House Of Commons Introduces Bill C-26: Proposed Federal Cybersecurity Legislation – Security

On June 14, 2022, the House of Commons of Canada introduced Bill
C-26, which would impose a series of cybersecurity-related
obligations on designated organizations in four key federally
regulated sectors: telecommunications, finance, energy and
transportation. At a high level, the bill would enact the
Critical Cyber Systems Protection Act (CCSPA), which aims
to protect critical cyber systems considered integral to Canadian
infrastructure and public safety.

APPLICABILITY TO DESIGNATED OPERATORS

If passed as currently drafted, the CCSPA would require
“designated operators” (the classes of organizations who
would be subject to this legislation have not yet been identified)
to protect their “critical cyber systems” – those
systems that, if their confidentiality, integrity or availability
were compromised, could affect the continuity or security of one of
the vital services or systems identified below. The CCSPA would be
overseen by the Communications Security Establishment (CSE),
Canada’s national cryptologic agency, along with the following
sector-specific regulators:

  Vital Service or System                              Responsible Regulator
  ---------------------------------------------------  ------------------------------------------------------------
  Telecommunications services                          Minister of Industry
  Banking systems                                      Office of the Superintendent of Financial Institutions (OSFI)
  Clearing and settlement systems                      Bank of Canada
  Interprovincial or international pipeline and        Canadian Energy Regulator (CER)
    power line systems
  Nuclear energy systems                               Canadian Nuclear Safety Commission
  Federally regulated transportation systems           Minister of Transport

LEGISLATIVE HIGHLIGHTS

Designated operators would be required to, among other
things:

  • Establish, implement and regularly review a cybersecurity
    program, which must include steps to identify and manage
    organizational cyber security risk;

  • Mitigate any cybersecurity risk associated with its supply
    chain or third party products and services that it identifies;

  • Notify the appropriate regulator of any material change of
    ownership or control, or any material change in the designated
    operator’s supply chain or use of third-party products and
    services;

  • Comply with a cybersecurity direction issued by either the
    Federal Cabinet or the appropriate regulator and not disclose the
    direction’s existence or content; and

  • Keep records regarding the implementation of its cybersecurity
    program and any cybersecurity incident, and such records must be
    stored within Canada.

Designated operators will also be required to report a
“cybersecurity incident” in a two-step process. A
“cybersecurity incident” is any incident that interferes
or may interfere with the continuity or security of a vital service
or system, or the confidentiality, integrity or availability of the
critical cyber system. First, designated operators must
“immediately” report a cybersecurity incident to the CSE
in the manner that will be set out in CCSPA’s regulations.
Second, a designated operator must also notify its responsible
regulator “immediately after reporting a cybersecurity
incident” to the CSE.

Responsible regulators are granted broad inspection and audit
powers, which are not limited to the premises of the designated
operator. Responsible regulators may also order a designated
operator to conduct an internal audit of its practices, books and
other records to determine compliance with CCSPA.

Enforcement of the CCSPA includes an administrative monetary
penalties regime for noncompliance with the legislation. Directors
and officers of designated operators are party to any violations of
the CCSPA if they direct, authorize, participate, assent to, or
acquiesce in the commission of the violation. The range of
penalties is to be prescribed by regulation, but the CCSPA authorizes
a maximum penalty of C$15-million for designated operators and
C$1-million for directors and officers. Noncompliance with certain
provisions of the CCSPA may alternatively be prosecuted as an offence
punishable with criminal fines and/or imprisonment.

SECTOR-SPECIFIC COMMENTARY

Telecommunications

In addition to enacting the CCSPA, Bill C-26 would amend the
Telecommunications Act by introducing security as a policy
objective, and providing the Governor in Council and Minister of
Industry with a series of powers that are largely directed at
Canada’s 5G infrastructure and equipment. Among other things,
the federal government may:

  • prohibit a telecommunications service provider from using all
    products and services provided by a specified person in, or in
    relation to, its telecommunications network or telecommunications
    facilities, or remove any such products;

  • direct a telecommunications service provider to do anything or
    refrain from doing anything necessary to secure the Canadian
    telecommunications system;

  • require that a telecommunications service provider develop a
    security plan;

  • require that assessments be conducted to identify any
    vulnerability in its services, network or facilities; and

  • require that a telecommunications service provider take steps
    to mitigate any vulnerability in its services, network or
    facilities.

