Politics

Banks report an increase in 'high impact' breaches as federal cybersecurity bill idles

MPs studying a cybersecurity bill aimed at protecting critical infrastructure like banks from devastating attacks heard Monday how the number of "high impact” cyber incidents hitting Canada’s financial institutions nearly tripled in the last year while the legislation sat in limbo.

First introduced in the spring of 2022, Bill C-26 would compel companies to shore up their systems

A older person with wrinkled hands, wearing a grey suit jacket, is shown holding a bank card in front of an ATM machine.
The Office of the Superintendent of Financial Institutions says cyberattacks continue to grow in frequency and sophistication. (hedgehog94/Shutterstock)

The number of  "high impact" cyber incidents reported by Canada's banks nearly tripled last year, according to the industry's watchdog.

The increase comes as a federal bill meant to protect Canada's critical systems — including financial systems — has been sitting idle in parliamentary limbo for months.

"We are concerned with that number growing," Tolga Yalkin, assistant superintendent at the Office of the Superintendent of Financial Institutions (OSFI), told a parliamentary committee studying the bill Monday evening. 

First introduced in the spring of 2022, Bill C-26 would compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties. They'd also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems. 

Yalkin told MPs the number of "priority one" attacks reported by banks in Canada jumped from about 10 incidents in 2022 to 28 in 2023.

"Priority ones are basically high-impact incidents that cause disruption of service or leakage of data," he said, adding that financial systems are expected to report cyber incidents to OSFI within 24 hours.

"We're eagerly watching to see whether or not the trajectory continues to grow. This is an area of risk for financial  institutions."

Bill C-26 was sent to the committee in March of 2023, but MPs only began their study of the proposed legislation last month. 

If passed, the bill also would allow the federal government to direct how private companies in critical industries respond to potential attacks. But that information is unlikely to be made public because the bill also prohibits organizations from revealing orders from Ottawa to fix their systems.

Privacy commissioner suggests tweaks to bill 

So far, the committee has heard the bill is in need of improvements. 

Yalkin was joined Monday night by Privacy Commissioner Philippe Dufresne, who suggested he supports the main goal of the bill but said it needs tweaks.

"Digital services that are delivered through cyber systems and telecommunications networks are central to the ways that we live, work and interact, and impact large volumes of personal information and data. That is why it is critical to protect Canada's cyber infrastructure from potential threats," he said during his opening remarks.

"We must ensure that efforts to secure these systems and networks also protect and respect Canadians' fundamental right to privacy. This is not a zero-sum game."

Dufresne pointed to sections of the bill that allow a specified person to collect and analyze information, including sensitive personal information that is held by banks, telecommunications operators and energy services providers.

He said the bill would allow for the sharing of that information with organizations such as intelligence agencies, provincial and foreign governments, and organizations established by foreign states.

Dufresne said those powers are broad and urged the committee to add stricter limits.

ABOUT THE AUTHOR

Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca

Add some “good” to your morning and evening.

Your weekly guide to what you need to know about federal politics and the minority Liberal government. Get the latest news and sharp analysis delivered to your inbox every Sunday morning.

...

The next issue of Minority Report will soon be in your inbox.

Discover all CBC newsletters in the Subscription Centre.opens new window

This site is protected by reCAPTCHA and the Google Privacy Policy and Google Terms of Service apply.