Canada Cyber Incident Disclosures: New Law for Critical Infrastructure Reporting?

canadian flag in front of modern building

A newly proposed law in Canada would require critical infrastructure owners and operators to report cybersecurity incidents to the federal government and to strengthen their defenses, according to a Reuters report.

The legislation named energy, finance, telecommunications and transportation as critical infrastructure. Affected operators and owners in those sectors will be identified after consulting with the sectors, said Marco Mendicino, Canada’s public safety minister. "There was a lot of thought given into identifying which sectors are vital to national security and public safety," he said. (via Reuters). "This new legislation ... will help both the public and private sectors better protect themselves against cyberattacks."

The bill, which is in its early stages and has yet to come up for debate, would extend to telecommunications carriers who would be prohibited from using gear made by high risk suppliers. Last month, Canada joined the U.S., U.K., Australia and New Zealand to no longer sanction use of equipment made by China’s Huawei and ZTE citing security concerns.

In the U.S., a similar measure that would require critical infrastructure businesses to report cyber incidents, such as a ransomware payment, to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, was not included as an amendment to the National Defense Authorization Act.

The cyber incident reporting measure would have also directed federal contractors–including MSSPs, MSPs and managed detection and response (MDR) service providers–to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of making a ransom payment. Many businesses, nonprofits, and state and local governments would have been included in that rider.

The now excluded cyber reporting segment of the NDAA sprung from an amendment proposal backed by Sens. Gary Peters (D-MI), who chairs the Homeland Security and Governmental Affairs Committee, Mark Warner (D-VA), Rob Portman (R-OH) and Susan Collins (R-ME). Its foundation is Peters’ earlier Cyber Incident Reporting Act and separate Federal Information Security Modernization Act of 2021 that would require critical public and private organizations to notify CISA within 24 hours of discovering the system compromise.

In early October, 2021, the U.S. Department of Justice launched a new action to slap hefty fines on government contractors, including MSSPs and MSPs, that fail to report a cybersecurity incident.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.