While some of the proposed modifications are primarily directed
at Canadian carriers, both facilities-based providers and resellers
of telecommunications services should review their cybersecurity
posture.

For more detail on how the CCSPA applies to the telecommunications
sector, please see the corresponding table in the Appendix.

Banking and Clearing and Settlement Systems

The CCSPA authorizes the Federal Cabinet to designate a class of
operators in respect of “banking systems” and
“clearing and settlement systems” which are vital to
national security or public safety. While no such classes have yet
been identified, a class of operators could include Canada’s
systemically important banks or the clearing and settlement systems
already designated by the Bank of Canada under the Payment Clearing
and Settlement Act (PCSA), though the CCSPA does not
limit the designation power to these entities. The use of the term
“banking system” in the legislation also suggests that
other federal financial institutions, such as insurers, are outside
the scope of the designation power.

For designated operators of banking systems, the CCSPA obligations
supplement OSFI’s growing list of expectations respecting cyber
risk management, third-party risk management, and incident
reporting. These include the requirements of Guideline B-13:
Technology and Cyber Risk Management, which will soon be published
in final form, as well as the new Guideline B-10: Third-Party Risk
Management, published for consultation in April 2022. The CCSPA
reporting requirements supplement OSFI’s current Technology and
Cyber Security Incident Reporting Advisory, under which federal
financial institutions report a technology or cybersecurity incident
to OSFI.

For designated operators of clearing and settlement systems, the
requirements of the CCSPA will complement the Bank of Canada’s
Expectations for Cyber Resilience of Financial Market
Infrastructures, published in October 2021.

Federal financial institutions are already subject to change of
control approval requirements, and clearing and settlement systems
must comply with broad notice and approval requirements under the
PCSA; however, the CCSPA introduces a remarkably broad notice
requirement to report changes in control, or supply chain or
third-party products and services. This is because of the use of
the “material change” standard. It remains to be seen how
OSFI and the Bank of Canada will practically administer this
requirement while keeping the flow of information manageable.

For more detail on how the CCSPA applies to banking systems and
clearing and settlement systems, please see the corresponding table
in the Appendix.

Energy Systems

The CCSPA grants additional powers to the CER in addition to its
current powers under the Canadian Energy Regulator Act.
The CER regulates pipelines that cross provincial boundaries or the
Canada-U.S. border. The CCSPA also only applies to these pipelines
and not pipelines solely within one province.

The CER currently can assess whether pipeline projects meet
engineering, safety and environmental requirements. The CCSPA
further allows the CER to inspect and audit whether operators are
in compliance with the CCSPA. The Canadian Energy Regulator Act
allows the CER to establish regulations regarding cybersecurity
matters for interprovincial and international pipelines, though no
such regulations have been established to date. Accordingly, the
inspection and audit powers, and the administrative monetary
penalties regime for noncompliance with the legislation, granted to
the CER under the CCSPA are an expansion of its role.

The CCSPA also supplements the pre-existing obligations for
operators of nuclear power systems under the General Nuclear
Safety and Control Regulations (GNSCR). Operators will already
be familiar with the obligations for prescribed information, and
the obligations to take all necessary precautions to prevent the
transfer or disclosure of prescribed information that is not
authorized by law. The GNSCR also sets out specific recordkeeping
obligations, although the requirements under the CCSPA are more
stringent. The Canadian Nuclear Safety Commission (CNSC) already
oversees these obligations, and the CCSPA adds to the oversight
powers that the CNSC currently possesses.

For more detail on how the CCSPA applies to energy systems, please
see the corresponding table in the Appendix.

