Companies operating in critical infrastructure sectors such as telecommunications, finance, energy and transportation are constantly challenged to reconcile their varying compliance obligations across multiple jurisdictions. Proposed and forthcoming federal cybersecurity obligations in Canada and the United States are among the latest challenges these companies face.

Both countries have introduced legislation to protect critical infrastructure and to give the federal government oversight of cybersecurity incidents affecting it, including by requiring the reporting of high-priority cybersecurity incidents. This article compares the reporting obligations in the two jurisdictions with the aim of helping companies streamline and reconcile their compliance.

What you need to know

Our comparison of Canada’s proposed Critical Cyber Systems Protection Act (CCSPA) and the United States’ forthcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) indicates the following:

  • Scope. The CCSPA applies to a limited number of sectors to the extent they are under federal jurisdiction (telecommunications, finance, energy and transportation). CIRCIA covers these sectors plus the critical manufacturing, chemical, healthcare and information technology sectors, among others.
  • Reporting time. The CCSPA requires notification of a cybersecurity incident “immediately”, whereas CIRCIA requires a covered cyber incident to be reported within 72 hours and a ransom payment to be reported within 24 hours of the payment being made.
  • Privilege protection. Unlike the CCSPA, CIRCIA provides that reporting an incident does not waive privilege or any confidentiality protection that might apply to the information provided in the report.
  • Penalties. The CCSPA provides for monetary penalties of up to $15 million per violation, while CIRCIA does not currently provide for monetary penalties for non-compliance.

The CCSPA

In June 2022, Bill C-26 was introduced in the House of Commons. The Bill would enact the CCSPA and amend other statutes, including the Telecommunications Act. If passed, the CCSPA would impose new compliance and reporting duties on certain entities in the federally regulated private sector.

To whom does the CCSPA apply?

The CCSPA would apply to “designated operators” who own, control or operate a “critical cyber system” in the federally regulated telecommunications, finance, energy or transportation sectors. While the current draft of the CCSPA has not yet identified any “designated operators”, a “critical cyber system” is defined as “a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information … that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system”.

Six vital systems and services

The CCSPA identifies six vital systems and services, the designated operators of which would therefore be within the scope of the CCSPA’s requirements:

  • Telecommunications services: Minister of Industry
  • Interprovincial or international pipeline and power line systems: Canada Energy Regulator
  • Nuclear energy systems: Canadian Nuclear Safety Commission
  • Transportation systems under federal jurisdiction (shipping, rail, air): Minister of Transport
  • Banking systems: Office of the Superintendent of Financial Institutions
  • Clearing and settlement systems: Bank of Canada

The CCSPA would allow the federal government to specify classes of designated operators that own, control or operate one of these vital services or systems and that would therefore be subject to the Act. No classes of designated operators have been specified in the current draft of the CCSPA.

The government would also be able to add other federally regulated systems and services to the list above, making their operators subject to the CCSPA’s requirements.

The CIRCIA

The introduction of the CCSPA by the Canadian government aligns with U.S. efforts to regulate the security of critical infrastructure. In March 2022, President Joe Biden signed CIRCIA into law.

CIRCIA requires companies operating in critical infrastructure sectors to report certain types of cyber incidents within 72 hours of reasonably believing that such an incident has occurred (and to report any ransom payment within 24 hours of making it). Implementation falls to the Cybersecurity and Infrastructure Security Agency (CISA), a U.S. federal agency within the Department of Homeland Security whose mandate is to understand and reduce risk to the cyber and physical infrastructure of the United States. CISA must publish a proposed implementing regulation no later than March 15, 2024, and a final regulation no later than 18 months after that.

To whom does the CIRCIA apply?

CIRCIA applies to a broader range of sectors than the CCSPA. It will apply to “covered entities” operating in one of 16 critical infrastructure sectors once such an entity reasonably believes that a “covered cyber incident” has occurred. The precise meaning of both terms will be set by the Director of CISA through a mandatory rule-making process, but the definitions already in CIRCIA give some indication of their scope.

Covered entities will be drawn from the critical infrastructure sectors listed below. CIRCIA defines an “incident” as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system”, and a “covered cyber incident” as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director”.

