Skip to content

Canada's Business and Tech Newsroom

  • Professional Subscription
  • Partnerships & Advertising
  • Licensing & Syndication
Log In Subscribe
Welcome,
  • My Account
  • Log Out
  • Business
  • Tech
  • National
  • The Big Read
  • Briefings
  • Commentary
Search
Log In Subscribe
Welcome,
  • My Account
  • Log Out
News

Lack of ransomware reporting puts Canadian cyber bill out of step with U.S. law

OTTAWA — Ransomware is the most disruptive cybercrime in Canada and one of the most worrying of all cyber threats, according to the federal cyber-defence agency, but the Liberals’ bill to address those threats won’t require companies that pay ransoms for their own data to tell the authorities.

That gap is acknowledged in federal documents The Logic obtained through an access-to-information request, a multi-part package of briefing material prepared for Public Safety deputy minister Shawn Tupper.

News

Lack of ransomware reporting puts Canadian cyber bill out of step with U.S. law

Coordination with Americans crucial, federal documents say, while admitting inconsistencies

By David Reevely
The Ottawa headquarters of the Communications Security Establishment, which maintains a dedicated cybersecurity unit. Photo: The Canadian Press/Sean Kilpatrick
Jul 25, 2023
A A
A Small A Medium A Large
Share

Gift

Share

OTTAWA — Ransomware is the most disruptive cybercrime in Canada and one of the most worrying of all cyber threats, according to the federal cyber-defence agency, but the Liberals’ bill to address those threats won’t require companies that pay ransoms for their own data to tell the authorities.

That gap is acknowledged in federal documents The Logic obtained through an access-to-information request, a multi-part package of briefing material prepared for Public Safety deputy minister Shawn Tupper.

Talking Points

  • Canada’s stalled bill on cybersecurity wouldn’t make companies that pay off ransomware attackers notify federal authorities, unlike the equivalent U.S. law
  • Cyber authorities say ransomware is the biggest cyber threat to most Canadians, and most attacks end with victims paying the perpetrators

He was to chair a top-level meeting last November with Chris Inglis, who was then the U.S. national cyber director, and his scripted notes emphasized just how much the proposed Critical Cyber Systems Protection Act—part of Bill C-26, which Public Safety Minister Marco Mendicino tabled in June 2022—is like an American version that President Joe Biden had signed the previous March.

Cyber threats cross borders, and Canadian critical infrastructure is “intimately intertwined with that of you, our American neighbours to the south,” so it’s important that Canadian and U.S. laws line up, Tupper’s script said.

“While I won’t go into the details here, [Bill C-26] is consistent with the United States’s Cyber Incident Reporting for Critical Infrastructure Act of 2022,” Tupper’s script said. 

Yet also in the package was a comparison chart of the U.S. law and the Canadian bill, on which several key points of difference were marked with big Xs.

If the Canadian bill passes—it has not yet been taken up by a House of Commons committee for close examination—it will give Canadian authorities some powers regulators in the U.S. don’t have, such as requiring critical infrastructure operators to develop cybersecurity plans or to do specific things to avert or mitigate threats. 

Related Articles

Shortage of cybersecurity workers a ‘crisis’ at apex of federal government

By David Reevely

TransUnion staggers under load of customers seeking credit monitoring after cyberattack

By David Reevely

But the Canadian side of the chart had more gaps when lined up against the U.S. regime: No requirement to report ransomware payments. No task force on ransomware or active efforts to find vulnerabilities. No requirement for cyberattack victims to keep Canadian authorities apprised of new developments after an initial report. And no provisions to keep the contents of companies’ reports of their own breaches from being used against them in lawsuits.

If the government wants to change this, the public servants who prepared the document advised, it will need to amend its bill.

Some companies do have legal obligations to report cyber breaches to privacy commissioners (when private data has been stolen and there’s a “real risk of significant harm”) or the Office of the Superintendent of Financial Institutions. But not to police or cyber-defence authorities.

Given several days, Public Safety Canada could not explain to The Logic why Bill C-26 doesn’t include requirements to report ransomware payments.

The scale of the ransomware problem in Canada is huge. In its basic form, hackers break into a target’s computers and lock up either its systems or critical data, offering to return them for a fee. Sometimes the bad actors sell data they’ve stolen or threaten to expose a target for having lax security around customers’ private information.

“Ransomware is one of the most impactful cyber threats in Canada, benefiting significantly from the specialized cybercrime economy and the growing availability of stolen information,” the Communications Security Establishment (CSE) reported in its most recent public threat assessment.

High-profile recent targets include Indigo and Superior Plus propane. Other recent victims of cyberattacks that exposed customer data—the details of which are often kept murky—include Mackenzie Investments and Sun Life.

Those are just cases that have become public. Earlier in July, the cyber-law group at Blake, Cassels & Graydon estimated that ransomware accounted for nearly 70 per cent of cybersecurity incidents in Canada last year—and two-thirds of the targeted organizations ended up paying off the attackers, up from 56 per cent the year before.

Under Bill C-26, those ransom payments would not have to be reported, unlike in the United States.

“I’m always surprised at governments’ surprise when I talk about things that I see that they don’t,” said Ian Paterson, CEO of cybersecurity firm Plurilock, in an interview with The Logic. “The industry would be better overall if the people who can do something about ransomware—a.k.a. nation-states—had all of the details to make informed decisions about how to allocate resources to try and make it stop.”

If the Canadian Centre for Cyber Security (a unit within the CSE, which answers to the defence minister) had more information about ransomware attacks, it could spot patterns and potentially identify attackers sooner, he said.