Transportation Systems

Operators in federally regulated transportation sectors,
including aviation, railways and marine transport, will be familiar
with the oversight powers exercised by the Minister of Transport.
Whether or not the pre-existing obligations of these operators
specifically included mitigating cybersecurity-related risks
through safety management systems or otherwise, the CCSPA is a
clear direction to these operators to understand and manage cyber
risk for their enterprises.

For more detail on how the CCSPA applies to transportation systems,
please see the corresponding table in the Appendix.

CONCLUSION

Bill C-26 has only completed a first reading and may be amended
as it continues through the legislative process. It remains to be
seen whether any provinces will enact similar laws that would apply
to provincially regulated sectors.

APPENDIX

Telecommunications Services

Scope

Telecommunications services have been identified in the
legislation as services that are vital to national security and/or
public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of
operators in respect of these systems who must comply with the
requirements of the legislation.

A class of operators could include facilities-based
telecommunications service providers as well as resellers of
telecommunications services.

Responsible Regulator

The Minister of Industry is the regulator charged with
administering the CCSPA in respect of telecommunications services.
Bill C-26 would also amend the Telecommunications Act by
introducing security as a policy objective, and providing the
Federal Cabinet and the Minister of Industry with a series of powers
that are largely directed at Canada’s 5G infrastructure and
equipment.

The legislation also imposes a reporting obligation to the
Communications Security Establishment (CSE), Canada’s national
cryptologic agency.

Cybersecurity Programs

Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated
under the CCSPA. The CSP must:

  1. include reasonable steps to identify and manage organizational
    cybersecurity risks;

  2. include reasonable steps to protect critical cyber systems from
    being compromised, detect cybersecurity incidents and minimize
    related impacts;

  3. be reviewed and updated annually, or more frequently if
    specified by regulation; and

  4. be filed with the Minister of Industry including notices of any
    updates to the CSP following periodic reviews.

Supply Chain Management

Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated
operator’s supply chain or use of third-party products and
services. These risk management measures must also be addressed in
the operator’s CSP.

Change of Control Reporting

Designated operators are required to notify the Minister of
Industry of any material changes to ownership and/or control as
well as to its supply chain or use of third-party products and
services.

Cybersecurity Incident Reporting

Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A
“cybersecurity incident” is any incident that interferes
or may interfere with the continuity or security of a vital service
or system, or the confidentiality, integrity or availability of the
critical cyber system.

First, designated operators must “immediately” report a
cybersecurity incident to the CSE in a manner to be set out in the
CCSPA’s regulations. Second, designated operators must notify
the Minister of Industry “immediately after reporting a
cybersecurity incident” to the CSE.

Recordkeeping

Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various
security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with
additional guidance that may be established by the Minister of
Industry or regulations.

Compliance with Directions

The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any
measure for the purpose of protecting a critical cyber
system.

The Minister of Industry is also granted powers to order a
designated operator to stop doing anything that is or is likely to
be in contravention of the CCSPA or to take any measure that is
necessary to ensure compliance or mitigate noncompliance with the
CCSPA.

In relation to telecommunications services, networks and equipment,
the Minister of Industry may, among other things:

  • prohibit a telecommunications service provider from using all
    products and services provided by a specified person in, or in
    relation to, its telecommunications network or telecommunications
    facilities, or remove any such products;

  • direct a telecommunications service provider to do anything or
    refrain from doing anything necessary to secure the Canadian
    telecommunications system;

  • require that a telecommunications service provider develop a
    security plan;

  • require that assessments be conducted to identify any
    vulnerability in its services, network or facilities; and

  • require that a telecommunications service provider take steps
    to mitigate any vulnerability in its services, network or
    facilities.

Disclosure Restrictions on Confidential Information

The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated
operator’s critical cyber system. Disclosure of directions
issued by the Federal Cabinet or the Minister of Industry under the
CCSPA is also generally prohibited.

Inspections and Audits

The Minister of Industry is granted broad audit and inspection
powers under the CCSPA, which are not limited to the physical
premises of the designated operator.

The Minister of Industry may also order a designated operator to
conduct an internal audit of its practices, books and other records
to determine compliance with the CCSPA.

