On June 14, 2022, the House of Commons of Canada introduced Bill
C-26, which would impose a series of cybersecurity-related
obligations on designated organizations in four key federally
regulated sectors: telecommunications, finance, energy and
transportation. At a high level, the bill would enact the
Critical Cyber Systems Protection Act (CCSPA), which aims
to protect critical cyber systems considered integral to Canadian
infrastructure and public safety.
APPLICABILITY TO DESIGNATED OPERATORS
If passed as currently drafted, the CCSPA would require
“designated operators” (the classes of organizations that
would be subject to this legislation have not yet been identified)
to protect their “critical cyber systems” – those
systems that, if their confidentiality, integrity or availability
were compromised, could affect the continuity or security of one of
the vital services or systems identified below. The CCSPA would be
overseen by the Communications Security Establishment (CSE),
Canada’s national cryptologic agency, along with the following
sector-specific regulators:
Vital Service or System | Responsible Regulator
---|---
Telecommunications services | Minister of Industry
Banking systems | Office of the Superintendent of Financial Institutions (OSFI)
Clearing and settlement systems | Bank of Canada
Interprovincial or international pipeline and power line systems | Canadian Energy Regulator (CER)
Nuclear energy systems | Canadian Nuclear Safety Commission (CNSC)
Federally regulated transportation systems | Minister of Transport
LEGISLATIVE HIGHLIGHTS
Designated operators would be required to, among other
things:
- Establish, implement and regularly review a cybersecurity program, which must include steps to identify and manage organizational cybersecurity risk;
- Mitigate any cybersecurity risk that it identifies in connection with its supply chain or its use of third-party products and services;
- Notify the appropriate regulator of any material change of ownership or control, or any material change in the designated operator’s supply chain or use of third-party products and services;
- Comply with a cybersecurity direction issued by either the Federal Cabinet or the appropriate regulator, and not disclose the direction’s existence or content; and
- Keep records regarding the implementation of its cybersecurity program and any cybersecurity incident; such records must be stored within Canada.
Designated operators will also be required to report a
“cybersecurity incident” in a two-step process. A
“cybersecurity incident” is any incident that interferes
or may interfere with the continuity or security of a vital service
or system, or the confidentiality, integrity or availability of the
critical cyber system. First, designated operators must
“immediately” report a cybersecurity incident to the CSE
in the manner that will be set out in CCSPA’s regulations.
Second, a designated operator must also notify its responsible
regulator “immediately after reporting a cybersecurity
incident” to the CSE.
Responsible regulators are granted broad inspection and audit
powers, which are not limited to the premises of the designated
operator. Responsible regulators may also order a designated
operator to conduct an internal audit of its practices, books and
other records to determine compliance with CCSPA.
Enforcement of the CCSPA includes an administrative monetary
penalties regime for noncompliance with the legislation. Directors
and officers of designated operators are party to any violation of
the CCSPA if they direct, authorize, participate in, assent to or
acquiesce in the commission of the violation. The range of
penalties is to be prescribed by regulation, but the CCSPA authorizes
a maximum penalty of C$15-million for designated operators and
C$1-million for directors and officers. Noncompliance with certain
provisions of the CCSPA may alternatively be prosecuted as an offence
punishable by criminal fines and/or imprisonment.
SECTOR-SPECIFIC COMMENTARY
Telecommunications
In addition to enacting the CCSPA, Bill C-26 would amend the
Telecommunications Act by introducing security as a policy
objective, and providing the Governor in Council and Minister of
Industry with a series of powers that are largely directed at
Canada’s 5G infrastructure and equipment. Among other things,
the federal government may:
- prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or require it to remove any such products;
- direct a telecommunications service provider to do anything, or refrain from doing anything, necessary to secure the Canadian telecommunications system;
- require that a telecommunications service provider develop a security plan;
- require that assessments be conducted to identify any vulnerability in its services, network or facilities; and
- require that a telecommunications service provider take steps to mitigate any vulnerability in its services, network or facilities.
