Thank you.
Good evening.
I would like to thank the committee for inviting us here today to provide our views on part 2 of Bill C-26, an act to enact the critical cyber systems protection act.
My name is Angelina Mason, and I am general counsel and SVP of legal and risk at the Canadian Bankers Association. I am joined by my colleague, Charles Docherty, assistant general counsel and vice-president, legal and risk.
The CBA is the voice of more than 60 domestic and foreign banks that help drive Canada's economic growth and prosperity. The CBA advocates for public policies that contribute to a sound, thriving banking system to ensure Canadians can succeed in their financial goals.
Banks in Canada are leaders in cybersecurity and have invested heavily to protect the financial system and the personal information of their customers from cyber-threats. We are also a highly regulated industry and comply with robust requirements from the Office of the Superintendent of Financial Institutions in respect of cybersecurity risk, supply chain and third party risk management, and incident reporting.
The security of Canada's critical infrastructure sectors is essential to protect the safety, security and economic well-being of Canadians. The banking industry counts on other critical infrastructure sectors, such as telecommunications and energy, to deliver financial services for Canadians. We have encouraged the government to leverage and promote common industry cybersecurity standards that would apply to those within the critical infrastructure sectors, and we support the government's efforts to achieve this under the act. We recognize that critical infrastructure, such as energy, crosses jurisdictional boundaries. We have also recommended that the federal government work with provinces and territories to define a cybersecurity framework across all critical infrastructure sectors.
Having consistent, well-defined cybersecurity standards will provide for greater oversight and assurance that these systems are effective and protected. Protecting against state-sponsored and other threat actors requires a coordinated approach between the government and the private sector. The government can play a pivotal role in bringing together critical infrastructure partners and other stakeholders and building upon existing efforts to respond to cyber-threats.
While recognizing the importance of the act, we need to get this right. Some of the proposed provisions need to be better tailored to address operational and other risk concerns, including being able to leverage existing robust requirements of specific sectors, like banks, to mitigate duplicative or inconsistent requirements, providing greater safeguards for the protection of confidential information, and improving the threshold and timing for cybersecurity incident reporting.
In addition, there should be appropriate guardrails for the invocation of the government's very broad powers under the act. Consistent with other legislation, the act should also include safe harbour provisions that provide designated operators immunity from civil and criminal proceedings for good-faith compliance with the act's reporting requirements and cybersecurity directives.
Looking beyond mandatory incident reporting, the act should also support broader voluntary sharing of incidents, cyber-threat information and expertise about cyber-protection with the Communications Security Establishment and among classes of designated operators, while also including safe harbour provisions to enable this sharing without creating additional risk. Effective sharing of this type of information is a critical component to cyber-resiliency and should be fostered through the act.
Finally, we believe it is necessary to allow the CSE and CSIS to share relevant intelligence and information with designated operators of critical cybersecurity infrastructure in Canada to help them effectively prevent and mitigate cybersecurity incidents.
We will be following up to provide the committee with additional written details on these recommendations. We want to work collaboratively with the government and with other sectors to ensure that Canada remains a safe, strong and secure country.
We look forward to your questions.