Enforcement

Enforcement of the CCSPA includes an administrative monetary
penalties regime for noncompliance with the legislation.

Directors and officers of designated operators are party to any
violations of the CCSPA if they direct, authorize, participate,
assent to, or acquiesce in the commission of the violation.

The CCSPA states that the purpose of a penalty is to promote
compliance and not to punish. The CCSPA allows a designated
operator or their directors and officers to raise a due diligence
defence in a violation proceeding.

The range of penalties is to be prescribed by regulation, but the
CCSPA authorizes a maximum penalty of C$15-million for designated
operators and C$1-million for directors and officers.

Noncompliance with certain provisions of CCSPA may alternatively be
prosecuted as an offence punishable with criminal fines and/or
imprisonment.

The CCSPA also authorizes the Minister of Industry to enter into
compliance agreements with a designated operator in respect of the
operator’s obligations under the CCSPA.

Banking Systems and Clearing and Settlement Systems

Scope

Banking systems and clearing and settlement systems have been
identified in the legislation as systems that are vital to national
security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of
operators in respect of these systems who must comply with the
requirements of the legislation.

The use of the term “banking system” in the legislation
suggests that other federal financial institutions, such as
insurers, are outside the scope of the designation power.

Responsible Regulator

OSFI in respect of banking systems.

The Bank of Canada in respect of clearing and settlement
systems.

The legislation also imposes a reporting obligation to the
Communications Security Establishment (CSE), Canada’s national
cryptologic agency.

Cybersecurity Programs

Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated
under the CCSPA. The CSP must:

  1. include reasonable steps to identify and manage organizational
    cybersecurity risks;

  2. include reasonable steps to protect critical cyber systems from
    being compromised, detect cyber security incidents and minimize
    related impacts;

  3. be reviewed and updated annually, or more frequently if
    specified by regulation; and

  4. be filed with OSFI/Bank of Canada including notices of any
    updates to the CSP following periodic reviews.

For banking systems operators, the CSP requirements of the CCSPA
will be in addition to the technology and cyber risk management
requirements for financial institutions under OSFI’s draft
Guideline B-13: Technology and Cyber Risk Management, which OSFI
announced earlier this month will soon be published in final form.

For clearing and settlement systems operators, the requirements of
the CCSPA will complement the Bank of Canada’s Expectations for
Cyber Resilience of Financial Market Infrastructures, published in
October 2021.

Supply Chain Management

Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated
operator’s supply chain or use of third-party products and
services. These risk management measures must also be addressed in
the operator’s CSP.

While the CCSPA introduces obligations to mitigate cyber risks
related to a designated operator’s supply chain, federal
financial institutions are already subject to OSFI’s
expectations in respect of third-party risk management, as set out
in OSFI’s recently updated draft Guideline B-10: Third-Party
Risk Management.

Change of Control Reporting

Designated operators are required to notify OSFI or the Bank of
Canada, as applicable, of any material changes to ownership and/or
control as well as to its supply chain or use of third-party
products and services.

Although federal financial institutions are already subject to
approval requirements in respect of change of control, and clearing
and settlement systems must comply with broad notice and approval
requirements under the PCSA, the notice requirement under the CCSPA
is remarkably broad, given that it uses a material change as the
threshold for notice. It remains to be seen how OSFI and the Bank
of Canada will practically administer this requirement so that the
flow of information remains manageable both for the designated
operators and the regulators themselves.

Cybersecurity Incident Reporting

Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A
“cybersecurity incident” is any incident that interferes
or may interfere with the continuity or security of a vital service
or system, or the confidentiality, integrity or availability of the
critical cyber system.

First, designated operators must “immediately” report a
cybersecurity incident to the CSE in a manner to be set out in the
CCSPA’s regulations. Second, designated operators must notify
OSFI or the Bank of Canada, as applicable, “immediately after
reporting a cybersecurity incident” to the CSE.

