Authors: Alessandra (Ali) Harkness and Harleen Badwal
Companies operating in critical infrastructure sectors such as telecommunications, finance, energy and transportation are constantly challenged to reconcile their varying compliance obligations across multiple jurisdictions. Proposed and forthcoming federal cybersecurity obligations in Canada and the United States are among the latest challenges these companies face.
Both countries have introduced legislation to protect and maintain oversight over critical infrastructure cybersecurity incidents at the federal level, including by requiring the reporting of high-priority cybersecurity incidents. This article compares the reporting obligations in both jurisdictions with the aim of assisting companies in streamlining and reconciling compliance.
Our comparison of Canada’s proposed Critical Cyber Systems Protection Act (CCSPA) and the United States’ forthcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) indicates the following:
In June 2022, the House of Commons introduced Bill C-26, which would enact the CCSPA and amend other statutes including the Telecommunications Act. If passed, the CCSPA would impose new compliance and reporting duties on certain entities in the federally regulated private sector.
The CCSPA would apply to “designated operators” who own, control or operate a “critical cyber system” in the federally regulated telecommunications, finance, energy or transportation sectors. While the current draft of the CCSPA has not yet identified any “designated operators”, a “critical cyber system” is defined as “a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information … that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system”.
The CCSPA identifies six vital systems and services, the designated operators of which would therefore be within the scope of the CCSPA’s requirements:
| Vital service or system | Regulator |
|---|---|
| Telecommunications services | Ministry of Industry |
| Interprovincial or international pipeline and power line systems | Canada Energy Regulator |
| Nuclear energy systems | Canadian Nuclear Safety Commission |
| Transportation systems under federal jurisdiction (shipping, rail, air) | Minister of Transport |
| Banking systems | Office of the Superintendent of Financial Institutions |
| Clearing and settlement systems | Bank of Canada |
The CCSPA would allow the federal government to specify the classes of designated operators that own, control or operate one of these vital services or systems and that would therefore be subject to the Act. No classes of designated operators have been specified in the current draft of the CCSPA.
The government would also be able to add other federally regulated systems and services to the list above, thus making them subject to CCSPA's requirements.
The introduction of the CCSPA by the Canadian government aligns with U.S. efforts to regulate the security of critical infrastructure. In March 2022, President Joe Biden signed into law the CIRCIA.
The legislation requires companies operating in critical infrastructure sectors to report certain types of cyber incidents within 72 hours of discovering the incident (or within 24 hours if they make a ransom payment). The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. federal agency under the Department of Homeland Security. CISA works to understand and reduce risk to the cyber and physical infrastructure in the United States and is responsible for the implementation of the CIRCIA. CISA is required to distribute a proposed implementing regulation by March 15, 2024, and a final regulation no later than 18 months thereafter.
CIRCIA applies to a broader range of sectors than the CCSPA. CIRCIA will apply to “covered entities” operating in one of 16 critical infrastructure sectors when such an entity reasonably believes that a “covered cyber incident” has occurred. The precise meaning of both terms will be set by the Director of the Cybersecurity & Infrastructure Security Agency through a mandatory rule-making process. However, existing definitions within CIRCIA provide some indication of the scope of both terms.
Covered entities will be identified from within the critical infrastructure sector they are associated with, a list of which is set out below. The term “incident” is further defined as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system”. We also know that a “covered cyber incident” is “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director”.
Below we have listed the 16 critical infrastructure sectors and sector-specific agencies enumerated in Presidential Policy Directive 21:
| Critical infrastructure sector | Sector-specific agency |
|---|---|
| Chemical | Department of Homeland Security |
| Commercial Facilities | Department of Homeland Security |
| Communications | Department of Homeland Security |
| Critical Manufacturing | Department of Homeland Security |
| Dams | Department of Homeland Security |
| Defense Industrial Base | Department of Defense |
| Emergency Services | Department of Homeland Security |
| Energy | Department of Energy |
| Financial Services | Department of the Treasury |
| Food and Agriculture | U.S. Department of Agriculture and Department of Health and Human Services |
| Government Facilities | Department of Homeland Security and General Services Administration |
| Healthcare and Public Health | Department of Health and Human Services |
| Information Technology | Department of Homeland Security |
| Nuclear Reactors, Materials, and Waste | Department of Homeland Security |
| Transportation Systems | Department of Homeland Security and Department of Transportation |
| Water and Wastewater Systems | Environmental Protection Agency |
Below we have highlighted the key differences between the Canadian and U.S. legislation.
Scope of a notifiable incident
CCSPA (Canada): A notifiable cybersecurity incident means, in respect of a critical cyber system, an incident, including an act, omission or circumstance, that interferes or may interfere with:
Note that a designated operator must also notify the appropriate regulator of other significant events, such as a material change in the designated operator’s ownership or control, cybersecurity program, or use of third-party products or services. The timelines for notification can vary.
CIRCIA (US): CISA must determine what constitutes a covered cyber incident. Currently, CIRCIA sets out that a notifiable incident must include at least one of the following:
Content of cyber incident reporting
CCSPA (Canada): The contents and manner of reporting will be specified in regulations. The CCSPA notes that the reporting will be “for the purpose of enabling the Communications Security Establishment to exercise its powers or perform its duties and functions”.
CIRCIA (US): CISA is tasked with determining the contents of reporting covered cyber incidents and ransom payments. CIRCIA currently states that at least the following contents must be included:
Timeline of cyber incident reporting and who to report to
CCSPA (Canada): A designated operator must immediately report a cybersecurity incident affecting any of its critical cyber systems to the Communications Security Establishment (CSE) and then to the appropriate regulator.