While some of the proposed modifications are primarily directed
at Canadian carriers, both facilities-based providers and resellers
of telecommunications services should review their cybersecurity
posture.
For more detail on how the CCSPA applies to the telecommunications
sector, please see this
table in the Appendix.
Banking and Clearing and Settlement Systems
The CCSPA authorizes the Federal Cabinet to designate a class of
operators in respect of “banking systems” and
“clearing and settlement systems” which are vital to
national security or public safety. While no such classes have yet
been identified, a class of operators could include Canada’s
systemically important banks or the clearing and settlement systems
already designated by the Bank of Canada under the Payment
Clearing and Settlement Act (PCSA), though the CCSPA does not
limit the designation power to these entities. The use of the term
“banking system” in the legislation also suggests that
other federal financial institutions, such as insurers, are outside
the scope of the designation power.
For designated operators of banking systems, the CCSPA obligations
supplement OSFI’s growing list of expectations respecting cyber
risk management, third-party risk management, and incident
reporting. These include the requirements of Guideline B-13: Technology and Cyber Risk
Management, which will soon be published in final form, as
well as the new Guideline B-10: Third-Party Risk
Management published for consultation in April 2022. The
CCSPA reporting requirements supplement OSFI’s current Technology and Cyber Security Incident Reporting
Advisory for federal financial institutions to report a
technology or cybersecurity incident to OSFI.
For designated operators of clearing and settlement systems, the
requirements of the CCSPA will complement the Bank of Canada’s
Expectations for Cyber Resilience of Financial
Market Infrastructures published in October 2021.
Federal financial institutions are already subject to change of
control approval requirements, and clearing and settlement systems
must comply with broad notice and approval requirements under the
PCSA; however, the CCSPA introduces a remarkably broad notice
requirement to report changes in control, or supply chain or
third-party products and services. This is because of the use of
the “material change” standard. It remains to be seen how
OSFI and the Bank of Canada will practically administer this
requirement while keeping the flow of information manageable.
For more detail on how the CCSPA applies to banking systems and
clearing and settlement systems, please see this
table in the Appendix.
Energy Systems
The CCSPA grants additional powers to the CER in addition to its
current powers under the Canadian Energy Regulator Act.
The CER regulates pipelines that cross provincial boundaries or the
Canada-U.S. border. The CCSPA also only applies to these pipelines
and not pipelines solely within one province.
The CER currently can assess whether pipeline projects meet
engineering, safety and environmental requirements. The CCSPA
further allows the CER to inspect and audit whether operators are
in compliance with the CCSPA. The Canadian Energy Regulator
Act allows the CER to establish regulations regarding
cybersecurity matters for interprovincial and international
pipelines, though no such regulations have been established to
date. Accordingly, the inspection, audit, and administrative
monetary penalties regime for noncompliance with the legislation
powers granted to the CER are an expansion of its role.
The CCSPA also supplements the pre-existing obligations for
operators of nuclear power systems under the General Nuclear
Safety and Control Regulations (GNSCR). Operators will already
be familiar with the obligations for prescribed information, and
the obligations to take all necessary precautions to prevent the
transfer or disclosure of prescribed information that is not
authorized by law. The GNSCR also sets out specific recordkeeping
obligations, although the requirements under the CCSPA are more
stringent. The Canadian Nuclear Safety Commission (CNSC) already
oversees these obligations, and the CCSPA adds to the oversight
powers that the CNSC currently possesses.
For more detail on how the CCSPA applies to energy systems, please
see this
table in the Appendix.
Transportation Systems
Operators in federally regulated transportation sectors,
including aviation, railways and marine transport, will be familiar
with the oversight powers exercised by the Minister of Transport.
Whether or not the pre-existing obligations of these operators
specifically included mitigating cybersecurity-related risks,
through safety management systems or otherwise, the CCSPA is a
clear direction to these operators to understand and manage cyber
risk across their enterprises.
For more detail on how the CCSPA applies to transportation systems,
please see this
table in the Appendix.
