Cybersecurity requirements for critical infrastructure: Canada vs. the U.S.

Vital service or system

Regulator

Telecommunications services

Ministry of Industry

Interprovincial or international pipeline and power line systems

Canada Energy Regulator

Nuclear energy systems

Canadian Nuclear Safety Commission

Transportation systems under federal jurisdiction (shipping, rail, air)

Minister of Transport

Banking systems

Office of the Superintendent of Financial Institutions

Clearing and settlement systems

Bank of Canada

Critical infrastructure sector

Sector-specific agency

Chemical

Department of Homeland Security

Commercial Facilities

Department of Homeland Security

Communications

Department of Homeland Security

Critical Manufacturing

Department of Homeland Security

Dams

Department of Homeland Security

Defense Industrial Base

Department of Defense

Emergency Services

Department of Homeland Security

Energy

Department of Energy

Financial Services

Department of the Treasury

Food and Agriculture

U.S. Department of Agriculture and Department of Health and Human Services

Government Facilities

Department of Homeland Security and General Services Administration

Healthcare and Public health

Department of Health and Human Services

Information Technology

Department of Homeland Security

Nuclear Reactors, Materials, and Waste

Department of Homeland Security

Transportation Systems

Department of Homeland Security and Department of Transportation

Water and Wastewater Systems

Environmental Protection Agency

CCSPA (Canada)

CIRCIA (US)

Scope of a notifiable incident

A notifiable cybersecurity incident means, in respect of a critical cyber system, an incident, including an act, omission or circumstance, that interferes or may interfere with:

• the continuity or security of a vital service or vital system; or
• the confidentiality, integrity or availability of the critical cyber system.

Note that a designated operator must also notify the appropriate regulator of other significant events, such as a material change in the designated operator’s ownership or control, cybersecurity program, or use of third-party products or services. The timelines for notification can vary.

CISA must determine what constitutes a covered cyber incident. Currently, CIRCIA sets out that a notifiable incident must include at least one of the following:

• unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of that information system or network, or has a serious impact on the safety and resiliency of operational systems and processes;
• disruption of business or industrial operations due to a denial-of-service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against (i) an information system or network; or (ii) an operational technology system or process; or
• unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.

Content of cyber incident reporting

The contents and manner of reporting will be specified in regulations. The CCSPA notes that the reporting will be “for the purpose of enabling the Communications Security Establishment to exercise its powers or perform its duties and functions”.

CISA is tasked with determining the contents of reporting covered cyber incidents and ransom payments. CIRCIA currently states that at least the following contents must be included:

• a description of the covered cyber incident;
• a description of the vulnerabilities that were exploited, the techniques and procedures used by the attackers, and the defenses the entity had in place;
• identifying information related to the perpetrator;
• identification of the categories of information accessed by the attackers; and
• in the case of a ransomware event, the ransom instructions, the type of payment requested, and the date and amount of the ransom payment.

Timeline of cyber incident reporting and who to report to

A designated operator must immediately report a cybersecurity incident affecting any of its critical cyber systems to the Communications Security Establishment (CSE) and then to the appropriate regulator.

CIRCIA has two reporting requirements: one for "covered cyber incidents" and another for "ransom payments".

A covered entity that experiences a covered cyber incident must report the incident to the Department of Homeland Security (DHS) and CISA within 72 hours of the entity’s reasonable belief that a covered cyber incident has occurred.

A covered entity that makes a ransom payment due to a ransomware attack against the entity will be required to report that payment to DHS and CISA within 24 hours after making the payment.

Exception to cyber incident reporting

N/A

CIRCIA provides an exception to reporting requirements for entities that are already required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, as long as an agreement exists between CISA and the other agency.

Record keeping/data preservation

A designated operator must keep a record of the following information in Canada at any place prescribed by the regulations or at the designated operator’s place of business:

• any steps taken to implement its cybersecurity program;
• every cybersecurity incident reported by the designated operator;
• any steps taken to mitigate any supply-chain or third-party risks;
• any measures taken to implement a cybersecurity direction; and
• any matter prescribed by the regulations.

Covered entities must preserve data related to covered cyber incidents or ransom payments they report. CISA must determine the types of data to be preserved and the retention period for such data.

Confidentiality provisions

“Confidential information” is defined as information obtained under the CCSPA regarding a critical cyber system and which either concerns a vulnerability of the system or, if disclosed, could have a significant impact on a designated operator.

There is a general prohibition of disclosing confidential information, subject to a number of exceptions, including when the disclosure is:

• required by law;
• of publicly available information;
• consented to by the designated operator;
• of necessary for the protection of vital services, vital systems or critical cyber systems;
• made in accordance with the CCSPA or the Security of Canada Information Disclosure Act; or
• made under agreements or arrangements made between the regulators and certain government entities.

Reports that describe covered cyber incidents or ransom payments are kept confidential and do not constitute a waiver of any applicable privilege or protection provided by law regarding the information they contain. The reports are also exempt from federal, state or local freedom of information laws that could compel their disclosure.

Enforcement powers

Regulators may enter a place where they have reasonable grounds to believe that a CCSPA-regulated activity is being conducted, or a document, information or thing that is relevant to the CCSPA is located. Upon entry, regulators may, among other things:

• examine anything in that place;
• use any cyber system (or cause it to be used) to examine any information available to or contained in the system;
• prepare a document (or cause one to be prepared) based on the information;
• use any copying equipment in that place (or cause it to be used); and
• remove any document, record or cyber system to examine or copy it.

Moreover, regulators may order designated operators to conduct internal audits within specified parameters to determine whether the designated operator is in compliance with any provision of the CCSPA.

If CISA has reason to believe that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report it, CISA may request additional information from that entity to determine whether such an incident or payment occurred.

If the covered entity fails to respond to CISA’s request within 72 hours, CISA may issue a subpoena to compel disclosure of the information it seeks from that entity.

If the covered entity fails to comply with the subpoena, CISA may refer the matter to the Attorney General to bring a civil action to enforce the subpoena.

Penalties

The CCSPA proposes administrative monetary penalties and criminal sanctions for statutory offences. Both types of penalties include director and officer liability, where that individual directs, authorizes, assents to, acquiesces in or participates in a violation of the CCSPA.

Administrative monetary penalties for each violation may not exceed $1 million for individuals and $15 million for other cases.

Moreover, a violation of certain provisions in the CCSPA is a punishable offence. Individuals may be sentenced to up to two years on summary conviction or five years on conviction on indictment. For both convictions, individuals and corporations are liable for fines at the court’s discretion.

If the entity does not comply with an issued subpoena, CISA may refer the matter to the Attorney General who may bring a civil action. An entity’s failure to comply with the subpoena may be punishable by contempt. It is expected that more details of how enforcement provisions will be implemented will be developed during the rule-making process.