Serious IT incidents in Canadian financial sector almost tripled in 2023

Canadian federal financial institutions suffered almost three times as many serious reportable IT incidents in 2023 as in the year before, a parliamentary committee debating proposed cybersecurity legislation for overseeing the country’s critical infrastructure providers was told Monday.

In 2023, there were 28 Priority 1 incidents reported to the Office of the Superintendent of Financial Institutions (OSFI), compared to 2022, when there were only 10 Priority 1 incidents reported.

Priority 1 covers “high impact incidents that cause disruption of service or leakage of data,” Tolga Yalkin, an assistant superintendent at the OSFI, told MPs. The agency later clarified to IT World Canada that a Priority 1 incident covers various sources of potential technology disruption, including but not limited to cyber-attacks.

The OSFI oversees 400 federally-regulated institutions, including 80 banks and 43 trust companies, as well as insurance companies.

The release of the two numbers is a rare view into the extent of serious IT incidents suffered by federally regulated Canadian banks, trust companies, and insurance firms.

“We are concerned with that number growing,” Yalkin told MPs. “We are tracking it very carefully. We are eagerly watching to see whether or not the trajectory continues to grow. This [cybersecurity] is an area of risk for financial institutions.”

Yalkin was testifying before the House of Commons national security committee looking into Bill C-26, which would force designated banks, telecommunications companies, and interprovincial transportation and energy firms to meet certain cybersecurity standards to protect their IT networks and report incidents to the government.

The legislation would impose some obligations on Canadian banks. But, Yalkin said, banks already have to follow OSFI cybersecurity risk management guidelines.

Bill C-26 has two parts: One would amend the Telecommunications Act to give the federal cabinet and the Minister of Industry the power to order designated telecom providers to do “anything” to secure their systems against a range of threats.

The bill would also create the Critical Cyber Systems Protection Act (CCSPA), which would apply to other critical infrastructure providers. Initially, these would be limited to banking, financial clearing firms, interprovincial transport and energy companies, and nuclear power operators. Similar to the Telecommunications Act changes, it would create a cyber security compliance regime for designated firms. Included would be a requirement to report cyber incidents “immediately” to the Canadian Security Establishment (CSE), the branch of the Defence Department responsible for government cybersecurity.

Industry witnesses have worried about having to report serious incidents immediately, preferring the law or regulations follow the American practice of reporting to government regulators within 72 hours. The U.S. Federal Communications Commission just modified its data breach notification rules for telcos there to 30 days.

Also at Monday’s committee meeting, a University of Toronto IT professor emeritus called C-26 “a very one-sided bill” that allows CSE to gather too much sensitive information.

CSE has a “boundless appetite for data collection,” Andrew Clement told the committee.

The proposed legislation needs “substantial” amendments to ensure the “sweeping and secretive powers it grants the government do not override other equally vital values such as privacy, freedom of expression, judicial transparency and government accountability.”

Eric Smith, senior vice-president of the Canadian Telecommunications Association (CTA), which represents the country’s major telcos, said the legislation allowing the Industry minister to order telcos to do — or not do — anything in the name of security “could be broadly interpreted.”

That could range from cutting off service to an organization or individual, he said, or putting equipment on a telco’s network that would weaken encryption or intercept communications. The CTA is asking MPs to amend C-26 to give the government only the power to issue “reasonably necessary” orders to telcos. The law should also say compliance orders can only be made after the Industry minister has consulted with a list of experts — some of whom may be in the government — to ensure the orders are proportionate to the risk. An order should only have a limited impact on a telco’s service availability, the CTA says, and should be economically and operationally feasible for affected service providers.

Even without C-26, in 2022 the government ordered telcos to remove some equipment from specific companies, Smith noted. That was a reference to the removal of equipment made by China’s Huawei and ZTE.

The CTA is asking that C-26 be amended so carriers can at least ask the government for compensation if they have to remove or add networking gear.

It is also asking that the legislation allow a carrier a due diligence defence – that it tried to protect its IT network in good faith – if the government alleges the carrier violated an order. A due diligence defence is allowed for other critical infrastructure providers, Smith noted.

Federal privacy commissioner Philippe Dufresne asked for several changes to C-26, including limiting the ability of the government to share sensitive information that critical infrastructure providers would have to hand over to CSE with other departments or foreign governments; and that the government would have to report to him or Parliament the number and purpose of secret orders it issues under the law to a critical infrastructure provider.

Angelina Mason, general counsel and senior vice-president of the Canadian Bankers Association, which represents 60 of the country’s banks, asked MPs to add greater safeguards for the protection of confidential information banks would have to give the government; protect banks from civil and criminal prosecution for good faith compliance with the act’s reporting requirements and cybersecurity directives; and make the government share its cybersecurity information with the private sector.

The post Serious IT incidents in Canadian financial sector almost tripled in 2023 first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
