already designated by the Bank of Canada under the Payment Clearing and Settlement Act (PCSA), though the CCSPA does not limit the designation power to these entities. The use of the term “banking system” in the legislation also suggests that other federal financial institutions, such as insurers, are outside the scope of the designation power.
For designated operators of banking systems, the CCSPA obligations supplement the growing list of expectations of the Office of the Superintendent of Financial Institutions (OSFI) respecting cyber risk management, third-party risk management, and incident reporting. These include the requirements of Guideline B-13: Technology and Cyber Risk Management, which will soon be published in final form, as well as the new Guideline B-10: Third-Party Risk Management published for consultation in April 2022. The CCSPA reporting requirements supplement OSFI’s current Technology and Cyber Security Incident Reporting Advisory, under which federal financial institutions report a technology or cybersecurity incident to OSFI.
For designated operators of clearing and settlement systems, the requirements of the CCSPA will complement the Bank of Canada’s Expectations for Cyber Resilience of Financial Market Infrastructures published in October 2021.
Federal financial institutions are already subject to change of control approval requirements, and clearing and settlement systems must comply with broad notice and approval requirements under the PCSA; however, the CCSPA introduces a remarkably broad notice requirement to report changes in control, or supply chain or third-party products and services. This is because of the use of the “material change” standard. It remains to be seen how OSFI and the Bank of Canada will practically administer this requirement while keeping the flow of information manageable.
For more detail on how the CCSPA applies to banking systems and clearing and settlement systems, please see this table in the Appendix.
Energy Systems
The CCSPA grants the Canada Energy Regulator (CER) additional powers beyond its current powers under the Canadian Energy Regulator Act. The CER regulates pipelines that cross provincial boundaries or the Canada-U.S. border, and the CCSPA likewise applies only to these pipelines, not to pipelines located solely within one province.
The CER currently can assess whether pipeline projects meet engineering, safety and environmental requirements. The CCSPA further allows the CER to inspect and audit whether operators are in compliance with the CCSPA. The Canadian Energy Regulator Act allows the CER to establish regulations regarding cybersecurity matters for interprovincial and international pipelines, though no such regulations have been established to date. Accordingly, the inspection, audit and administrative monetary penalty powers granted to the CER under the CCSPA are an expansion of its role.
The CCSPA also supplements the pre-existing obligations for operators of nuclear power systems under the General Nuclear Safety and Control Regulations (GNSCR). Operators will already be familiar with the obligations for prescribed information, and the obligations to take all necessary precautions to prevent the transfer or disclosure of prescribed information that is not authorized by law. The GNSCR also sets out specific recordkeeping obligations, although the requirements under the CCSPA are more stringent. The Canadian Nuclear Safety Commission (CNSC) already oversees these obligations, and the CCSPA adds to the oversight powers that the CNSC currently possesses.
Transportation Systems
Operators in federally regulated transportation sectors, including aviation, railways and marine transport, will be familiar with the oversight powers exercised by the Minister of Transport. Whether or not the pre-existing obligations of these operators specifically included mitigating cybersecurity-related risks, through safety management systems or otherwise, the CCSPA is a clear direction to these operators to understand and manage cyber risk for their enterprises.
CONCLUSION
Bill C-26 has only completed a first reading and may be amended as it continues through the legislative process. It remains to be seen whether any provinces will enact similar laws that would apply to provincially regulated sectors.
APPENDIX