Canadian federal financial institutions suffered almost three times as many serious reportable IT incidents in 2023 as in the year before, a parliamentary committee debating proposed cybersecurity legislation for overseeing the country’s critical infrastructure providers was told Monday.
In 2023, there were 28 Priority 1 incidents reported to the Office of the Superintendent of Financial Institutions (OSFI), compared to 2022, when there were only 10 Priority 1 incidents reported.
Priority 1 covers “high impact incidents that cause disruption of service or leakage of data,” Tolga Yalkin, an assistant superintendent at the OSFI, told MPs. The agency later clarified to IT World Canada that a Priority 1 incident covers various sources of potential technology disruption, including but not limited to cyber-attacks.
The OSFI oversees 400 federally-regulated institutions, including 80 banks and 43 trust companies, as well as insurance companies.
The release of the two numbers is a rare view into the extent of serious IT incidents suffered by federally regulated Canadian banks, trust companies, and insurance firms.
“We are concerned with that number growing,” Yalkin told MPs. “We are tracking it very carefully. We are eagerly watching to see whether or not the trajectory continues to grow. This [cybersecurity] is an area of risk for financial institutions.”
Yalkin was testifying before the House of Commons national security committee looking into Bill C-26, which would force designated banks, telecommunications companies, and interprovincial transportation and energy firms to meet certain cybersecurity standards to protect their IT networks and report incidents to the government.
The legislation would impose some obligations on Canadian banks. But, Yalkin said, banks already have to follow OSFI cybersecurity risk management guidelines.
Bill C-26 has two parts: One would amend the Telecommunications Act to give the federal cabinet and the Minister of Industry the power to order designated telecom providers to do “anything” to secure their systems against a range of threats.
The bill would also create the Critical Cyber Systems Protection Act (CCSPA), which would apply to other critical infrastructure providers. Initially, these would be limited to banking, financial clearing firms, interprovincial transport and energy companies, and nuclear power operators. Similar to the Telecommunications Act changes, it would create a cyber security compliance regime for designated firms. Included would be a requirement to report cyber incidents “immediately” to the Canadian Security Establishment (CSE), the branch of the Defence Department responsible for government cybersecurity.
Industry witnesses have worried about having to report serious incidents immediately, preferring that the law or regulations follow the American practice of reporting to government regulators within 72 hours. The U.S. Federal Communications Commission just modified its data breach notification rules for telcos: The FCC, the FBI and the Secret Service have to be notified within seven days, and customers within 30 days.
Also at Monday’s committee meeting, a University of Toronto IT professor emeritus called C-26 “a very one-sided bill” that allows CSE to gather too much sensitive information.
CSE has a “boundless appetite for data collection,” Andrew Clement told the committee.
The proposed legislation needs “substantial” amendments to ensure the “sweeping and secretive powers it grants the government do not override other equally vital values such as privacy, freedom of expression, judicial transparency and government accountability.”
Eric Smith, senior vice-president of the Canadian Telecommunications Association (CTA), which represents the country’s major telcos, said the legislation allowing the Industry minister to order telcos to do — or not do — anything in the name of security “could be broadly interpreted.”
That could range from cutting off service to an organization or individual, he said, or putting equipment on a telco’s network that would weaken encryption or intercept communications. The CTA is asking MPs to amend C-26 to give the government only the power to issue “reasonably necessary” orders to telcos. The law should also say compliance orders can only be made after the Industry minister has consulted with a list of experts — some of whom may be in the government — to ensure the orders are proportionate to the risk. An order should only have a limited impact on a telco’s service availability, the CTA says, and should be economically and operationally feasible for affected service providers.
Even without C-26, in 2022 the government ordered telcos to remove some equipment from specific companies, Smith noted. That was a reference to the removal of equipment made by China’s Huawei and ZTE.
The CTA is asking C-26 be amended so carriers can at least ask the government for compensation if it has to remove or add networking gear.
It is also asking that the legislation allow a carrier a due diligence defence – that it tried to protect its IT network in good faith – if the government alleges the carrier violated an order. A due diligence defence is allowed for other critical infrastructure providers, Smith noted.
Federal privacy commissioner Philippe Dufresne asked for several changes to C-26, including limiting the ability of the government to share sensitive information that critical infrastructure providers would have to hand over to CSE with other departments or foreign governments; and that the government would have to report to him or Parliament the number and purpose of secret orders it issues under the law to a critical infrastructure provider.
Angelina Mason, general counsel and senior vice-president of the Canadian Bankers Association, which represents 60 of the country’s banks, asked MPs to add greater safeguards for the protection of confidential information banks would have to give the government; protect banks from civil and criminal prosecution for good faith compliance with the act’s reporting requirements and cybersecurity directives; and make the government share its cybersecurity information with the private sector.