Sixteen infrastructure sectors

Below we have listed the 16 critical infrastructure sectors and sector-specific agencies enumerated in Presidential Policy Directive 21:

  • Chemical: Department of Homeland Security
  • Commercial Facilities: Department of Homeland Security
  • Communications: Department of Homeland Security
  • Critical Manufacturing: Department of Homeland Security
  • Dams: Department of Homeland Security
  • Defense Industrial Base: Department of Defense
  • Emergency Services: Department of Homeland Security
  • Energy: Department of Energy
  • Financial Services: Department of the Treasury
  • Food and Agriculture: U.S. Department of Agriculture and Department of Health and Human Services
  • Government Facilities: Department of Homeland Security and General Services Administration
  • Healthcare and Public Health: Department of Health and Human Services
  • Information Technology: Department of Homeland Security
  • Nuclear Reactors, Materials, and Waste: Department of Homeland Security
  • Transportation Systems: Department of Homeland Security and Department of Transportation
  • Water and Wastewater Systems: Environmental Protection Agency

CCSPA (Canada) vs. CIRCIA (U.S.): a comparison

Below we have highlighted the key differences between the Canadian and U.S. legislation. For each topic, the CCSPA (Canada) position is given first, followed by the CIRCIA (US) position.

Scope of a notifiable incident

CCSPA (Canada): A cybersecurity incident means, in respect of a critical cyber system, an incident, including an act, omission or circumstance, that interferes or may interfere with:

  • the continuity or security of a vital service or vital system; or
  • the confidentiality, integrity or availability of the critical cyber system.

A designated operator must also notify the appropriate regulator of other significant events, such as a material change in its ownership or control, its cybersecurity program, or its use of third-party products or services. The timelines for those notifications vary.

CIRCIA (US): CISA must define what constitutes a covered cyber incident through rule-making. CIRCIA already requires that the definition cover, at a minimum, incidents involving at least one of the following:

  • unauthorized access to an information system or network that leads to a substantial loss of confidentiality, integrity or availability of that system or network, or that has a serious impact on the safety and resiliency of operational systems and processes;
  • disruption of business or industrial operations, including due to a denial-of-service attack, a ransomware attack or exploitation of a zero-day vulnerability, against (i) an information system or network or (ii) an operational technology system or process; or
  • unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider or other third-party data hosting provider, or a supply chain compromise.

Content of cyber incident reporting

CCSPA (Canada): The contents and manner of reporting will be specified in regulations. The CCSPA states that reporting is “for the purpose of enabling the Communications Security Establishment to exercise its powers or perform its duties and functions”.

CIRCIA (US): CISA will determine the contents of covered cyber incident reports and ransom payment reports. CIRCIA already requires that reports include at least the following:

  • a description of the covered cyber incident;
  • a description of the vulnerabilities that were exploited, the tactics, techniques and procedures used by the attackers, and the defenses the entity had in place;
  • identifying information related to the perpetrator;
  • the categories of information accessed by the attackers; and
  • in the case of a ransomware event, the ransom instructions, the type of payment requested, and the date and amount of the ransom payment.

Timeline of cyber incident reporting and who to report to

CCSPA (Canada): A designated operator must immediately report a cybersecurity incident affecting any of its critical cyber systems to the Communications Security Establishment (CSE), and must then notify the appropriate regulator of the incident immediately after reporting it to the CSE.

CIRCIA (US): CIRCIA has two reporting requirements: one for “covered cyber incidents” and another for “ransom payments”.

A covered entity that experiences a covered cyber incident must report it to CISA (within the Department of Homeland Security, DHS) within 72 hours of the entity’s reasonable belief that a covered cyber incident has occurred.

A covered entity that makes a ransom payment as a result of a ransomware attack against it must report that payment to CISA within 24 hours of making the payment.

Exception to cyber incident reporting

CCSPA (Canada): The CCSPA as introduced contains no equivalent exception.

CIRCIA (US): CIRCIA exempts entities that are already required by law, regulation or contract to report substantially similar information to another federal agency within a substantially similar timeframe, provided that an agreement is in place between CISA and that agency.

Record keeping/data preservation

CCSPA (Canada): A designated operator must keep, in Canada, at a place prescribed by the regulations or at its place of business, records of:

  • any steps taken to implement its cybersecurity program;
  • every cybersecurity incident it has reported;
  • any steps taken to mitigate supply-chain or third-party risks;
  • any measures taken to implement a cybersecurity direction; and
  • any other matter prescribed by the regulations.

CIRCIA (US): Covered entities must preserve data related to the covered cyber incidents or ransom payments they report. CISA will determine, through rule-making, the types of data to be preserved and the retention period for that data.

Confidentiality provisions

CCSPA (Canada): “Confidential information” means information obtained under the CCSPA regarding a critical cyber system that either concerns a vulnerability of the system or, if disclosed, could have a significant impact on a designated operator.

Disclosure of confidential information is generally prohibited, subject to a number of exceptions, including where the disclosure:

  • is required by law;
  • is of publicly available information;
  • is consented to by the designated operator;
  • is necessary for the protection of vital services, vital systems or critical cyber systems;
  • is made in accordance with the CCSPA or the Security of Canada Information Disclosure Act; or
  • is made under an agreement or arrangement between a regulator and certain government entities.

