The first reading of Bill C-26 in Parliament took place in June 2022. The full title of the Bill is:
“Act Respecting Cyber Security, amending the Telecommunications Act and making consequential amendments to other Acts”.
Bill C-26 is also referred to as “ARCS” for short.
If you want to dig into the actual wording of the bill, have a gander at it here.
The bill does a few things. The first is to amend the Telecommunications Act. The second is to enact the Critical Cyber Systems Protection Act (CCSPA).
In this post I will discuss how the CCSPA will affect the Banking System.
How the CCSPA will affect Banking Systems and Clearing and Settlement Systems
Scope
Banking Systems and Clearing and Settlement Systems have been identified in the legislation as systems that are vital to national security and/or public safety.
The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation.
The use of the term “banking system” in the legislation suggests that other federal financial institutions, such as insurers, are outside the scope of the designation power.
Responsible Regulator
- OSFI (Office of the Superintendent of Financial Institutions) in respect of banking systems.
- The Bank of Canada in respect of clearing and settlement systems.
- The Communications Security Establishment (CSE), Canada’s national cryptologic agency.
Cybersecurity Programs
Designated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
1. Include reasonable steps to identify and manage organizational cybersecurity risks;
2. Include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts;
3. Be reviewed and updated annually, or more frequently if specified by regulation; and
4. Be filed with OSFI/Bank of Canada, including notices of any updates to the CSP following periodic reviews.
For banking systems operators, the CSP requirements of the CCSPA will be in addition to the technology and cyber risk management requirements for financial institutions under OSFI’s draft Guideline B-13: Technology and Cyber Risk Management, which OSFI announced earlier this month will soon be published in final form.
For clearing and settlement systems operators, the requirements of the CCSPA will complement the Bank of Canada’s Expectations for Cyber Resilience of Financial Market Infrastructures published in October 2021.
Supply Chain Management
Designated operators must take reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP.
While the CCSPA introduces obligations to mitigate cyber risks related to a designated operator’s supply chain, federal financial institutions are already subject to OSFI’s expectations in respect of third-party risk management, as set out in OSFI’s recently updated draft Guideline B-10: Third-Party Risk Management.
Change of Control Reporting
Designated operators are required to notify OSFI or the Bank of Canada, as applicable, of any material changes to ownership and/or control, as well as to their supply chain or use of third-party products and services.
Although federal financial institutions are already subject to approval requirements in respect of change of control, and clearing and settlement systems must comply with broad notice and approval requirements under the PCSA, the notice requirement under the CCSPA is remarkably broad, given that it uses a material change as the threshold for notice. It remains to be seen how OSFI and the Bank of Canada will practically administer this requirement so that the flow of information remains manageable both for the designated operators and the regulators themselves.
Cybersecurity Incident Reporting
Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or with the confidentiality, integrity or availability of the critical cyber system.
First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify OSFI or the Bank of Canada, as applicable, “immediately after reporting a cybersecurity incident” to the CSE.
The reporting requirement under the CCSPA will be in addition to the current obligation for federal financial institutions to report a technology or cyber security incident to OSFI under OSFI’s Technology and Cyber Security Incident Reporting Advisory. The definition of a reportable incident under these two regimes is similar but not identical.
Recordkeeping
Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA.
These required records must be kept in Canada in accordance with additional guidance that may be established by OSFI/Bank of Canada or regulations.
Compliance with Directions
The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system.
OSFI and the Bank of Canada are also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA.
Disclosure Restrictions on Confidential Information
The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or OSFI/Bank of Canada under the CCSPA is also generally prohibited.
Both financial institutions and clearing and settlement systems will be familiar with restrictions on disclosure of supervisory information under their governing legislation, although the CCSPA regime is somewhat more nuanced and several exceptions apply.
Inspections and Audits
OSFI and the Bank of Canada, as applicable, are granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator.
OSFI and the Bank of Canada, as applicable, may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA.
Enforcement
Enforcement of the CCSPA includes an administrative monetary penalties regime for noncompliance with the legislation.
Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation.
Similar to other financial institutions legislation, the CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding.
The range of penalties is to be prescribed by regulation, but the CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers.
Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.
The CCSPA also authorizes OSFI and the Bank of Canada, as applicable, to enter into compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA.
First off, let me state that I am not an expert in the financial system, or existing regulations, despite working with finserv organizations for many years from an architectural standpoint. So I will do my best to break down and interpret the scope and breadth of the applicability of the CCSPA to financial services organizations in Canada.
