October 4, 2022
Here’s how proposals for stricter cyber security regulations and oversight could change the Energy & Utilities landscape in Canada.
Bill C-26, also known as An Act Respecting Cyber Security (ARCS), was introduced in June 2022. The bill contains two parts, both of which are generally designed to protect Canada’s cyber infrastructure from attackers or other system failures.
Part one is an amendment to the Telecommunications Act giving regulators more administrative and monetary authority to ensure the security of Canada’s telecommunications networks. Part two, which is the primary focus of this article, would enact the Critical Cyber Systems Protection Act (CCSPA), which gives special designation to four industries as being “vital to national security and public safety,” thus requiring companies in these sectors to adhere to stricter cyber security standards in Canada. They are:
This means energy and utilities companies must act swiftly to prepare to navigate the changing cyber security landscape and remain compliant.
With the introduction of Bill C-26, there is much more focus on critical infrastructure when it comes to cyber security.
Consider the example of a cyber security breach that causes broad system shutdowns at a company operating critical infrastructure like pipelines or power lines. Now consider that this infrastructure spans multiple provinces or even countries. With the advent of the CCSPA, the Government of Canada is signaling in no uncertain terms that protecting this kind of infrastructure is a top priority.
If you work in the energy and utilities industry, you should expect to be held to a higher standard of cyber resilience.
Designated operators must comply with four key requirements under CCSPA. You must:
Each of Canada’s vital industries under the CCSPA has a designated regulator with broad authority to verify compliance and enforce new and existing mandates. For example, they can:
For the energy and utilities industry, the regulators that hold this authority are the Canada Energy Regulator and the Canadian Nuclear Safety Commission.
The proposed Bill C-26 also has stricter provisions for security incident reporting. It’s mandatory to report all incidents that could impact your critical infrastructure to the Communications Security Establishment, as well as the regulator overseeing your industry.
Maximum penalties for non-compliance and violations of the CCSPA can reach $15 million, which is a significant fine. Beyond monetary penalties though, regulators can initiate investigations and proceedings that can lead to fines and even possible imprisonment.
This is becoming an increasingly time-sensitive and urgent challenge for energy and utilities companies — your company cannot afford to be reactive if Bill C-26 is passed into law, nor can it afford to risk violating the stricter and more demanding cyber security requirements.
Fortunately, there are some things you can do now to prepare your business for this new cyber security landscape: