Government bodies and the private sector need more ways to share information about cybersecurity threats, and that may require new regulations or legislation, a Bank of Canada official said Tuesday.
Filipe Dinis, the central bank’s chief operating officer, said in a speech to a cybersecurity conference in Toronto that sometimes the regulatory frameworks that are designed to protect institutions and customers “can get in the way” of collaboration.
“Our regulatory environment has historically focused on protecting privacy and promoting competition. These are important objectives, but we need to increase our focus on the resilience of the financial sector.”
That means it’s necessary to reconsider current regulations and think about the necessary tradeoffs between cybersecurity, competition and privacy, he said.
Dinis didn’t recommend specific changes but said “at a minimum, regulatory frameworks should not be an impediment to collaboration.”
Among his suggestions: put in place secure channels to transmit sensitive information between companies, agencies or other trusted sources, and introduce government-mandated testing throughout industries and between sectors of the industry.
He also suggested Canadian regulations and terminology be compatible with international norms to help cross-border collaboration and decrease opportunities for companies to exploit jurisdictions with weaker cybersecurity regulations.
Dinis gave his speech to a conference organized by the Information Technology Association of Canada, about a week before the Bank of Canada releases a semi-annual report on the state of the country’s financial system.
Recent reports have stated that threats to cybersecurity are a top concern and Dinis said he expects that will be the case in the next update.
He said there have been improvements to the Bank of Canada’s cybersecurity protections over the past five years — including a new operations centre in Calgary that can take over the central bank’s critical functions in an emergency.
But he added the best defence for Canada’s overall economy is broad collaboration and information sharing — particularly in critical industries such as banking, telecommunications, energy and transportation.
“Some of that is occurring now. I’d love to see more,” Dinis said.
He emphasized, repeatedly, that he’s “very mindful” of the need for privacy protections but added that the ideal collaboration would allow the free flow of information about detected threats between trusted partners.
“Ideally, when I’m talking about sharing information — threat information, in particular — that would occur within a trusted environment and it would occur across sectorial ecosystems (such as the financial and telecom sectors).”
Dinis didn’t address specific Canadian security or data breaches but his comments come after Desjardins Group reported on Nov. 1 that all 4.2 million members of its financial co-operative had personal information stolen in a security breach, up from the original estimate of 2.9 million customers when the breach was disclosed in June.
Quebec provincial police, the province’s access to information commission and the federal privacy commissioner are investigating the Desjardins breach.