Research and Advocacy

Remarks on Part 2 of Bill C‑26, An Act to enact The Critical Cyber Systems Protection Act

Remarks by Angelina Mason, General Counsel and Senior Vice President, Legal & Risk, delivered to the House of Commons Standing Committee on Public Safety and National Security

Posted on: February 12, 2024

Good afternoon. I would like to thank the Committee for inviting us here today to provide our views on Part 2 of Bill C-26, An Act to enact The Critical Cyber Systems Protection Act.

My name is Angelina Mason, and I am General Counsel and SVP, Legal & Risk, at the Canadian Bankers Association. I am joined by my colleague, Charles Docherty, Assistant General Counsel and Vice-President, Legal & Risk.

The CBA is the voice of more than 60 domestic and foreign banks that help drive Canada’s economic growth and prosperity. The CBA advocates for public policies that contribute to a sound, thriving banking system to ensure Canadians can succeed in their financial goals.

Banks in Canada are leaders in cyber security and have invested heavily to protect the financial system and the personal information of their customers from cyber threats. We are also a highly regulated industry and comply with robust requirements from the Office of the Superintendent of Financial Institutions in respect of cyber risk management, supply chain and third-party risk management, and incident reporting.

The security of Canada’s critical infrastructure sectors is essential to protect the safety, security and economic well‑being of Canadians. The banking industry counts on other critical infrastructure sectors, such as telecommunications and energy, to deliver financial services for Canadians. We have encouraged the government to leverage and promote common industry cyber security standards that would apply to those within the critical infrastructure sectors and we support the government’s efforts to achieve this under the Act. We recognize that critical infrastructures such as energy cross jurisdictional boundaries, and we have also recommended that the federal government work with provinces and territories to define a cyber security framework across all critical infrastructure sectors.

Having consistent, well defined cyber security standards will provide for greater oversight and assurance that these systems are effective and protected. Protecting against state-sponsored and other threat actors requires a coordinated approach between the government and the private sector. The government can play a pivotal role, bringing together critical infrastructure partners and other stakeholders, and building upon existing efforts to respond to cyber threats.

While recognizing the importance of the Act, we need to get this right. Some of the proposed provisions need to be better tailored to address operational and other risk concerns including:

being able to leverage existing robust requirements of specific sectors like banks to mitigate against duplicative/inconsistent requirements,
providing greater safeguards for the protection of confidential information, and
improving the threshold and timing for cyber security incident reporting.

In addition, there should be appropriate guardrails for the invocation of the government’s very broad powers under the Act. Consistent with other legislation, the Act should also include “safe harbour” provisions that provide designated operators immunity from civil and criminal proceedings for good faith compliance with the Act’s reporting requirements and Cyber Security Directives.

Looking beyond mandatory incident reporting, the Act should also support broader voluntary sharing of incidents, cyber threat information, and expertise about cyber protection with the Communications Security Establishment (CSE) and among classes of designated operators, while including “safe harbour” provisions to enable this sharing without creating additional risk. Effective sharing of this type of information is a critical component to cyber resiliency and should be fostered through the Act. Finally, we believe that it is necessary to allow the CSE and CSIS to share relevant intelligence and information with the designated operators of critical cyber security infrastructure in Canada to help them effectively prevent and mitigate cybersecurity incidents.

We will be following up to provide the committee with additional written details on these recommendations. We want to work collaboratively with the government and with other sectors to ensure that Canada remains a safe, strong and secure country.

We look forward to your questions.

CBA Submission to the CSA/IIROC Consultation Paper on the Proposed Framework for Crypto-Asset Trading Platforms

Read the CBA’s remarks to the Finance Committee on the changes in Bill C-97 related to Anti Money Laundering and Anti-Terrorist Financing

Read the CBA’s remarks to the House of Commons Standing Committee on Access to Information, Privacy and Ethics re the privacy of digital government Services

Related articles