The reporting requirement under the CCSPA will be in addition to
the current obligation for federal financial institutions to report
a technology or cybersecurity incident to OSFI under OSFI’s
Technology and Cyber Security Incident Reporting Advisory. The
definition of a reportable incident under these two regimes is
similar but not identical.

Recordkeeping

Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various
security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with
additional guidance that may be established by OSFI/Bank of Canada
or regulations.

Compliance with Directions

The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any
measure for the purpose of protecting a critical cyber
system.

OSFI and the Bank of Canada are also granted powers to order a
designated operator to stop doing anything that is or is likely to
be in contravention of the CCSPA or to take any measure that is
necessary to ensure compliance or mitigate noncompliance with the
CCSPA.

Disclosure Restrictions on Confidential Information

The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated
operator’s critical cyber system. Disclosure of directions
issued by the Federal Cabinet or OSFI/Bank of Canada under the
CCSPA is also generally prohibited.

Both financial institutions and clearing and settlement systems
will be familiar with restrictions on disclosure of supervisory
information under their governing legislation although the CCSPA
regime is somewhat more nuanced and several exceptions apply.

Inspections and Audits

OSFI and the Bank of Canada, as applicable, are granted broad
audit and inspection powers under the CCSPA, which are not limited
to the physical premises of the designated operator.

OSFI and the Bank of Canada, as applicable, may also order a
designated operator to conduct an internal audit of its practices,
books and other records to determine compliance with the
CCSPA.

Enforcement

Enforcement of the CCSPA includes an administrative monetary
penalties regime for noncompliance with the legislation.

Directors and officers of designated operators are party to any
violations of the CCSPA if they direct, authorize, participate,
assent to, or acquiesce in the commission of the violation.

Similar to other financial institutions legislation, the CCSPA
states that the purpose of a penalty is to promote compliance and
not to punish. The CCSPA allows a designated operator or their
directors and officers to raise a due diligence defence in a
violation proceeding.

The range of penalties is to be prescribed by regulation, but the
CCSPA authorizes a maximum penalty of C$15-million for designated
operators and C$1-million for directors and officers.

Noncompliance with certain provisions of CCSPA may alternatively be
prosecuted as an offence punishable with criminal fines and/or
imprisonment.

The CCSPA also authorizes OSFI and the Bank of Canada, as
applicable, to enter into compliance agreements with a designated
operator in respect of the operator’s obligations under the
CCSPA.

Interprovincial or International Pipeline and Power Line Systems,
and Nuclear Energy Systems

Scope

Interprovincial or international pipeline and power line systems,
and nuclear energy systems, have been identified in the legislation
as systems that are vital to national security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of
operators in respect of these systems who must comply with the
requirements of the legislation.

A class of operators could include interprovincial pipelines that
cross provincial borders and international pipelines that cross the
Canada-U.S. border.

Responsible Regulator

The Canadian Energy Regulator (CER) is the regulator charged
with administering the CCSPA in respect of interprovincial or
international pipeline and power line systems.

The Canadian Nuclear Safety Commission (CNSC) is the regulator
charged with administering the CCSPA in respect of nuclear energy
systems.

The legislation also imposes a reporting obligation to the
Communications Security Establishment (CSE), Canada’s national
cryptologic agency.

Cybersecurity Programs

Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated under
the CCSPA. The CSP must:

  1. include reasonable steps to identify and manage organizational
    cybersecurity risks;

  2. include reasonable steps to protect critical cyber systems from
    being compromised, detect cybersecurity incidents and minimize
    related impacts;

  3. be reviewed and updated annually, or more frequently if
    specified by regulation; and

  4. be filed with the CER/CNSC, as applicable, including notices of
    any updates to the CSP following periodic reviews.

Supply Chain Management

Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated
operator’s supply chain or use of third-party products and
services. These risk management measures must also be addressed in
the operator’s CSP.

Change of Control Reporting

Designated operators are required to notify the CER or the
CNSC, as applicable, of any material changes to ownership and/or
control as well as to its supply chain or use of third-party
products and services.