CONCLUSION
Bill C-26 has only completed a first reading and may be amended
as it continues through the legislative process. It remains to be
seen whether any provinces will enact similar laws that would apply
to provincially regulated sectors.
APPENDIX
Telecommunications Services | |
---|---|
Scope | Telecommunications services have been identified in the
legislation as services that are vital to national security and/or public safety. The CCSPA authorizes the Federal Cabinet to designate a class of
A class of operators could include facilities-based
|
Responsible Regulator | The Minister of Industry is the regulator charged with
administering the CCSPA in respect of telecommunications services. Bill C-26 would also amend the Telecommunications Act by introducing security as a policy objective, and providing the Federal Cabinet and the Minister of Industry with a series of powers that are largely directed at Canada’s 5G infrastructure and equipment. The Communications Security Establishment (CSE),
|
Cybersecurity Programs | Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must include reasonable steps to identify and manage organizational cybersecurity risks:
|
Supply Chain Management | Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP. |
Change of Control Reporting | Designated operators are required to notify the Minister of
Industry of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services. |
Cybersecurity Incident Reporting | Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a
|
Recordkeeping | Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA. These required records must be kept in Canada in accordance with
|
Compliance with Directions | The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system. The Minister of Industry is also granted powers to order a
In relation to telecommunications services, networks and equipment,
|
Disclosure Restrictions on Confidential
Information |
The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Industry under the CCSPA is also generally prohibited. |
Inspections and Audits | The Minister of Industry is granted broad audit and inspection
powers under the CCSPA, which are not limited to the physical premises of the designated operator. The Minister of Industry may also order a designated operator to
|
Enforcement | Enforcement of the CCSPA includes administrative monetary
penalties regime for noncompliance with the legislation. Directors and officers of designated operators are party to any
The CCSPA states that the purpose of a penalty is to promote
The range of penalties are to be prescribed by regulation, but
Noncompliance with certain provisions of CCSPA may alternatively be
The CCSPA also authorizes the Minister of Industry to enter into a
|
Banking
Systems and Clearing and Settlement Systems |
|
---|---|
Scope | Banking Systems and Clearing and Settlement Systems have been
identified in the legislation as systems that are vital to national security and/or public safety. The CCSPA authorizes the Federal Cabinet to designate a class of
The use of the term “banking system” in the legislation
|
Responsible Regulator | OSFI in respect of banking systems:
The Bank of Canada in respect of clearing and settlement
The Communications Security Establishment (CSE),
|
Cybersecurity Programs | Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
For clearing and settlement systems operators, the requirements of
|
Supply Chain Management | Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP. While the CCSPA introduces obligations to mitigate cyber risks
|
Change of Control Reporting | Designated operators are required to notify OSFI or the Bank of
Canada, as applicable, of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services. Although federal financial institutions are already subject to
|
Cybersecurity Incident Reporting | Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a
The reporting requirement under the CCSPA will be in addition to
|
Recordkeeping | Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA. These required records must be kept in Canada in accordance with
|
Compliance with Directions | The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system. OSFI and the Bank of Canada are also granted powers to order a
|
Disclosure Restrictions on Confidential
Information |
The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or OSFI/Bank of Canada under the CCSPA is also generally prohibited. Both financial institutions and clearing and settlement systems
|
Inspections and Audits | OSFI and the Bank of Canada, as applicable, are granted broad
audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. OSFI and the Bank of Canada, as applicable, may also order a
|
Enforcement | Enforcement of the CCSPA includes administrative monetary
penalties regime for noncompliance with the legislation. Directors and officers of designated operators are party to any
Similar to other financial institutions legislation, the CCSPA
The range of penalties are to be prescribed by regulation, but
Noncompliance with certain provisions of CCSPA may alternatively be
The CCSPA also authorizes OSFI and the Bank of Canada, as
|
Interprovincial or International
Pipeline and Power Line Systems, and Nuclear Energy Systems |
|
---|---|
Scope | Interprovincial or International Pipeline and Power Line
Systems, and Nuclear Energy Systems have been identified in the legislation as systems that are vital to national security and/or public safety. The CCSPA authorizes the Federal Cabinet to designate a class of
