On June 14, 2022, the Canadian government tabled Bill C-26, An Act Respecting Cyber Security (ARCS), [1] which introduces significant new cybersecurity requirements for federally regulated industries and new national security requirements for the telecommunications sector. As it is currently drafted, ARCS would create a comprehensive framework for regulating the security of Canadian critical infrastructure and enhancing oversight over telecommunications security:
As noted in the official Backgrounder, ARCS is intended to empower the Canadian government to respond to emerging cyber threats and strengthen baseline cyber security for vital services and systems. In the current cyber risk landscape, operators of critical infrastructure are recognized as being at a heightened risk of cyber-attacks from malicious actors given the potential for severe disruption. [2] For enterprises in the telecommunications, energy, finance, and transport sectors in particular, ARCS is a strong signal that the Canadian government intends to take these risks seriously by increasing its regulatory supervision and intervention going forward.
The Critical Cyber Systems Protection Act (CCSPA), which ARCS would enact, would apply to operators in the telecommunications, energy, finance, and transport sectors. More specifically, under the CCSPA, the Canadian government may designate:
The requirements of CCSPA apply to designated operators that own, control or operate a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information [] that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system (critical cyber system).
Although the current draft of CCSPA lists no designated operators in its Schedule 2, it enumerates six vital systems and services in its Schedule 1, each with a corresponding regulator:
Designated operators must comply with four key requirements under CCSPA:
1. Establish, implement, maintain, and review a cyber security program;
2. Report cyber security incidents;
3. Comply with cyber security directions; and
4. Maintain records of compliance and incidents.
Designated operators must establish, implement, and maintain a cyber security program as it relates to their critical cyber systems. In addition to any requirements prescribed by regulations, these cyber security programs must include reasonable steps to:
1. Identify and manage cyber security risks, including risks associated with their supply chain and their use of third-party products and service providers;
2. Protect their critical cyber systems from being compromised;
3. Detect cyber security incidents that are affecting or potentially may affect their critical cyber systems; and
4. Minimize the impact of cyber security incidents affecting critical cyber systems.
Within 90 days after being designated (or a longer period at the regulator's discretion), designated operators must establish their cyber security program, notify the appropriate regulator in writing confirming that they have done so, and provide the regulator with a copy. Designated operators must also:
Designated operators must immediately report cyber security incidents affecting their critical cyber systems to the Communications Security Establishment (CSE), [3] followed by notification to the appropriate regulator, who is entitled to a copy of the report from both the designated operator and the CSE upon request.
CCSPA defines a cyber security incident as an act, omission, or circumstance that interferes or may interfere with (a) the continuity or security of a vital service or system; or (b) the confidentiality, integrity, or availability of a critical cyber system.
These reporting obligations are in addition to existing obligations. For example:
Designated operators must comply with cyber security directions made by the Canadian government, which may include specific measures and conditions for the purpose of protecting a critical cyber system, as well as a timeline for compliance.
Cyber security directions must be kept confidential by the designated operator, which may not disclose their existence and content, except to the extent required for compliance. However, CCSPA expressly permits extensive information collection and sharing between designated Canadian government officials and entities in relation to cyber security directions.
Designated operators must keep records related to each of their obligations under CCSPA, which differ from recordkeeping requirements in privacy laws. Records must document reported cyber security incidents and steps taken to implement the cyber security program, to mitigate supply chain or third-party risks, and to implement cyber security directions.
In addition, designated operators are required to keep all records in a prescribed manner in Canada, at a prescribed location or otherwise at their place of business. Absent evidence to the contrary, entries in records will serve as proof against the person who made the entry or the designated operator required to keep the record.
Regulators are granted broad enforcement powers to verify compliance or prevent non-compliance with CCSPA. Regulators may enter a place where they have reasonable grounds to believe that a CCSPA-regulated activity is being conducted or that a document, information or thing relevant to that purpose is located there. Regulators may exercise powers such as examining anything at the place, taking or copying any document or data, and using any cyber system (or causing it to be used) to examine information available through the system. Moreover, regulators are entitled to all reasonable assistance from the owner or operator of the place, and anyone found there.
To prevent non-compliance or mitigate the risks thereof, regulators may also audit an operator and issue a compliance order.
CCSPA also balances its broad disclosure requirements with certain protections for confidential information, which is defined as information (1) about vulnerabilities or protection measures of critical cyber systems of a designated operator that is treated confidentially; (2) that could reasonably be expected to have a material financial impact on the operator or prejudice their competitive position; or (3) that could reasonably be expected to interfere with their negotiations.
Accordingly, confidential information may only be disclosed under specific circumstances, including legal requirements, consent of the designated operator, and necessity for the protection of vital services, systems or critical cyber systems. Moreover, confidential information may be shared under agreements or arrangements between certain government entities and regulators.
CCSPA relies on both an administrative monetary penalty regime and statutory offences regime for enforcement of its provisions, similar to the one in the Telecommunications Act. Either regime can involve the personal liability of directors and officers that direct, authorize, assent to, acquiesce in or participate in a violation of the CCSPA, which can result in significant fines or imprisonment.
Eventual regulations may classify violations as minor, serious or very serious and determine the maximum penalty for each type of violation. However, penalties for each violation may not exceed $1,000,000 for individuals and $15,000,000 for other cases.
