June 14, 2022 - Private Sector

Federal Government Introduces Cyber Security Statutory Framework for Critical Infrastructure 

Today, the Government of Canada introduced Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, for its first reading in Parliament.

Part 2 of the Bill would enact the Critical Cyber Systems Protection Act (CCSPA), to “provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety”.

The CCSPA would allow Cabinet to designate any service or system as “vital”, a list that presently includes:

  • telecommunications services,
  • interprovincial or international pipeline and power line systems,
  • nuclear energy systems,
  • transportation systems within federal legislative authority,
  • banking systems, and
  • clearing and settlement systems.

The CCSPA would allow Cabinet to establish classes of operators in respect of a vital service or system. Among other things, the CCSPA would require every such “designated operator” to establish a cyber security program to:

  • outline reasonable steps to identify and manage any organizational cyber security risks,
  • protect its critical cyber systems from being compromised,
  • detect security incidents with the potential to affect its critical cyber systems, and
  • manage the impact of cyber security incidents.

The CCSPA would also introduce obligations on designated operators to immediately report cyber security incidents to the Communications Security Establishment, as well as to one of several applicable regulatory authorities. Designated operators would also be required to maintain cyber security records.

If Bill C-26 passes, designated regulatory authorities (the Office of the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transport) would be granted powers to ensure that designated operators comply with the CCSPA. These powers are enumerated with regard to each regulator and include the authority to enter places, the power to order internal audits, and the power to issue compliance orders and enter into compliance agreements.

Critically, each of these regulatory authorities would also be able to issue administrative monetary penalties of up to $15,000,000 for each violation of the CCSPA. A due diligence defence would be available to any person that commits such a violation. 

The AccessPrivacy team will address issues arising from the introduction of Bill C-26 in our next Monthly Privacy Webinar, to be held on June 22, 2022. Please visit the event page to register for free.