The Generals • FALL 2025 • Page 14
INNOVATION
The message from both governments is clear: critical infrastructure protection is a strategic imperative, and voluntary best practices are no longer sufficient. Organizations must demonstrate resilience, accountability, and compliance through documented cybersecurity programs and timely incident reporting.
90 days of notification, operators must design and implement a comprehensive cybersecurity program and submit it to the Canadian Centre for Cyber Security for annual review. These programs must systematically identify and mitigate risks, particularly those arising from third-party products and services.
Operators must report cybersecurity incidents to the Communications Security Establishment (the agency of which the Canadian Centre for Cyber Security is part) within 72 hours of discovery. Material changes in ownership, control, or use of third-party products and services require prompt notification to the appropriate regulator. All records of cybersecurity programs and incidents must be preserved and stored within Canada.
The legislation grants sector-specific regulators broad enforcement powers. The Office of the Superintendent of Financial Institutions oversees banking systems, the Bank of Canada manages clearing and settlement systems, and the Canadian Energy Regulator supervises interprovincial pipelines and power lines. The Canadian Nuclear Safety Commission regulates nuclear energy systems, while the Ministers of Industry and Transport oversee telecommunications and transportation, respectively.
Penalties and Enforcement
Non-compliance carries severe consequences. Corporate entities face penalties of up to $15 million per day for violations, while individuals may be fined up to $1 million daily. Officers and directors of
telecommunications providers could face criminal prosecution and imprisonment for violations of orders under the Telecommunications Act. Importantly, organizations will not receive compensation for financial losses resulting from compliance with government orders.
The government maintains the authority to issue confidential cybersecurity directives that operators must follow without disclosure. While Bill C-8 introduces updated judicial review procedures compared to its predecessor, organizations may have limited ability to challenge urgent national security orders.
The U.S. Context: CIRCIA and CISA
Canadian organizations with U.S. operations or connections to American critical infrastructure should also monitor developments under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Signed into law by President Biden in March 2022, CIRCIA mandates that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) develop regulations requiring covered entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours.
CISA released its Notice of Proposed Rulemaking in April 2024 and has extended the timeline for finalizing the rule to May 2026. The delay reflects the agency's efforts to streamline requirements and harmonize them with other federal cyber regulations. CIRCIA applies to entities across 16 critical infrastructure sectors, using both size-based and sector-specific criteria to determine coverage.
A covered cyber incident under CIRCIA includes substantial loss of confidentiality, integrity, or availability of information systems; serious impact on operational systems; disruption of business operations; or unauthorized access facilitated by technological vulnerabilities. Small businesses, as defined by the Small Business Administration, are generally exempt, though information technology companies meeting certain criteria must report regardless of size.
Cross-Border Implications
Canadian organizations operating in both countries must navigate potentially overlapping reporting obligations. While Bill C-8 requires 72-hour reporting to Canadian authorities for designated operators, CIRCIA imposes similar timelines for covered entities in the United States. Companies must develop incident