On June 14, 2022, the Canadian government tabled Bill C-26, An Act Respecting Cyber Security (“ARCS”), which introduces significant new cybersecurity requirements for federally regulated industries and new national security requirements for the telecommunications sector. As it is currently drafted, ARCS would create a comprehensive framework for regulating the security of Canadian critical infrastructure and enhancing oversight over telecommunications security:
- The first part of ARCS would amend the Telecommunications Act with a focus on securing Canada’s telecommunications systems and prohibiting the use of products and services of certain suppliers.
- The second part of ARCS would enact the Critical Cyber Systems Protection Act (“CCSPA”) with new requirements for certain federally regulated organizations to prepare for, prevent, and respond to cyber security incidents.
As noted in the official Backgrounder, ARCS is intended to empower the Canadian government to “respond to emerging cyber threats” and “strengthen baseline cyber security” for vital services and systems. In the current cyber risk landscape, operators of critical infrastructure are recognized as being at a heightened risk of cyber-attacks from malicious actors given the potential for severe disruption. For enterprises in the telecommunications, energy, finance, and transport sectors in particular, ARCS is a strong signal that the Canadian government intends to take these risks seriously by increasing its regulatory supervision and intervention going forward.
Critical Cyber Systems Protection Act (CCSPA)
Who does the CCSPA apply to?
CCSPA would apply to operators in the telecommunications, energy, finance, and transport sectors. More specifically, under the CCSPA, the Canadian government may designate:
- certain federally regulated systems and services as being vital to national security or public safety (“vital systems and services”); and
- a class of operators (e.g. persons, partnerships or unincorporated organizations) in respect of a vital system or service (“designated operators”), and the regulator for that class.
The requirements of CCSPA apply to designated operators that own, control or operate a “system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information […] that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system” (“critical cyber system”).
Although the current draft of CCSPA lists no designated operators in its Schedule 2, it enumerates six vital systems and services in its Schedule 1, each with a corresponding regulator:
Designated operators must comply with four key requirements under CCSPA:
1. Establish, implement, maintain, and review a cyber security program;
2. Report cyber security incidents;
3. Comply with cyber security directions; and
4. Maintain records of compliance and incidents.
Cyber Security Program
Designated operators must establish, implement, and maintain a cyber security program as it relates to their critical cyber systems. In addition to any requirements prescribed by regulations, these cyber security programs must include reasonable steps to:
1. Identify and manage cyber security risks, including risks associated with their supply chain and their use of third-party products and service providers;
2. Protect their critical cyber systems from being compromised;
3. Detect cyber security incidents that are affecting or potentially may affect their critical cyber systems; and
4. Minimize the impact of cyber security incidents affecting critical cyber systems.
Within 90 days after being designated (or a longer period at the regulator’s discretion), designated operators must establish their cyber security program, notify the appropriate regulator in writing confirming same, and provide them with a copy. Designated operators must also:
- take reasonable steps to mitigate any identified cyber security risk associated with their supply chain or use of third-party products and services;
- conduct a review of their cyber security program within a 60-day period from each anniversary of its establishment or another prescribed period;
- notify the regulator of changes to the program within 30 days from the review; and
- immediately notify the regulator of material changes in their ownership or control, supply chain, use of third-party products and services, or other prescribed circumstances, and within 90 days from that notification, notify the regulator of changes to their cyber security program as a result of those circumstances or another material change.
Cyber Security Incidents
Designated operators must immediately report cyber security incidents affecting their critical cyber systems to the Communications Security Establishment (“CSE”), followed by notification to the appropriate regulator, who is entitled to a copy of the report from both the designated operator and the CSE upon request.
CCSPA defines a cyber security incident as an act, omission, or circumstance that interferes or may interfere with (a) the continuity or security of a vital service or system; or (b) the confidentiality, integrity, or availability of a critical cyber system.
These reporting obligations are in addition to existing obligations. For example:
- The Office of the Superintendent of Financial Institutions requires notification of any technology or cyber security incidents affecting federally regulated financial institutions within 24 hours as explained in our previous bulletin.
