Canada faces near-tripling of bank cyber incidents amid delays in vital cybersecurity legislation
Canada's banking sector has experienced a marked increase in "high impact" cyber incidents, with reports nearly tripling last year, according to the industry's regulatory authority, as reported by CBC News.
This uptick in cybersecurity threats coincides with a notable delay in the progression of a critical federal cybersecurity bill, Bill C-26, which has remained stagnant in parliamentary proceedings for several months.
Initially introduced in the spring of 2022, Bill C-26 is designed to mandate significant cybersecurity enhancements across key sectors, including finance, telecommunications, energy, and transportation.
Failure to comply with these requirements could result in substantial penalties for companies, further emphasizing the bill's intent to fortify Canada's critical infrastructure against cyber threats. Additionally, the legislation requires the establishment of comprehensive cybersecurity programs capable of identifying and mitigating serious cyber incidents.
Tolga Yalkin, an assistant superintendent at the Office of the Superintendent of Financial Institutions (OSFI), expressed concerns over the increasing frequency of cyber incidents, particularly noting the surge in “priority one” attacks from about 10 in 2022 to 28 in 2023.
He defined “priority one” incidents as high-impact events that either disrupt services or lead to data breaches. Yalkin emphasized the requirement for financial institutions to report these incidents to OSFI within 24 hours, highlighting the significant risk they pose to the financial sector's integrity and security.
Bill C-26, which was forwarded to the committee in March of 2023, only began to be thoroughly examined by MPs in the previous month. The bill also proposes granting the federal government the authority to direct how private companies in critical industries respond to cyber threats.
However, it includes provisions that would prohibit these organizations from disclosing any government directives to remedy their cybersecurity systems, raising questions about transparency and oversight.
Privacy concerns have also been a focal point of discussions surrounding Bill C-26. Privacy Commissioner Philippe Dufresne supported the bill's primary objectives but advocated for modifications to ensure it does not infringe upon Canadians' privacy rights.
He highlighted the bill's allowance for specified individuals to collect and analyze sensitive personal information held by banks, telecommunications operators, and energy service providers.
Dufresne cautioned that the bill permits the sharing of this information with a wide array of entities, including intelligence agencies and foreign governments, suggesting that these powers are overly broad and recommending the imposition of stricter limitations.