On June 14, 2022, the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security, which, among other things, seeks to enact the Critical Cyber Systems Protection Act (“CCSPA”). The “Backgrounder” that accompanies the Bill explains that the CCSPA “addresses longstanding gaps in the Government’s ability to protect the vital services and systems Canadians depend on” by enabling the Government to (in the words of the Backgrounder):
- Designate services and systems that are vital to national security or public safety in Canada as well as the operators or classes of operators responsible for their protection;
- Ensure that designated operators are protecting the cyber systems that underpin Canada’s critical infrastructure;
- Ensure that cyber incidents that meet or exceed a specific threshold are reported;
- Compel action by organizations in response to an identified cyber security threat or vulnerability; and
- Ensure a consistent cross-sectoral approach to cyber security in response to the growing interdependency of cyber systems.
To accomplish its objective, the CCSPA proposes to impose new compliance and reporting duties on certain classes of federally regulated persons, partnerships, or unincorporated organizations in sectors that are deemed vital to Canadian security (“Designated Operators”), as well as severe penalties for non-compliance by the Designated Operators and their directors and officers.
The CCSPA would require Designated Operators to:
- Establish a cyber security program;
- Notify appropriate regulators of certain events;
- Mitigate supply-chain and third-party risks;
- Immediately report cyber security incidents; and
- Maintain compliance records.
It would also allow the Governor in Council to issue cyber security directions to address immediate threats and vulnerabilities.
Cyber security program
Although the Bill has not yet identified specific Designated Operators in its Schedule 2, once the Governor in Council determines that an entity is a Designated Operator, the entity must, within 90 days, establish and make available to the appropriate regulator a cyber security program in respect of its critical cyber systems (“CCSs”). A CCS is “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system”. The CCSPA provides a list of vital services or systems in its Schedule 1. These include:
- Telecommunications services;
- Interprovincial or international pipeline and power line systems;
- Nuclear energy systems;
- Transportation systems that are within the legislative authority of Parliament;
- Banking systems; and
- Clearing and settlement systems.
The Bill would require the Designated Operator’s cyber security program to:
- Identify and manage any organizational cyber security risks, including risks associated with the Designated Operator’s supply chain and its use of third-party products and services;
- Protect the Designated Operator’s CCSs from being compromised;
- Detect any cyber security incidents (“CSI”) affecting, or having the potential to affect, its CCSs. The Bill defines a CSI as “an incident, including an act, omission or circumstance, that interferes or may interfere with: (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity or availability of the critical cyber system”;
- Minimize the impact of a CSI affecting its CCSs; and
- Do anything that is prescribed by regulation.
Once the program has been established, the Designated Operator must:
- Inform the appropriate regulator in writing; and
- Implement and maintain the program.
The program must be reviewed on a date specified by regulation or annually if no date is specified. The review must be completed within 60 days and any change to the program in response to the review communicated to the appropriate regulator within 30 days of the review’s completion.
The Bill would require Designated Operators to notify their appropriate regulators of an event involving: (a) any material change in the Designated Operator’s ownership or control; (b) any material change in the Designated Operator’s supply chain or use of third-party products; and (c) any circumstances prescribed in a regulation. The Designated Operator would also be required to inform the appropriate regulator of any change to its cyber security program as a result of events mentioned in (a) to (c) within 90 days of providing notification of the event.
Mitigation of supply-chain and third-party risks
If a Designated Operator were to identify a cyber security risk associated with its supply chain or with a third-party product or service, the Bill would require the Designated Operator to take reasonable steps to mitigate the risk.
A Designated Operator would also be required to report immediately a CSI affecting any of its CCSs first to the Communications Security Establishment and then to the appropriate regulator.
The Bill would require a Designated Operator to keep a record of the following information in Canada, either at a place prescribed by regulation or at the Designated Operator’s place of business:
- Any steps taken to implement its cyber security program;
- Every CSI reported to the Communications Security Establishment;
- Any steps taken to mitigate any supply-chain or third-party risks;
- Any measures to implement a cyber security direction; and
- Any matter prescribed by regulation.
Cyber security direction
Another feature that the Bill proposes is to allow the Governor in Council to issue a cyber security order to direct any Designated Operator or class of operators to comply with any measure for the purposes of protecting a CCS. In addition to the name or class of the Designated Operator, this order must specify the measures to be taken and the period within which they must be taken. Failure to comply with a cyber security direction could be punishable on conviction on indictment and subject to the sanctions described below.
To enforce the above compliance requirements, the CCSPA proposes administrative penalties for violations and criminal sanctions for offences. Both types of sanctions carry a three-year limitation period. Both provide for director and officer liability in the event the individual “directed, authorized, assented to, acquiesced in or participated in the commission of” the violation or offence. A violation or an offence that lasts for more than one day will be considered a separate violation or offence for each day it is allowed to continue.
Additionally, the following regulatory bodies would be given the power to enter a place (including a dwelling), require internal audits, and issue compliance orders: (i) the Superintendent of Financial Institutions, (ii) the Ministry of Industry, (iii) the Bank of Canada, (iv) the Canadian Nuclear Safety Commission, (v) the Canadian Energy Regulator, and (vi) the Ministry of Transport.
As stated above, the Bill proposes two types of sanctions depending on whether the breach of the CCSPA constitutes a violation or an offence. The draft legislation, however, precludes any activity that is proceeded against as a violation from being tried as an offence, and vice versa. A violation, defined as any activity that contravenes the CCSPA, would be punishable by a monetary penalty of no more than $1 million for an individual and $15 million in any other case. An offence, defined as a breach of specific provisions such as those requiring the establishment of a cyber security program or the notice obligations, could be punishable either on summary conviction or on conviction on indictment. A summary conviction would result in either or both of a fine or a prison sentence of two years less a day for an individual, or a fine for the entity involved. A conviction on indictment would result in (for an individual) a fine or a prison sentence of no more than five years (or both) or (for the entity involved) a fine. In both instances, the amount of any fine would be at the discretion of the court.
Bill C-26 proposes compliance measures intended to protect CCSs in sectors that are deemed vital to Canadian security. The Bill has only passed first reading in the House of Commons and is thus not assured of implementation in its current form. If it is implemented “as is”, however, Bill C-26 will require additional compliance and record-keeping duties by private sector entities conducting business in these sectors. We will continue to follow the legislation as it proceeds through the legislative process (see the Parliament of Canada website for the Bill’s current status).