In recent years, Canada's cybersecurity posture has been tested by a variety of threat campaigns targeting critical infrastructure, businesses, and individuals. Increasing digitization has led to the weaponization of digital tools and processes by script kiddies, activists, organized crime groups, and state-sponsored actors. The result has been disruption of critical systems and an erosion of confidence in physical, psychological, and economic well-being.
The advent of both the COVID-19 pandemic and the Ukraine-Russia conflict has been a catalyst for bolstering national and international cyber defence practices, requiring improved policies, guidance, and cyber intelligence. With rising geopolitical tensions, government-directed hostile cyber operations are more prevalent now than ever, posing an increased threat to Canada's security, economic prosperity, and public safety.
The Communications Security Establishment (CSE) has identified critical infrastructure and large enterprises with operational technology assets as lucrative targets for ransomware groups.[1] Moreover, Five Eyes cybersecurity authorities have recently urged critical infrastructure operators to harden their cyber defences amidst growing state-sponsored attacks.[2]
However, with 85% of Canada's critical infrastructure owned and operated by the private sector, provinces, and non-governmental agencies, standardized cybersecurity practices cannot be achieved through industry-derived policy alone; legal frameworks will increasingly be used to drive societal cyber defence improvements.
What is Bill C-26?
On June 14, 2022, the House of Commons of Canada introduced Bill C-26, an Act Respecting Cyber Security (ARCS), proposing new cybersecurity requirements that protect vital systems and services pertinent to Canada's security and public safety.[3]
The objective of Bill C-26 is to improve security in critical sectors, mitigate cyber risk across federally regulated sectors more effectively, and provide the Government of Canada with greater legislative power to respond to threats accordingly.
The bill has two parts:
- Amending the Telecommunications Act to secure Canada's telecommunications systems and prohibit the use of products and services provided by specific telecommunications service providers. This amendment enforces the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure, as well as the removal or termination of related 4G equipment by 2027.
- Enacting the Critical Cyber Systems Protection Act (CCSPA) to provide a comprehensive regulatory framework to protect cyber systems that underpin Canada's critical infrastructure through risk mitigation and reporting, and to foster collaboration between government entities and operators through information sharing.
The effects of this bill will be far-reaching, and here are the top considerations:
- The government will have the power to receive, review, assess, and even intervene in cyber compliance and operational situations within critical industries in Canada.
- Mandatory cybersecurity programs for critical industries.
- Enforcement through regulatory and law enforcement action, with potential financial penalties.
Watch BDO's Bill C-26 Webinar for an in-depth analysis of the key compliance and reporting changes proposed by Bill C-26.
Critical Cyber Systems Protection Act (CCSPA)
Who is impacted?
The CCSPA applies to designated operators of vital services and systems, as well as their relevant regulators. The Governor in Council may add sector-specific systems and services to the list of vital systems, or remove them from it.
| Vital services or systems | Regulator |
|---|---|
| Telecommunications services | Minister of Industry |
| Transportation systems within the legislative authority of the Parliament | Minister of Transport |
| Interprovincial or international pipeline and power line systems | Canada Energy Regulator |
| Nuclear energy systems | Canadian Nuclear Safety Commission |
| Banking systems | Office of the Superintendent of Financial Institutions |
| Clearing and settlement systems | Bank of Canada |
Requirements of the CCSPA
The CCSPA would require designated operators to design and implement the following controls:
a. Establish a cybersecurity program
A cybersecurity program must be established within 90 days of being classified as a designated operator.
A well-defined cybersecurity program accounts for the organization's business objectives, risk profile, regulatory and compliance requirements, and external threat landscape. It should also have active participation from the executive board, senior management, employees, contractors, and third-party vendors.
The program must meet the following criteria:
- Identify cybersecurity risks within the organization, including supply chain threats and the use of third-party products and services.
- Implement technologies to proactively detect threats to critical cyber systems (CCS) and protect them from being compromised.
- Devise mitigation plans to align risks with corresponding risk appetite levels and minimize the impact of a cyber incident on CCS.
- Track the regulatory requirements and ensure compliance.
The program must be reviewed within 60 days after each anniversary of its establishment. The regulator must be notified, within 30 days of the review, of any changes made or to be made as a result of it.
Designated operators will be required to immediately notify regulators in the event of any significant change in ownership/control, use of third-party services, or any clauses prescribed in the regulation.
b. Implement a process to report cybersecurity incidents
A cybersecurity incident is defined by Bill C-26 as an act, omission, or circumstance that interferes or may interfere with the continuity or security of the vital service or system, or the confidentiality, integrity, and availability of the critical cyber system.
Designated operators must report cybersecurity incidents impacting their critical cyber systems' operations to both:
- The appropriate regulator associated with their critical infrastructure sector.
- The Communication Security Establishment's (CSE's) Canadian Centre for Cyber Security.
The Cyber Centre will investigate the incident and provide mitigation advice. Designated operators must follow the Cyber Centre's recommendations to reduce risk and protect their critical systems.