Cybersecurity Incident Reporting

Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A
“cybersecurity incident” is any incident that interferes
or may interfere with the continuity or security of a vital service
or system, or the confidentiality, integrity or availability of the
critical cyber system.

First, designated operators must “immediately” report a
cybersecurity incident to the CSE in a manner to be set out in the
CCSPA’s regulations. Second, designated operators must notify
the CER or the CNSC, as applicable, “immediately after
reporting a cybersecurity incident” to the CSE.

For nuclear energy operators, the obligations to report a
cybersecurity incident complement their obligations under the
General Nuclear Safety and Control Regulations (GNSCR) to
report any theft or loss of prescribed information to the
CNSC.

Recordkeeping

Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various
security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with
additional guidance that may be established by the CER/CNSC or
regulations.

Nuclear energy companies will be familiar with the recordkeeping
requirements under the GNSCR, and the obligations to notify the
CNSC of any proposed disposal of records. However, the CCSPA
obligations go above and beyond these established recordkeeping
requirements.

Federally regulated pipeline operators will also be familiar with
the recordkeeping requirements under the Canadian Energy Regulator
Onshore Pipeline Regulations (CEROPR). However, the CCSPA
obligations supplement these obligations and add additional
recordkeeping requirements.

Compliance with Directions

The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any
measure for the purpose of protecting a critical cyber
system.

The CER or the CNSC are also granted powers to order a designated
operator to stop doing anything that is or is likely to be in
contravention of the CCSPA or to take any measure that is necessary
to ensure compliance or mitigate noncompliance with the CCSPA.

Disclosure Restrictions on Confidential Information

The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated
operator’s critical cyber system. Disclosure of directions
issued by the Federal Cabinet or the CER/CNSC under the CCSPA is
also generally prohibited.

Inspections and Audits

The CER and the CNSC, as applicable, are granted broad audit
and inspection powers under the CCSPA, which are not limited to the
physical premises of the designated operator.

The CER and the CNSC, as applicable, may also order a designated
operator to conduct an internal audit of its practices, books and
other records to determine compliance with the CCSPA.

These broad inspection powers are in addition to those previously
provided to the CER under the CEROPR and the CNSC under the
Nuclear Safety and Control Act (NSCA).

Enforcement

Enforcement of the CCSPA includes an administrative monetary
penalties regime for noncompliance with the legislation. Of course,
operators in the nuclear energy sector will be familiar with the
administrative penalties regime under the Administrative Monetary
Penalties Regulations (Canadian Nuclear Safety Commission) (AMPR
CNSC), as will operators of federally regulated pipelines under the
Administrative Monetary Penalties Regulations (National Energy
Board) (AMPR NEB).

Directors and officers of designated operators are party to any
violations of the CCSPA if they direct, authorize, participate,
assent to, or acquiesce in the commission of the violation. This is
not dissimilar to the liability under the NSCA or the Canadian
Energy Regulator Act.

The CCSPA states that the purpose of a penalty is to promote
compliance and not to punish. The CCSPA allows a designated
operator or their directors and officers to raise a due diligence
defence in a violation proceeding.

The range of penalties is to be prescribed by regulation, but the
CCSPA authorizes a maximum penalty of C$15-million for designated
operators and C$1-million for directors and officers. These are
significantly higher than the penalties prescribed under the AMPR
CNSC and the AMPR NEB.

Noncompliance with certain provisions of CCSPA may alternatively be
prosecuted as an offence punishable with criminal fines and/or
imprisonment.

The CCSPA also authorizes the CER and the CNSC, as applicable, to
enter into compliance agreements with a designated operator in
respect of the operator’s obligations under the CCSPA.

Federally Regulated Transportation Systems

Scope

Federally regulated transportation systems have been identified
in the legislation as systems that are vital to national security
and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of
operators in respect of these systems who must comply with the
requirements of the legislation.

Responsible Regulator

The Minister of Transport is the regulator charged with
administering the CCSPA in respect of federally regulated
transportation systems.

The legislation also imposes a reporting obligation to the
Communications Security Establishment (CSE), Canada’s national
cryptologic agency.