- The Office of the Privacy Commissioner of Canada requires notification from regulated organizations as soon as feasible where a breach of safeguards involving personal information results in a real risk of significant harm as explained in our previous bulletin.
Cyber Security Directions
Designated operators must comply with cyber security directions made by the Canadian government, which may include specific measures and conditions for the purpose of protection of a critical cyber system, as well as a timeline for compliance.
Cyber security directions must be kept confidential by the designated operator, which may not disclose their existence and content, except to the extent required for compliance. However, CCSPA expressly permits extensive information collection and sharing between designated Canadian government officials and entities in relation to cyber security directions.
Designated operators must keep records related to each of their obligations under CCSPA, which differ from recordkeeping requirements in privacy laws. Records must document reported cyber security incidents and steps taken to implement the cyber security program, to mitigate supply chain or third-party risks, and to implement cyber security directions.
In addition, designated operators are required to keep all records in a prescribed manner in Canada, at a prescribed location or otherwise at their place of business. Absent evidence to the contrary, entries in records will serve as proof against the person who made the entry or the designated operator required to keep the record.
Enforcement and Penalties
Regulators are granted broad enforcement powers to verify compliance or prevent non-compliance with CCSPA. Regulators may enter a place where they have reasonable grounds to believe that a CCSPA-regulated activity is being conducted or that a document, information or thing relevant to that purpose is located there. Regulators may exercise powers such as examining anything at the place, taking or copying any document or data, and using any “cyber system” (or causing it to be used) to examine information available through the system. Moreover, regulators are entitled to all reasonable assistance from the owner or operator of the place, and anyone found there.
To prevent non-compliance or mitigate the risks thereof, regulators may also audit an operator and issue a compliance order.
CCSPA also balances its broad disclosure requirements with certain protections for “confidential information”, which is defined as information (1) about vulnerabilities or protection measures of critical cyber systems of a designated operator that is treated confidentially; (2) that could reasonably be expected to have a material financial impact on the operator or prejudice their competitive position; or (3) that could reasonably be expected to interfere with their negotiations.
Accordingly, confidential information may only be disclosed under specific circumstances, including legal requirements, consent of the designated operator, and necessity for the protection of vital services, systems or critical cyber systems. Moreover, confidential information may be shared under agreements or arrangements between certain government entities and regulators.
Administrative Monetary Penalties and Offences
CCSPA relies on both an administrative monetary penalty regime and a statutory offences regime to enforce its provisions, similar to those in the Telecommunications Act. Either regime can involve the personal liability of directors and officers who direct, authorize, assent to, acquiesce in or participate in a violation of the CCSPA, which can result in significant fines or imprisonment.
Eventual regulations may classify violations as minor, serious or very serious and determine the maximum penalty for each type of violation. However, penalties for each violation may not exceed $1,000,000 for individuals and $15,000,000 for other cases.
Designated operators have the right to make representations or exercise a defence of due diligence. Regulators are granted discretion to correct errors in a notice of violation, cancel it or enter into compliance agreements with terms the regulator considers appropriate, including the reduction of the amount of the penalty in part or in whole.
Violating certain provisions of CCSPA is a punishable offence. Individuals and corporations are liable for fines at the discretion of the court. Moreover, individuals may be sentenced to a term of up to two years on summary conviction or five years upon conviction on indictment.
Amendments to Telecommunications Act
ARCS also establishes special rules for securing the telecommunications sector, recognizing its importance to national security. Part 1 of ARCS would amend the Telecommunications Act to provide the Canadian government and the Minister of Industry with sweeping new regulatory powers to secure the Canadian telecommunications system.
The amendments would also add the promotion of the security of the Canadian telecommunications system to the Canadian telecommunications policy objectives. This would provide the Canadian Radio-television and Telecommunications Commission (or CRTC) with an express statutory basis to consider security ramifications when crafting regulatory policies affecting the industry.
ARCS would amend the Telecommunications Act to enable the Canadian government and the Minister to make orders respecting a telecommunications service provider’s (“TSP”) (i) use of products and services of specific vendors and other TSPs in telecommunications networks; and (ii) provision of specific telecommunications services in Canada (each a form of “security order”).
