Thank you very much, Mr. Chair.
This is regarding the issue of Bill C-26 and to ask whether it needs operators to immediately report a cybersecurity incident.
The reality is that we heard testimony from the Canadian Chamber of Commerce and other witnesses about a 72-hour reporting period, with “immediate” being defined as 72 hours.
It's important to note that in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act also talks about a 72-hour reporting time frame.
Our witnesses said very clearly that “immediately” made it potentially difficult for them to resolve the issue and to respond to the cyber-attack, because they would be concerned about the impacts of not reporting in that immediate time frame. A 72-hour window would provide the ability to combat the cybersecurity incident and do the reporting in a very timely way.
I'd like to move what we heard from witnesses and move NDP-10 to essentially provide an amendment such that the designated operator must report the cybersecurity incident within 72 hours from the time the operator reasonably believes the incident occurred.