Canada’s Bill C-26: A Landmark Step Towards Enhanced Cybersecurity
On September 19, 2023, the Canadian Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. This marks a pivotal moment in the legislative process, as Bill C-26 was initially introduced in the House of Commons in 2022. The progression of this bill signals Canada’s commitment to establishing a robust legislative framework aimed at bolstering cybersecurity across critical cyber infrastructure sectors.
Understanding Bill C-26
If passed, Bill C-26 will introduce a new cybersecurity compliance regime by amending the Telecommunications Act and enacting the Critical Cyber Systems Protection Act (CCSPA). These changes will empower the Governor in Council and the Minister of Industry with enhanced authority to enforce compliance, while also establishing an administrative monetary penalty scheme to incentivize adherence to the new regulations.
The implications of Bill C-26 are significant, particularly for private-sector organizations operating within federally regulated critical infrastructure. This article will summarize the proposed changes and offer recommendations for organizations to prepare for the potential requirements.
Part I: Amendments to the Telecommunications Act
One of the core components of Bill C-26 involves amendments to the Telecommunications Act, aimed at enhancing the security of Canada’s telecommunications system. The proposed changes will grant the Governor in Council and the Minister the authority to issue new orders, conduct inspections, and require telecommunications service providers (TSPs) to take the actions necessary to safeguard the telecommunications infrastructure.
Powers Granted to the Governor in Council
The Governor in Council will have the authority to take several critical actions, including:
- Prohibiting TSPs from using or providing certain products and services that pose security risks.
- Restricting TSPs from offering services to specific entities, including other TSPs.
- Suspending services for a defined period if deemed necessary.
Failure to comply with these orders could result in severe financial penalties, with administrative monetary penalties reaching up to C$10 million for each day of non-compliance, and escalating to C$15 million for subsequent violations.
Part II: Introduction of the Critical Cyber Systems Protection Act (CCSPA)
The CCSPA is a groundbreaking piece of legislation that establishes a cybersecurity compliance regime specifically for federally regulated critical cyber infrastructure. If enacted, the CCSPA will require operators to implement comprehensive cybersecurity programs that align with its objectives.
Key Provisions of the CCSPA
- Cybersecurity Program Requirements: Operators will be mandated to develop and maintain a cybersecurity program that meets the CCSPA’s standards.
- Supply Chain Risk Management: Operators must take reasonable steps to mitigate cybersecurity risks associated with their supply chains and third-party products and services.
- Incident Notification Obligations: In the event of a cybersecurity incident, operators will be required to notify the Communications Security Establishment (CSE) and their responsible regulator, ensuring prompt action to mitigate risks.
Additionally, designated operators may be required to disclose confidential information to the federal government if it pertains to national security.
Who Will Bill C-26 Apply To?
The scope of Bill C-26 is extensive. Part I applies to TSPs and any transmission facilities of a Canadian carrier, including:
- Local voice service providers
- Voice-over-IP service providers
- Internet service providers
- Long-distance service providers
- Wireless and payphone service providers
Part II applies to designated operators engaged in “critical cyber systems” within the federally regulated private sector. According to Schedule 1 of the CCSPA, these vital services include:
- Telecommunications services
- Interprovincial or international pipeline and power line systems
- Nuclear energy systems
- Transportation systems under federal jurisdiction
- Banking systems
- Clearing and settlement systems
Preparing for Bill C-26
As Bill C-26 progresses through the Senate, organizations that fall under its purview should take proactive steps to prepare for the impending requirements:
- Assess Status: Determine if your organization qualifies as an “operator” under the CCSPA and identify any customers, clients, vendors, or third-party stakeholders that may also be affected.
- Evaluate Cybersecurity Programs: Review existing cybersecurity programs against the CCSPA’s requirements to ensure compliance within 90 days of being classified as a designated operator.
- Implement Third-Party Risk Management: Develop or enhance a third-party cyber risk management program to assess and mitigate supply chain risks.
- Regular Assessments: Establish a process for regular assessments of cybersecurity programs to ensure they remain compliant with the Acts’ regulations.
- Employee Training: Provide ongoing cybersecurity training for employees, ensuring that training programs meet industry standards.
- Incident Response Plan: Create a comprehensive response plan for potential cybersecurity incidents.
- Consult Experts: Engage legal advisors and cybersecurity experts to implement best practices tailored to your organization’s needs.
Conclusion
Bill C-26 represents a significant advancement in Canada’s cybersecurity landscape. While it has yet to be enacted—requiring further readings in the Senate—it is crucial for organizations affected by the bill to begin preparing for the upcoming requirements. By implementing robust cybersecurity practices, organizations can enhance their resilience against cyber threats and safeguard their operations in an increasingly interconnected world.
As the legislative process unfolds, we will continue to provide updates on Bill C-26 and its implications for Canadian cybersecurity.