So let’s talk about the scope. The terms Banking Systems and Clearing and Settlement Systems refer to the following:
A network of COMMERCIAL BANKS and other more specialized BANKS (INVESTMENT BANKS, SAVINGS BANKS, MERCHANT BANKS) which accept deposits and savings from the general public, firms and other institutions, and which provide money transmission and other financial services for customers, operate loan and credit facilities for borrowers and invest in corporate and government securities.
Canada has 81 banks in total, and 5,907 bank branches across the country. These are divided into two main categories. There are five national banks, which are commonly referred to as Canada’s “Big Five”. These include:
- Bank of Montreal (BMO)
- Royal Bank of Canada (RBC)
- Toronto Dominion Bank (TD)
The sixth-largest bank is the National Bank of Canada (Banque Nationale du Canada).
These Canadian banks are multinational financial conglomerates with a large division in Canada.
The second-level banks of the banking sector are smaller in scale. Examples of these are Alterna Bank, Duo Bank, Laurentian Bank, Tangerine Bank, and VersaBank.
Second-tier organizations in the Canadian banking system include either domestic banks or foreign bank subsidiaries.
There are 35 domestic banks in the banking industry of Canada. Under Canada’s Bank Act, these are classified as Schedule I banks. Such banks include Canadian Tire Bank, Haventree Bank, Motus Bank, and Toronto Dominion Bank.
Schedule II banks are subsidiaries of foreign banks, of which there are 15 in Canada. These include Bank of China, Citibank Canada, and J.P. Morgan Canada.
Schedule III banks are branches of foreign banks. There are 27 of these banks in Canada. They include Barclays Bank PLC, Deutsche Bank AG, and Mizuho Bank.
Clearing and Settlement Systems:
A clearing and settlement system brings together various financial system participants in a common arrangement, such as a clearing house, where the participants are explicitly interlinked so that the behaviour of one participant can have implications for others.
Three systems have been designated by the Bank of Canada:
- the Large Value Transfer System (LVTS), which deals with large-value Canadian-dollar payments. There are 16 participants in the LVTS (https://en.wikipedia.org/wiki/Large_Value_Transfer_System).
- CDSX, which clears and settles securities transactions. There are 100 participants in CDSX (https://www.cds.ca/participants/participant-services/participant-list).
- CLS Bank, a global system for the settlement of foreign-exchange transactions including the Canadian dollar. CLS Bank is overseen collaboratively by the central banks whose currencies are included in the system, with the U.S. Federal Reserve acting as lead overseer. All six major Canadian banks use CLS Bank as one means of settling their eligible FX transactions.
Now that we have determined the scope, what are these entities required to do?
1. Within 90 days of Bill C-26 being enacted, a cybersecurity program (CSP) needs to be established.
   - The CSP should include steps to identify and remediate cybersecurity risks. This should include a risk management practice that keeps a continual watch on threats, where the organization is vulnerable, the likelihood of a breach and the impact thereof. There should also be a plan in place to increase the security posture over time and to limit the attack surface.
   - Annual reviews (at a minimum) of the CSP, with updates provided to OSFI and the Bank of Canada.
2. OSFI has already issued a technology and cyber risk management guideline (B-13) for the banking system, and it overlaps with C-26 in places. Both must be adhered to; where they do not overlap, each adds its own requirements.
   - The Bank of Canada has published a document that covers cyber resilience for clearing and settlement (Expectations for Cyber Resilience of Financial Market Infrastructures). C-26 will also need to be adhered to in addition.
3. Any changes to the ownership or control of the organization require OSFI to be informed. This also applies to any changes within the supply chain.
4. Any cybersecurity incident will have to be reported immediately to the Communications Security Establishment (CSE), and then, immediately afterwards, to OSFI.
5. All records of cybersecurity incidents, including logs and reports, need to be kept for a period of time defined by OSFI, and they must remain in Canada.
The penalties for non-compliance can be pretty severe, with a maximum of $15M for organizations and up to $1M for the directors and officers of the organization. It could also end in criminal prosecution and imprisonment. So there is a very big incentive to follow the regulations here.
The legislation will improve the security posture of critical infrastructure in Canada, and something had to be done quickly and forcefully.
There is a full-scale global cyber war ongoing right now and it is not a matter of “if”, but “when” any given organization is breached. How well they are prepared will determine their continued viability as an entity. It’s like being told that a hurricane is coming and everybody needs to board up their homes. Whether or not it’s possible with the resources, time and skills at hand, remains to be seen for many.
However, the onus is left on organizations to figure it out in very short order, and there is a massive shortage of staff with sufficient capabilities in the market. This is where an external company that focuses on cybersecurity can come in and address all of the requirements of Bill C-26 in a short period of time. I’ll write another article that describes in detail how they can do it, but in the meantime, have a look here.