CIRCIA (US): CIRCIA has two reporting requirements: one for “covered cyber incidents” and another for “ransom payments”. A covered entity that experiences a covered cyber incident must report the incident to the Department of Homeland Security (DHS) and CISA within 72 hours of the entity’s reasonable belief that a covered cyber incident has occurred. A covered entity that makes a ransom payment due to a ransomware attack against the entity will be required to report that payment to DHS and CISA within 24 hours after making the payment.
Exception to cyber incident reporting
CCSPA (Canada): N/A
CIRCIA (US): CIRCIA provides an exception to reporting requirements for entities that are already required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, as long as an agreement exists between CISA and the other agency.
Record keeping/data preservation
CCSPA (Canada): A designated operator must keep a record of the following information in Canada at any place prescribed by the regulations or at the designated operator’s place of business:
CIRCIA (US): Covered entities must preserve data related to covered cyber incidents or ransom payments they report. CISA must determine the types of data to be preserved and the retention period for such data.
Confidentiality provisions
CCSPA (Canada): “Confidential information” is defined as information obtained under the CCSPA regarding a critical cyber system and which either concerns a vulnerability of the system or, if disclosed, could have a significant impact on a designated operator. There is a general prohibition on disclosing confidential information, subject to a number of exceptions, including when the disclosure is:
CIRCIA (US): Reports that describe covered cyber incidents or ransom payments are kept confidential and do not constitute a waiver of any applicable privilege or protection provided by law regarding the information they contain. The reports are also exempt from federal, state or local freedom of information laws that could compel their disclosure.
Enforcement powers
CCSPA (Canada): Regulators may enter a place where they have reasonable grounds to believe that a CCSPA-regulated activity is being conducted, or that a document, information or thing relevant to the CCSPA is located. Upon entry, regulators may, among other things:
Moreover, regulators may order designated operators to conduct internal audits within specified parameters to determine whether the designated operator is in compliance with any provision of the CCSPA.
CIRCIA (US): If CISA has reason to believe that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report it, CISA may request additional information from that entity to determine whether such an incident or payment occurred. If the covered entity fails to respond to CISA’s request within 72 hours, CISA may issue a subpoena to compel disclosure of the information it seeks from that entity. If the covered entity fails to comply with the subpoena, CISA may refer the matter to the Attorney General to bring a civil action to enforce the subpoena.
Penalties
CCSPA (Canada): The CCSPA proposes administrative monetary penalties and criminal sanctions for statutory offences. Both types of penalties include director and officer liability, where that individual directs, authorizes, assents to, acquiesces in or participates in a violation of the CCSPA. Administrative monetary penalties for each violation may not exceed $1 million for individuals and $15 million for other cases. Moreover, a violation of certain provisions in the CCSPA is a punishable offence. Individuals may be sentenced to up to two years on summary conviction or five years on conviction on indictment. For both convictions, individuals and corporations are liable for fines at the court’s discretion.
CIRCIA (US): If the entity does not comply with an issued subpoena, CISA may refer the matter to the Attorney General, who may bring a civil action. An entity’s failure to comply with the subpoena may be punishable by contempt. It is expected that more details of how enforcement provisions will be implemented will be developed during the rule-making process.
While neither regime is currently in force, companies likely subject to one or both should consider four points to be proactive.
First and most immediate, there are likely industry advocacy and feedback opportunities with respect to the requirements set out above. For Canada, this includes anything under the scope of the CCSPA and the rest of Bill C-26, as the Bill has not yet progressed to Committee. Advocacy and feedback opportunities for the CIRCIA rulemaking process in the United States will have to be more informal, as CISA’s formal “request for information” stage recently concluded.
Second, companies in Canada should give significant consideration to how they will protect information subject to solicitor/attorney-client, litigation and other legal privileges. Protecting privilege could be particularly challenging in the event of a cybersecurity incident in Canada, given the extensive enforcement (including search and seizure) powers afforded to regulators, the record-keeping requirements imposed on designated operators to demonstrate compliance, and the requirement to immediately notify the CSE and the appropriate regulator upon discovering a cybersecurity incident. Notably, in the United States, CIRCIA provides that reporting an incident does not constitute a waiver of any applicable privilege or protection provided by law regarding the information the report contains; however, companies should still take care not to overreport. This ability to report an incident without waiving any applicable privilege is a potential area for industry advocacy and feedback with respect to Bill C-26.
Third, companies should plan to review and update their incident response plans and cybersecurity policies in accordance with the above reforms. Current and upcoming reviews should make note of upcoming notification requirements and consider the extent to which notice to CISA, the CSE and other regulators can be streamlined (keeping in mind the current lack of privilege protections for notification to the CSE). Reviews should also consider third-party and supply chain risks, including those posed by critical service providers (particularly those providing IT services), key suppliers, and device or product manufacturers. Once more information is provided, companies will also want to explore the extent to which their “critical cyber systems” in Canada, or computer systems that could give rise to a “covered cyber incident” in the United States, can be segregated from other systems and whether doing so would assist in streamlining compliance efforts.
Fourth, companies potentially subject to these reforms should consider how these new requirements could or should impact relationships with other parties. Both companies and governments stand to benefit from more collaboration as the roles of CISA, the CSE, and other regulators evolve—particularly if such relationships can be leveraged for the voluntary sharing of threat intelligence. Companies should also consider whether the incoming requirements should be reflected when contracting for services with third parties. Likewise, service providers should expect increasing cybersecurity standards from regulated customers, particularly when services provided relate to systems that will be covered by the CCSPA or CIRCIA.
© 2024 by Torys LLP.
All rights reserved.