A class of operators could include interprovincial pipelines that
|
Responsible Regulator | The Canadian Energy Regulator (CER) is the regulator charged
with administering the CCSPA in respect of interprovincial or international pipeline and power line systems. The Canadian Nuclear Safety Commission (CNSC) is the regulator
The legislation also imposes a reporting obligation to the Communications
|
Cybersecurity Programs | Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
|
Supply Chain Management | Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP. |
Change of Control Reporting | Designated operators are required to notify the CER or the
CNSC, as applicable, of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services. |
Cybersecurity Incident Reporting | Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a
For nuclear energy operators, the obligations to report a
|
Recordkeeping | Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA. These required records must be kept in Canada in accordance with
Nuclear energy companies will be familiar with the recordkeeping
Federally regulated pipeline operators will also be familiar with
|
Compliance with Directions | The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system. The CER or the CNSC are also granted powers to order a designated
|
Disclosure Restrictions on Confidential
Information |
The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the CER/CNSC under the CCSPA is also generally prohibited. |
Inspections and Audits | The CER and the CNSC, as applicable, are granted broad audit
and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. The CER and the CNSC, as applicable, may also order a designated
These broad inspection powers are in addition to those previously
|
Enforcement | Enforcement of the CCSPA includes administrative monetary
penalties regime for noncompliance with the legislation. Of course, operators in the nuclear energy sector will be familiar with the administrative penalties regime under the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) (AMPR CNSC) as will operators with federally regulated pipelines under the Administrative Monetary Penalties Regulations (National Energy Board) (AMPR NEB). Directors and officers of designated operators are party to any
The CCSPA states that the purpose of a penalty is to promote
The range of penalties are to be prescribed by regulation, but
Noncompliance with certain provisions of CCSPA may alternatively be
The CCSPA also authorizes the CER and the CNSC, as applicable, to
|
Federally Regulated Transportation
Systems |
|
---|---|
Scope | Federally regulated transportation systems have been identified
in the legislation as systems that are vital to national security and/or public safety. The CCSPA authorizes the Federal Cabinet to designate a class of
|
Responsible Regulator | The Minister of Transport is the regulator charged with
administering the CCSPA in respect of federally regulated transportation systems. The legislation also imposes a reporting obligation to the Communications
|
Cybersecurity Programs | Designated operators will be required to establish a
cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
|
Supply Chain Management | Designated operators must take reasonable steps to mitigate any
identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP. |
Change of Control Reporting | Designated operators are required to notify the Minister of
Transport of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services. |
Cybersecurity Incident Reporting | Designated operators will be required to report a
“cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a
|
Recordkeeping | Designated operators must keep certain records, including
copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA. These required records must be kept in Canada in accordance with
|
Compliance with Directions | The CCSPA grants the Federal Cabinet broad authority to issue
directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system. The Minister of Transport is also granted powers to order a
These powers are similar to those already granted to the Minister
|
Disclosure Restrictions on Confidential
Information |
The CCSPA prohibits the disclosure of certain confidential
information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Transport under the CCSPA is also generally prohibited. |
Inspections and Audits | The Minister of Transport is granted broad audit and inspection
powers under the CCSPA, which are not limited to the physical premises of the designated operator. The Minister of Transport may also order a designated operator to
Aircraft operators will be familiar with the similarly broad
|
Enforcement | Enforcement of the CCSPA includes administrative monetary
penalties regime for noncompliance with the legislation. Railway operators will be familiar with the regime under the Railway Safety Administrative Monetary Penalties Regulations (RSAMPR) as will marine transport operators under the Administrative Monetary Penalties and Notices (CSA 2001) Regulations (AMPNR). Directors and officers of designated operators are party to any
The CCSPA states that the purpose of a penalty is to promote
The range of penalties are to be prescribed by regulation, but
Noncompliance with certain provisions of CCSPA may alternatively be
The CCSPA also authorizes the Minister of Transport to enter into
|
For permission to reprint articles, please contact the
Blakes Marketing Department.
© 2020 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.