Insurers urge feds to protect critical services from cyberattacks

Canada’s insurers are urging the federal government to move forward with a bill to mandate protection of the nation’s critical services from cyberattacks.

“Effective cyber security requires more than market forces,” says a new report issued by Insurance Bureau of Canada (IBC), The Canadian Cyber Insurance Market. “It also depends on clear, enforceable regulatory frameworks. In Canada, regulatory progress on this front has been uneven.”

In particular, the report cites Bill C-26, introduced in 2024 and intended to modernize Canada’s cyber security framework for critical infrastructure.The law passed through several legislative stages last year, but it died on the order paper when the federal government suspended Parliament in January 2025 and called an election in April.

Since the election, the federal government has introduced the bill in a new form, Bill C-8, which passed second reading on Oct. 3 and has been referred to the Standing Committee on Public Safety and National Security. The committee’s website shows no meetings have yet taken place, although papers before the committee argue it doesn’t go far enough to deter white collar crime.

Without a national cyber framework for critical infrastructure in place, IBC says, this leaves “essential sectors — like energy, telecom, and finance — without consistent, enforceable cyber standards, increasing systemic risk.”

As drafted during first reading, Bill C-8 requires designated critical infrastructure operations to “establish a cyber security program in respect of its critical cyber systems.”

The law requires any cybersecurity program to:

• Identify and manage any organizational cyber security risks, including risks associated with the designated operator’s supply chain and its use of third-party products and services
• Protect its critical cyber systems from being compromised
• Detect any cyber security incidents affecting, or having the potential to affect, its critical cyber systems
• Minimize the impact of cyber security incidents affecting critical cyber systems.

Also in the news: Insurers more reluctant to settle claims quickly

IBC notes other countries are ahead of Canada when it comes to protecting their critical infrastructure from cyber threats.

“The United States has enacted mandatory incident reporting requirements under its CIRCIA [the Cyber Incident Reporting for Critical Infrastructure Act, which then-president Joe Biden signed into law in 2022], and the European Union’s NIS2 Directive has introduced obligations across critical sectors,” IBC states in its report.

“By contrast, Canada lacks a cross-sector cyber framework, potentially making Canadian systems more attractive targets, vulnerable to cyber threats, and complicating international collaborations.

“For global insurers, Canada’s regulatory posture may translate into heightened caution when deploying capital.”

Meanwhile, IBC would like to see the re-introduction of privacy legislation related to the use of artificial intelligence (AI).

Why innovative customer experience will define the future of personal auto insurance Image

Insights Paid Content

Why innovative customer experience will define the future of personal auto insurance

Technology is helping insurers reimagine how they support personal auto customers — and it starts the moment a collision is reported, say experts at Accident Support Services International.

By 

Sponsor Image

In tandem with Bill C-26, the federal government introduced Bill C-27: Digital Charter Implementation Act, which proposed the introduction of the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act.

“If enacted, [Bill C-27] would have strengthened privacy rights, increased penalties for non-compliance, and added new obligations around data use and AI systems,” as IBC explains.

“Bill C-27, which would have modernized privacy legislation and established a framework for AI regulation, died on the order paper [before the federal election], leaving Canada’s data protection framework outdated and fragmented.”

David Gambrill

David has twice served as Canadian Underwriter’s senior editor, both from 2005 to 2012, and again from 2017 to the present.