But there’s a collective-action problem. “Everybody in industry recognizes that the community is better off the more disclosure that happens,” Paterson said. “But nobody wants to go first. They want to get the data; they don’t want to give the data.”

Firms would have legitimate concerns about reporting breaches to the CSE, which supplies technical expertise to authorities such as privacy commissioners, who might seek to penalize companies for being lax with data.

Gift the full article

“You have an agency that might be building a case against you, and therefore you don’t actually want to talk to them,” Paterson said.

They also might worry their reports of their own breaches might be revealed or leaked, he said—a very bad outcome for a company that has paid a ransom to keep the breach quiet, but one that’s less worrying than it used to be.

“For better or worse, because everybody’s getting hacked, I don’t think it matters as much as it did a couple years ago,” Paterson said.

#Communications Security Establishment #cybersecurity #ransomware

Loading...

Thanks for sharing!

You have shared 5 articles this month and reached the maximum amount of shares available.

Close
This account has reached its share limit.

If you would like to purchase a sharing license please contact The Logic support at [email protected].

Close
Want to share this article?

Upgrade to all-access now

Close
Gift the full article!

You have gifted 0 article(s) this month and have 5 remaining.

Copy link and gift
Copy Link
Email to a friend
Send Email
Gift on Social Media

Recipients will be able to read the full text of the article after submitting their email address. They will not have access to other articles or subscriber benefits.

Photo: The Canadian Press/Sean Kilpatrick

Most Popular This Week

Exclusive

PCO clerk Sabia stayed on Mastercard Foundation board for a year with no conflict screen

By Joanna Smith
Nakisa CEO Babak Varjavandi in a screencapture from the floor of a tech show. He's wearing a suit jacket and open-collared shirt.
News

Canadian firms are ready to help with digital sovereignty. Their challenge is getting approved

By Laura Osman
A shot of a small rocket sitting on a launch pad attached to its launch equipment. The backdrop is open sea and a light blue sky.
News

Canada’s submarine decision just paid off for Nova Scotia’s spaceport

By David Reevely
An aerial photo of Kearny mine, a mine surrounded by dense forest, with terraced rock walls that surround a deep blue body of water.
News

Canada bets on graphite as allies scramble for critical minerals

By Anita Balakrishnan

In-depth, agenda-setting reporting

Great journalism delivered straight to your inbox.

A shot of a sign bearing the Pfizer logo, with a lowrise office building in the background.
News

So far, foreign-owned firms have dominated Buy Canadian contracts

By Laura Osman

Briefing

Thomson Reuters sells majority stake in book business for US$500M

By Anita Balakrishnan   |   Jul 14, 2026 | 3:13 PM ET

Sabia upholding ‘highest standards of integrity’ after double duty with Mastercard Foundation, PMO says

By David Reevely   |   Jul 14, 2026 | 2:19 PM ET

CPP Investments backs German defence startup Helsing’s US$1.8B funding round

By Catherine McIntyre   |   Jul 13, 2026

Best business newsletter in Canada

Get up to speed in minutes with insights and analysis on the most important stories of the day, every weekday.

Exclusive events

See the bigger picture with reporters and industry experts in subscriber-exclusive events.

Membership in The Logic Council

Membership provides access to our popular Slack channel, participation in subscriber surveys and invitations to exclusive events with our journalists and special guests.

Recent Popular Stories

Commentary: Quebec Ink

Quebec’s era of endless, cheap electricity is coming to an end

By Martin Patriquin   |   Jul 6, 2026
A cityscape featuring two tall buildings; the right one has a large orange "Q" logo and a Quebec flag atop. The sky is clear and blue.
Exclusive

PCO clerk Sabia stayed on Mastercard Foundation board for a year with no conflict screen

By Joanna Smith   |   Jul 13, 2026
News

Canada’s submarine decision just paid off for Nova Scotia’s spaceport

By David Reevely   |   Jul 8, 2026
A shot of a small rocket sitting on a launch pad attached to its launch equipment. The backdrop is open sea and a light blue sky.
News

Canada bets on graphite as allies scramble for critical minerals

By Anita Balakrishnan   |   Jul 7, 2026
An aerial photo of Kearny mine, a mine surrounded by dense forest, with terraced rock walls that surround a deep blue body of water.
News

Meta to spend $13B on sprawling Alberta data-centre complex

By Meghan Potkins   |   Jul 8, 2026
An aerial-style rendering of a massive data centre on a prairie landscape of farm fields and trees.
News

Alberta wants to be a model for government AI and power Canada-wide adoption

By Murad Hemmadi   |   Jul 10, 2026
A shot of Nate Glubish at a lectern, against a backdrop of exposed brick partly covered by a white film screen.

Canada's most influential executives and policymakers are reading The Logic

  • CPP Investments
  • Sun Life Financial
  • C100
  • Amazon
  • Telus
  • Mastercard
  • bdc
  • Shopify
  • Rogers
  • RBC
  • General Motors
  • MaRS
  • Government of Canada
  • Uber
  • Loblaw Companies Limited
logic-logo

Canada's Business and Tech Newsroom

100% human-crafted journalism

Newsroom

  • News Tips
  • AI Policy
  • Editorial Disclosures
  • Story Pitches

Company

  • About Us
  • Terms of Service
  • Privacy Statement
  • Corporate Information

Contact

  • Contact Us
  • Advertise
  • FAQs
  • Work at The Logic

© 2026 The Logic Inc. All Rights Reserved.

Trusted by leaders

Error

Account creation failed.

Please email us at [email protected].

Create Account

[wppb-register form_name=”cozmo-registration-form-for-modal”]

I do have an account
Login
or

[wppb-login]

I don’t have an account