Banks report an increase in 'high impact' breaches as federal cybersecurity bill idles

The number of «high impact» cyber incidents reported by Canada's banks nearly tripled last year, according to the industry's watchdog.

The increase comes as a federal bill meant to protect Canada's critical systems — including financial systems — has been sitting idle in parliamentary limbo for months.

«We are concerned with that number growing,» Tolga Yalkin, assistant superintendent at the Office of the Superintendent of Financial Institutions (OSFI), told a parliamentary committee studying the bill Monday evening.

First introduced in the spring of 2022, Bill C-26 would compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties. They'd also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems.

Yalkin told MPs the number of «priority one» attacks reported by banks in Canada jumped from about 10 incidents in 2022 to 28 in 2023.

«Priority ones are basically high-impact incidents that cause disruption of service or leakage of data,» he said, adding that financial systems are expected to report cyber incidents to OSFI within 24 hours.

«We're eagerly watching to see whether or not the trajectory continues to grow. This is an area of risk for financial institutions.»

Bill C-26 was sent to the committee in March of 2023, but MPs only began their study of the proposed legislation last month.

If passed, the bill also would allow the federal government to direct how private companies in critical industries respond to potential attacks. But that information is unlikely to be made public because the bill also prohibits organizations from revealing orders from