Cybersecurity Programs

Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated
under the CCSPA. The CSP must:

  1. include reasonable steps to identify and manage organizational
    cybersecurity risks;

  2. include reasonable steps to protect critical cyber systems from
    being compromised, detect cybersecurity incidents and minimize
    related impacts;

  3. be reviewed and updated annually, or more frequently if
    specified by regulation; and

  4. be filed with the Minister of Transport including notices of
    any updates to the CSP following periodic reviews.

For railway and aircraft operators, these obligations will
supplement the safety management system obligations under the
Railway Safety Management System Regulations and the
Canadian Aviation Regulations, respectively.

Supply Chain Management

Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated
operator’s supply chain or use of third-party products and
services. These risk management measures must also be addressed in
the operator’s CSP.

Change of Control Reporting

Designated operators are required to notify the Minister of
Transport of any material changes to ownership and/or control as
well as to its supply chain or use of third-party products and
services.

Cybersecurity Incident Reporting

Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A
“cybersecurity incident” is any incident that interferes
or may interfere with the continuity or security of a vital service
or system, or the confidentiality, integrity or availability of the
critical cyber system.

First, designated operators must “immediately” report a
cybersecurity incident to the CSE in a manner to be set out in the
CCSPA’s regulations. Second, designated operators must notify
the Minister of Transport “immediately after reporting a
cybersecurity incident” to the CSE.

Recordkeeping

Designated operators must keep certain records, including copies of
reported cybersecurity incidents and evidence of various security
and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with
additional guidance that may be established by the Minister of
Transport or regulations.

Compliance with Directions

The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any
measure for the purpose of protecting a critical cyber system.

The Minister of Industry is also granted powers to order a
designated operator to stop doing anything that is or is likely to
be in contravention of the CCSPA or to take any measure that is
necessary to ensure compliance or mitigate noncompliance with the
CCSPA.

These powers are similar to those already granted to the Minister
of Transport under the Aeronautics Act and the Railway Safety Act
(RSA).

Disclosure Restrictions on Confidential Information

The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated
operator’s critical cyber system. Disclosure of directions
issued by the Federal Cabinet or the Minister of Transport under
the CCSPA is also generally prohibited.

Inspections and Audits

The Minister of Transport is granted broad audit and inspection
powers under the CCSPA, which are not limited to the physical
premises of the designated operator.

The Minister of Transport may also order a designated operator to
conduct an internal audit of its practices, books and other records
to determine compliance with the CCSPA.

Aircraft operators will be familiar with the similarly broad
inspection powers granted to the Minister of Transport under the
Canadian Aviation Regulations, as will railway operators
in respect of the RSA and marine transport operators under
the Canada Shipping Act, 2001 (CSA).

Enforcement

Enforcement of the CCSPA includes an administrative monetary
penalties regime for noncompliance with the legislation. Railway
operators will be familiar with the regime under the Railway Safety
Administrative Monetary Penalties Regulations (RSAMPR), as will
marine transport operators under the Administrative Monetary
Penalties and Notices (CSA 2001) Regulations (AMPNR).

Directors and officers of designated operators are party to any
violations of the CCSPA if they direct, authorize, participate,
assent to, or acquiesce in the commission of the violation.

The CCSPA states that the purpose of a penalty is to promote
compliance and not to punish. The CCSPA allows a designated
operator or their directors and officers to raise a due diligence
defence in a violation proceeding.

The range of penalties is to be prescribed by regulation, but the
CCSPA authorizes a maximum penalty of C$15-million for designated
operators and C$1-million for directors and officers. These are
significantly higher than the penalties prescribed by the RSAMPR
for railway operators and by the AMPNR for marine transport
operators.

Noncompliance with certain provisions of CCSPA may alternatively be
prosecuted as an offence punishable with criminal fines and/or
imprisonment.

The CCSPA also authorizes the Minister of Transport to enter into
compliance agreements with a designated operator in respect of the
operator’s obligations under the CCSPA.

For permission to reprint articles, please contact the Blakes
Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