Designated operators have the right to make representations or exercise a defence of due diligence. Regulators are granted discretion to correct errors in a notice of violation, cancel it or enter into compliance agreements with terms the regulator considers appropriate, including the reduction of the amount of the penalty in part or in whole.
Violations of certain provisions of CCSPA are punishable offences. Individuals and corporations are liable for fines at the discretion of the court. Moreover, individuals may be sentenced to a term of up to two years on summary conviction or five years upon conviction on indictment.
ARCS also establishes special rules for securing the telecommunications sector, recognizing its importance to national security. Part 1 of ARCS would amend the Telecommunications Act to provide the Canadian government and the Minister of Industry with sweeping new regulatory powers to secure the Canadian telecommunications system.
The amendments would also add the promotion of the security of the Canadian telecommunications system to the Canadian telecommunications policy objectives. This would provide the Canadian Radio-television and Telecommunications Commission (or CRTC) with an express statutory basis to consider security ramifications when crafting regulatory policies affecting the industry.
ARCS would amend the Telecommunications Act to enable the Canadian government and the Minister to make orders respecting a telecommunications service provider's (TSP's) (i) use of products and services of specific vendors and other TSPs in telecommunications networks; and (ii) provision of specific telecommunications services in Canada (each a form of security order).
The distinction between these two types of security order is important: one form of security order relates to inputs (both physical products and services) into telecommunications networks, and the other relates to the type of telecommunications services that a TSP may offer using telecommunications networks. However, both must be based on the opinion that the security order is necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.
Specifically, the Canadian government may make a security order that:
Separately, the Minister of Industry will be given the authority to:
The Minister of Industry will also have the power to order precise measures, such as imposing conditions on a TSP's use of a specific product or service, prohibiting a TSP from entering a service agreement (or requiring the termination of an existing agreement), requiring TSPs to develop a security plan, requiring a TSP to conduct vulnerability assessments and mitigate identified vulnerabilities, or requiring that a TSP implement specified standards in relation to their products and services. The enumerated powers are not exhaustive, meaning the Minister has very broad power to determine the contents of a security order, subject only to general administrative law principles.
Significantly, the Canadian government and the Minister will have the authority to prohibit the disclosure or publicization of any security order, meaning these decision-makers will be able to make each form of security order without other actors in the telecommunications industry, or indeed the public, being aware.
Similar to the CCSPA, ARCS also provides the Minister of Industry with a broad power to compel the production of information, subject to limited exceptions. Specifically, the Minister may require any person to provide any information that the Minister believes on reasonable grounds is relevant for the purpose of making, amending or revoking a security order. Information provided in response may be designated as confidential if it includes trade secrets, commercial, scientific or technical information that is consistently treated as confidential, and information that may result in economic prejudice if disclosed.
The Minister may designate any qualified person as an inspector for the purpose of verifying compliance or preventing non-compliance with a security order.
ARCS extends the existing administrative monetary penalty regime in the Telecommunications Act to ensure compliance with the security order provisions and other new obligations. Specifically, violations of these new obligations expose individuals and corporations to penalties of up to $25,000 and $10,000,000, respectively, for a first violation and to $50,000 and $15,000,000, respectively, for each subsequent violation. These penalties are made even more substantial by the fact that each day that a violation continues constitutes a separate violation.
Although many details will need to be clarified in its regulations, ARCS becoming law would represent a significant development in Canadian cybersecurity law and the telecommunications security landscape.
Operators involved with critical cyber systems in federally regulated industries, particularly those which qualify as a vital system or service, should carefully review its provisions and evaluate the potential compliance issues based on their existing cybersecurity practices. In particular, operators potentially subject to these requirements should consider preparatory measures, including:
Given the requirements for designated operators to manage third-party risks, service providers and suppliers who do business with them should prepare for closer scrutiny of their cybersecurity standards and consider similar preparatory measures.
TSPs should strategically prepare for federal political decision makers being given new legal and policy tools to shape the Canadian telecommunications industry by denying access to commercial actors who may present a risk to the Canadian telecommunications system.
From a national security perspective, ARCS and the anticipated CCSPA represent the fulfilment of a national critical infrastructure protection initiative that began in 2009 with the first federal-provincial National Strategy for Critical Infrastructure. [4] With the advent of the Internet of Things, cyber threats to Canada's essential security interests can increasingly manifest in real-world consequences. The growing digital interconnectivity of these systems in relation to critical infrastructure represents a vulnerability that ARCS looks to address by achieving a baseline level of cyber resilience and recoverability.
Fasken offers a suite of services to assist organizations in their cybersecurity journey, including:
Please contact our Privacy and Cybersecurity group, National Security group, or Technology, Media and Telecommunications group for more information.
For more information on the potential implications of the new Bill C-27, Digital Charter Implementation Act, 2022, please see our bulletin on this topic.
[1] Short title of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, 1st Sess, 44th Parl, 2022, 70-71 (First Reading, June 2022).
[2] See Canadian Centre for Cyber Security, National cyber threat assessment 2020 (2020), online: https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020
[3] Subject to being prescribed in CCSPA or its regulations, engagement with the CSE will potentially be conducted through the Canadian Centre for Cyber Security, which is the arm of the CSE responsible for securing national critical infrastructure.
[4] For the most recent version, see: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx
New Cybersecurity Requirements in Critical Infrastructure: Assessing the Impact of Bill C-26, An Act Respecting Cyber Security (ARCS) - Fasken