The distinction between these two types of security order is important: one form relates to inputs (both physical products and services) into telecommunications networks, and the other relates to the type of telecommunications services that a TSP may offer using those networks. However, both must be based on the opinion that the security order is necessary to secure the Canadian telecommunications system, including against “the threat of interference, manipulation or disruption”.
Specifically, the Canadian government may make a security order that:
- prohibits a TSP from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities; or
- directs a TSP to remove all products provided by a specified person from its telecommunications networks or telecommunications facilities.
Separately, the Minister of Industry will be given the authority to:
- prohibit a TSP from providing any service to any specified person, including another TSP; and
- direct a TSP to suspend providing for a specified period any service to any specified person, including another TSP.
The Minister of Industry will also have the power to order precise measures, such as imposing conditions on a TSP’s use of a specific product or service, prohibiting a TSP from entering a service agreement (or requiring the termination of an existing agreement), requiring TSPs to develop a security plan, requiring a TSP to conduct vulnerability assessments and mitigate identified vulnerabilities, or requiring that a TSP implement specified standards in relation to their products and services. The enumerated powers are not exhaustive, meaning the Minister has very broad power to determine the contents of a security order, subject only to general administrative law principles.
Significantly, the Canadian government and the Minister will have the authority to prohibit the disclosure or publicization of any security order, meaning these decision-makers will have the ability to make each form of security order without other actors in the telecommunications industry—or, indeed, the public—being aware.
Minister’s Power to Obtain Information
Similar to the CCSPA, ARCS also provides the Minister of Industry with a broad power to compel the production of information, subject to limited exceptions. Specifically, the Minister may require any person to provide “any information that the Minister believes on reasonable grounds is relevant for the purpose of making, amending or revoking” a security order. Information provided in response may be designated as confidential if it includes trade secrets; commercial, scientific or technical information that is consistently treated as confidential; or information that may result in economic prejudice if disclosed.
Inspection and Enforcement
The Minister may designate any qualified person as an inspector for the purpose of verifying compliance or preventing non-compliance with a security order.
ARCS extends the existing administrative monetary penalty regime in the Telecommunications Act to ensure compliance with the security order provisions and other new obligations. Specifically, violations of these new obligations expose individuals and corporations to penalties of up to $25,000 and $10,000,000, respectively, for a first violation and to $50,000 and $15,000,000, respectively, for each subsequent violation. These penalties are made even more substantial by the fact that each day that a violation continues constitutes a separate violation.
Although many details will need to be clarified in its regulations, ARCS becoming law would represent a significant development in Canadian cybersecurity law and the telecommunications security landscape.
Operators involved with critical cyber systems in federally regulated industries, particularly those which qualify as a vital system or service, should carefully review its provisions and evaluate the potential compliance issues based on their existing cybersecurity practices. In particular, operators potentially subject to these requirements should consider preparatory measures, including:
- reviewing their existing cybersecurity program and ensuring it is current, comprehensive, and well-documented;
- reviewing their agreements with service providers to account and prepare for potential cyber security directions or security orders; and
- developing and maintaining an incident reporting process, which is typically documented in an incident response plan.
Given the requirements for designated operators to manage third-party risks, service providers and suppliers who do business with them should prepare for closer scrutiny of their cybersecurity standards and consider similar preparatory measures.
TSPs should strategically prepare for federal political decision makers being given new legal and policy tools to shape the Canadian telecommunications industry by denying access to commercial actors who may present a risk to the Canadian telecommunications system.
From a national security perspective, ARCS and the anticipated CCSPA represent the fulfilment of a national critical infrastructure protection initiative that began in 2009 with the first federal-provincial National Strategy for Critical Infrastructure. With the advent of the Internet of Things, cyber threats to Canada’s essential security interests can increasingly manifest in “real world” consequences. The growing digital interconnectivity of critical infrastructure systems represents a vulnerability that ARCS looks to address by establishing a baseline level of cyber resilience and recoverability.