Regulators may have varying requirements for what constitutes a timely duration of reporting a cyber incident, so please review your reporting obligations with the relevant regulator.
c. Maintain records of all cybersecurity controls
Designated operators will be required to keep records of the following:
- Any steps taken to implement the designated operator's cybersecurity program, spanning people, process, and technology controls. This includes all steps implemented across the five cyber domains – identify, protect, detect, respond, and recover.
- Every cybersecurity incident that the designated operator reported.
- Any steps taken by the designated operator to mitigate any supply-chain or third-party risks.
- Any measures taken by the designated operator to implement a cybersecurity direction.
- Any other matter prescribed by the regulations.
Designated operators will be required to keep records in Canada at a place prescribed by regulation or, if no place is prescribed, at their place of business. They will also be required to keep records in the manner and for the period determined by the appropriate regulator unless another manner or period is prescribed by regulation.
Overall Implications and Governmental Powers
Conditions to operate
In practical terms, cybersecurity programs become part of the designated operator's licence to operate. The federal government can enact regulations imposing requirements the programs must meet. However, defining these requirements is a responsibility shared between the Government of Canada and the associated regulator.
The bill allows the federal government to share technical or confidential information, as necessary, to protect vital infrastructure. Specifically, the Cyber Centre would be able to:
- Share its findings with designated operators belonging to the same sector.
- Inform regulators of a designated operator's failure to implement a cybersecurity program.
Receiving guidance from the Communications Security Establishment (CSE)
If regulators request advice, guidance, or services from CSE, the regulator may provide to CSE any information, including confidential information, about the designated operator's cybersecurity program and mitigation of risk from the supply chain, or use of third-party products and services.
Compliance with cybersecurity directions
The bill allows the federal government to issue cybersecurity directions to designated operators to protect a critical cyber system as they see fit, mandating compliance and maintaining records of compliance.
Each direction must:
- Identify the designated operators.
- Specify the required cybersecurity actions to be employed.
- Outline an implementation period.
Administrative monetary penalties
Upon failure to comply, the bill allows each regulator to issue monetary penalties, with maximum penalties to be established by regulation at amounts of up to $1 million in the case of an individual, and up to $15 million in any other case.
Administrative monetary penalties may be issued for any violation of the CCSPA, including failing to report a cybersecurity incident and failing to comply with a cybersecurity direction.
Regulators will also have the authority to initiate regulatory proceedings leading to fines and possible imprisonment for non-compliance with the provisions of the CCSPA.
Key safeguards that your organization can implement
Security safeguards are meant to protect an organization's information assets from unauthorized disclosure, disruption, access, use, or modification. BDO recommends having the following key safeguards in place to ensure confidentiality, integrity, and availability of your organization's information assets:
- Risk management programs – Build awareness of organizational risk by conducting assessments of your controls and processes, establishing risk registers, assigning roles and responsibilities to manage risk accountably, and developing operating standards that meet compliance requirements. Being risk aware is the first step on the road to cybersecurity maturity.
- Secure platforms and architectures – Utilize secure cloud platforms with built-in security features that accelerate an organization's progress toward a secure posture.
- Continuous monitoring, detection, and response capability – Maximize your threat response capabilities and threat awareness by leveraging tools that provide detection capability with actionable alerting.
- Offensive security – While having procedures and policies in place is important, testing organizational controls by running a simulated test is equally important. Controlled testing that employs a threat actor's tactics can help identify and remediate any weaknesses in your people, process, and technology controls.
- Asset and vulnerability management – Build your IT asset inventory list and leverage tools to identify the vulnerabilities within your network. Removing vulnerabilities in priority assets reduces risk.
- Incident response (IR) and data recovery (DR) procedures – It is not a matter of if one gets breached, but when. Having appropriate IR and DR plans with actionable steps, roles and responsibilities, and offline contact information helps speed your organization's containment and recovery times.
- Threat awareness – Leverage cyber threat intelligence to protect your organization against common threats, and against threat actors discussing or planning attacks on your organization on the dark web.
How can BDO Lixar help?
BDO Lixar's cybersecurity team, with its eight pillars of service, offers a comprehensive approach to cyber management to help you rise to the challenge of today's cyber landscape.
Our team of experts can help you develop the tools and technologies you need to safeguard your critical assets, allowing you to focus on what's most important: growing your core business.
We believe that your business objectives and IT strategy work together to create an effective security strategy that can be leveraged now and for future planning.
Therefore, our team can help you understand your current cybersecurity status, envision future needs, and implement a plan to achieve an optimal cybersecurity maturity level by taking a risk management and a business-forward approach to support your security enhancements.
The cybersecurity team covers every angle of today's business needs with a comprehensive suite of solutions. Our cybersecurity capabilities include:
- Application Security
- Cloud Security
- Cyber Risk Management & Transformation
- Managed Detection & Response
- Offensive Security
- Threat Hunting
- Threat Intelligence
- Vulnerability Management
For more information, contact:
Rocco Galletto, Partner and National Cybersecurity Leader
Rob Philpotts, Director and Lead of Cyber Threat Management & Response
Dishank Rustogi, Senior Manager and Lead of Cyber Risk Management & Transformation
Mark Zuzarte, Director and Lead of Application and Offensive Security
Sacha Blasiak-Priestley, Director and Lead of Cloud Security