Canadian Bill C-26 Introduces New Requirements for Federally Regulated Industries, Including Telecommunications

On June 14, 2022, the Minister of Public Safety of Canada, Marco Mendicino, introduced into Parliament the first reading of Bill C-26, An Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts (the “Bill”). The Bill amends the Telecommunications Act and enacts a new Act: the Critical Cyber Systems Protection Act (“CCSPA”), establishing a new cybersecurity compliance regime for federally regulated private industries and new powers for the Governor-in-Council and the Minister of Industry to order Canadian telecommunication services (“Telcos”) to take action to secure the protection of the Canadian telecommunications system, including against threats of interference, manipulation, or disruption. Noncompliance with either regime may result in high monetary penalties or imprisonment for individuals.

The Critial Cyber Systems Protection Act

The CCSPA introduces a new cybersecurity compliance regime for designated operators of critical cyber systems related to vital services and systems (“Designated Operators”). A critical cyber system is defined as a cyber system that, if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or system. Currently, the list of vital services and systems is comprised of the Canadian telecommunications system, the banking systems, and other federally regulated industries, such as energy and transportation. However, the Governor-in-Council may add new vital services and systems, and such Designated Operators will be governed by the CCSPA.

Under the CCSPA, Designated Operators must:

• establish a cybersecurity program (details of which are more fully provided in the CCSPA and its regulations) within ninety days of an order being made by the Governor-in-Council;
• implement and maintain a cybersecurity program, as well as annually review it;
• mitigate cybersecurity threats arising from their supply chains, or products and services offered by third parties;
• share their cybersecurity programs and notify appropriate regulators (namely, the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transportation) (the “Appropriate Regulators”) of material changes related to the business of Designated Operators and their cybersecurity programs;
• report cybersecurity incidents to the Canadian Security Establishment (the “CSE”);
• comply with and maintain the confidentiality of directions from the Governor-in-Council; and
• keep records related to the above.

To enforce these new obligations, the CCSPA grants to the Appropriate Regulators investigatory, auditing, and order-making powers, including issuing administrative monetary penalties (“AMPs”) of up to $1 million per day for individuals (such as directors and officers), and $15 million per day for other persons. Additionally, Designated Operators, and their directors and officers, may also be fined—or imprisoned if a director or officer—if either contravene specific provisions of the CCSPA; the amount of a fine is at the discretion of the federal court.

Telecommunication Act Amendments

The amendments to the Telecommunications Act (the “Amendments”) establish new order-making powers for the Governor-in-Council and the Minister of Industry (the “Minister”) to direct Telcos to take specific actions to secure the Canadian telecommunications system. Specifically, the Governor-in-Council may, by order,

• prohibit a Telco from using all the products and services offered by a specified person; and
• direct a Telco to remove all products provided by a specified person.

The Minister, after consultation with the Minister of Public Safety and Emergency Preparedness, may, by order,

• prohibit a Telco from providing services to a specified person; and
• direct a Telco to suspend any service to a specified person.

Additionally, the Amendments grant the Minister the power to direct Telcos to do anything or refrain from doing anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including the following:

• prohibiting Telcos from using any specified product in or in relation to Telcos’ network or facilities, or part thereof;
• prohibiting Telcos from entering service agreements for any product or service;
• requiring Telcos to terminate a service agreement;
• prohibiting the upgrade of any specified product or service; and
• subjecting the Telcos’ procurement plans to a review process.

Interestingly, Telcos will not be compensated for any financial losses resulting from these orders.

The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos’ compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000–$50,000 per day for individuals (such as directors and officers), and up to $10–$15 million per day for other persons. Moreover, contravention of orders or regulations may result in prosecution whereby the Telcos, and their directors and officers, may have to pay fines (whose amount is at the discretion of the court) or face imprisonment.

Information Sharing and Secrecy

The CCSPA and the Amendments require Designated Operators, Telcos, and any other person to share confidential information with the Appropriate Regulators, and Governor-in-Council and Minister, respectively, in furtherance of the objectives of the Bill. This confidential information may be shared with multiple federal government organizations, provincial and foreign counterparts, as well as international organizations, to pursue the objectives of the CCSPA and the Amendments. While these information exchanges will be governed by agreements and memorandums of understanding between the parties, the Minister may disclose the information if is necessary in the Minister’s opinion to secure the telecom system.

Given the national security purpose underlying this Bill, the secrecy of the orders is paramount. The orders from the Governor-in-Council and Minister may be subject to non-disclosure requirements. Moreover, for the sake of secrecy and expediency, the orders and directions of the Governor-in-Council and Minister do not follow the complete process outlined in the Statutory Instruments Act, and thus, are not registered, published, or debated in an open manner.

Recommendations

Given that the Bill has just been introduced, its passage is not guaranteed, and additional changes to the draft law may occur. However, and in the interim, if you are a provider of vital services and systems as described in the Bill, we recommend that you consider taking the following steps to improve your cyber resilience:

• Preemptively improve your security posture and processes to conform with the CSE’s best practices and guidance, or industry practices, and ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and
• given the secrecy and potential immediacy of Government orders and directives, Telcos and Designated Operators should draft contracts to flow down potential cyber security risks appropriately.

If you are a supplier of products and services related to the critical cyber systems of Designated Operators as described in the Bill, we recommend that you consider taking the following steps:

• Preemptively improve your security posture and processes as described immediately above in anticipation of more strenuous cybersecurity requirements requested by Designated Operators; and
• anticipate shouldering more risk when contracting with Designated Operators and consult with your insurance provider accordingly.