Banks report an increase in 'high impact' breaches as federal cybersecurity bill idles

The Office of the Superintendent of Financial Institutions says cyberattacks continue to grow in frequency and sophistication. (hedgehog94/Shutterstock - image credit)

The number of "high impact" cyber incidents reported by Canada's banks nearly tripled last year, according to the industry's watchdog.

The increase comes as a federal bill meant to protect Canada's critical systems — including financial systems — has been sitting idle in parliamentary limbo for months.

"We are concerned with that number growing," Tolga Yalkin, assistant superintendent at the Office of the Superintendent of Financial Institutions (OSFI), told a parliamentary committee studying the bill Monday evening.

First introduced in the spring of 2022, Bill C-26 would compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties. They'd also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems.

Yalkin told MPs the number of "priority one" attacks reported by banks in Canada jumped from about 10 incidents in 2022 to 28 in 2023.

"Priority ones are basically high-impact incidents that cause disruption of service or leakage of data," he said, adding that financial systems are expected to report cyber incidents to OSFI within 24 hours.

"We're eagerly watching to see whether or not the trajectory continues to grow. This is an area of risk for financial institutions."

Bill C-26 was sent to the committee in March of 2023, but MPs only began their study of the proposed legislation last month.

If passed, the bill also would allow the federal government to direct how private companies in critical industries respond to potential attacks. But that information is unlikely to be made public because the bill also prohibits organizations from revealing orders from Ottawa to fix their systems.

Privacy commissioner suggests tweaks to bill

So far, the committee has heard the bill is in need of improvements.

Yalkin was joined Monday night by Privacy Commissioner Philippe Dufresne, who suggested he supports the main goal of the bill but said it needs tweaks.

"Digital services that are delivered through cyber systems and telecommunications networks are central to the ways that we live, work and interact, and impact large volumes of personal information and data. That is why it is critical to protect Canada's cyber infrastructure from potential threats," he said during his opening remarks.

"We must ensure that efforts to secure these systems and networks also protect and respect Canadians' fundamental right to privacy. This is not a zero-sum game."

Dufresne pointed to sections of the bill that allow a specified person to collect and analyze information, including sensitive personal information that is held by banks, telecommunications operators and energy services providers.

He said the bill would allow for the sharing of that information with organizations such as intelligence agencies, provincial and foreign governments, and organizations established by foreign states.

Dufresne said those powers are broad and urged the committee to add stricter limits.