CIRCIA (US): Reports describing covered cyber incidents or ransom payments are kept confidential, and submitting a report does not waive any applicable privilege or protection provided by law regarding the information it contains. The reports are also exempt from disclosure under federal, state and local freedom of information laws.

Enforcement powers

CCSPA (Canada): A regulator may enter any place where it has reasonable grounds to believe that an activity regulated under the CCSPA is being conducted, or that a document, information or thing relevant to the CCSPA is located. Once inside, the regulator may, among other things:

  • examine anything in that place;
  • use any cyber system in that place (or cause it to be used) to examine any information available to or contained in the system;
  • prepare a document (or cause one to be prepared) based on that information;
  • use any copying equipment in that place (or cause it to be used); and
  • remove any document, record or cyber system in order to examine or copy it.

A regulator may also order a designated operator to conduct an internal audit, within parameters the regulator specifies, to determine whether the operator is complying with any provision of the CCSPA.

CIRCIA (US): If CISA has reason to believe that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report it, CISA may request additional information from that entity to determine whether such an incident or payment occurred.

If the entity fails to respond to CISA’s request within 72 hours, CISA may issue a subpoena compelling disclosure of the information it seeks.

If the entity fails to comply with the subpoena, CISA may refer the matter to the Attorney General to bring a civil action to enforce it.

Penalties

CCSPA (Canada): The CCSPA proposes administrative monetary penalties and criminal sanctions for statutory offences. Both carry director and officer liability for any individual who directs, authorizes, assents to, acquiesces in or participates in a violation of the CCSPA.

Administrative monetary penalties may not exceed $1 million per violation for individuals and $15 million per violation in other cases.

A violation of certain provisions of the CCSPA is also a punishable offence. Individuals may be sentenced to up to two years’ imprisonment on summary conviction or five years on conviction on indictment, and both individuals and corporations are liable to fines at the court’s discretion.

CIRCIA (US): CIRCIA provides no monetary penalty for failing to report. Enforcement runs through the subpoena process described above: if an entity does not comply with a subpoena, CISA may refer the matter to the Attorney General for a civil action, and non-compliance may be punished as contempt of court. Further detail on enforcement is expected to emerge from the rule-making process.

Preparing your enterprise for CCSPA/CIRCIA

While neither regime is currently in force, companies likely to be subject to one or both should consider the following four steps now.

First and most immediate, there are likely industry advocacy and feedback opportunities with respect to the requirements set out above. For Canada, this includes anything under the scope of the CCSPA and the rest of Bill C-26, as the Bill has not yet progressed to Committee. Advocacy and feedback opportunities for the CIRCIA rulemaking process in the United States will have to be more informal, as CISA’s formal “request for information” stage recently concluded.

Second, companies in Canada should give careful thought to how they will protect information subject to solicitor-client, litigation and other legal privileges. Preserving privilege could be particularly difficult during a cybersecurity incident in Canada, given the extensive enforcement powers (including search and seizure) afforded to regulators, the record-keeping requirements imposed on designated operators to demonstrate compliance, and the duty to notify the CSE and the appropriate regulator immediately upon discovering a cybersecurity incident. In the United States, by contrast, CIRCIA provides that reporting an incident does not waive any applicable privilege or protection provided by law regarding the information in the report; even so, companies should take care not to over-report. A comparable non-waiver provision is a potential area for industry advocacy and feedback on Bill C-26.

Third, companies should plan to review and update their incident response plans and cybersecurity policies in accordance with the above reforms. Current and upcoming reviews should make note of upcoming notification requirements and consider the extent to which notice to CISA, the CSE and other regulators can be streamlined (keeping in mind the current lack of privilege protections for notification to the CSE). Reviews should also consider third-party and supply chain risks, including those posed by critical service providers (particularly those providing IT services), key suppliers, and device or product manufacturers. Once more information is provided, companies will also want to explore the extent to which their “critical cyber systems” in Canada, or computer systems that could give rise to a “covered cyber incident” in the United States, can be segregated from other systems and whether doing so would assist in streamlining compliance efforts.

Fourth, companies potentially subject to these reforms should consider how these new requirements could or should impact relationships with other parties. Both companies and governments stand to benefit from more collaboration as the roles of CISA, the CSE, and other regulators evolve—particularly if such relationships can be leveraged for the voluntary sharing of threat intelligence. Companies should also consider whether the incoming requirements should be reflected when contracting for services with third parties. Likewise, service providers should expect increasing cybersecurity standards from regulated customers, particularly when services provided relate to systems that will be covered by the CCSPA or CIRCIA.