The number of “high-impact” cyber incidents reported by Canadian banks nearly tripled last year, according to the industry watchdog.
The increase comes as federal legislation aimed at protecting Canada’s critical systems, including the financial system, has languished in Parliament for months.
“We are concerned that the number is increasing,” Tolga Yalkin, assistant supervisor at the Office of the Superintendent of Financial Institutions (OSFI), told a parliamentary committee considering the bill on Monday night.
Bill C-26, first introduced in spring 2022, would force companies in the financial, telecommunications, energy and transport sectors to harden their cyber systems against attacks or face steep fines. It is also expected to establish a cyber security program that can detect major incidents and protect critical cyber systems.
Yalkin told MPs that the number of “Priority 1” attacks reported by Canadian banks jumped from about 10 in 2022 to 28 in 2023.
“Priority is primarily given to high-impact incidents that cause service disruptions or data breaches,” he said, adding that financial systems are expected to report cyber incidents to OSFI within 24 hours.
“We are keen to see if this trajectory continues to grow. This is an area of risk for financial institutions.”
Bill C-26 was sent to committee in March 2023, but MPs only began considering the bill last month.
If passed, the bill would allow the federal government to dictate how private companies in critical industries respond to potential attacks. But the bill also prohibits organizations from disclosing orders from Ottawa to fix their systems, so that information is unlikely to be made public.
Privacy Commissioner proposes bill tweaks
So far, the committee has heard that the bill needs improvement.
Yalkin was joined Monday night by Privacy Commissioner Philippe Dufresne, who signaled support for the bill’s main goals but said it needed amendments.
“Digital services delivered through cyber systems and telecommunications networks are central to how we live, work and interact, and impact large amounts of personal information and data. It is important to protect against serious threats,” he said in his opening remarks.
“We must ensure that our efforts to secure these systems and networks protect and respect Canadians’ fundamental right to privacy. This is not a zero-sum game.”
Dufresne pointed to provisions in the bill that would allow certain people to collect and analyze information, including sensitive personal information, held by banks, telecommunications carriers and energy service providers.
He said the bill would allow that information to be shared with organizations such as intelligence agencies, state and foreign governments, and organizations established by foreign states.
Mr. Dufresne said these powers were broad and called on the commission to add stricter restrictions.