Political Impacts on Cybersecurity Improvements: Where Do We Go from Here?

Cybersecurity regulations encourage good corporate behaviour. Many people will get sloppy without guidelines, and the government can (and should) provide them. Without regulatory pressure, cybersecurity improvements tend to lag.

Unfortunately, the current political environment is not conducive to solid regulations. In Canada, Bill C-26 is dead for now, having timed out, but may reappear in a future session. In the United States, a volatile political situation has led to dramatic cuts to the Cybersecurity and Infrastructure Security Agency (CISA), potentially leading to lax enforcement and slow or nonexistent regulatory change. Regulations may even be rolled back. In this environment, companies must therefore stop reacting to regulations and become more proactive in their defence.

Bill C-26: A Missed Opportunity for Canada

Bill C-26 was intended to improve the enforcement of incident reporting, modernize critical infrastructure protection, and establish cybersecurity programs to mitigate supply-chain risks. The primary goal of the legislation was to designate and protect critical infrastructure such as the power grid. Still, it also set out to bring cybersecurity up to date across the Canadian government, likely impacting many government contractors.

However, the session ended while the House of Commons was still considering the bill, essentially leaving it dead. While there’s a non-zero chance it will be reconsidered, for now the opportunity it represented has been lost. Without it, cyber regulation in Canada will continue to lag, likely discouraging security innovation or, at a minimum, not encouraging it. Companies may react by perceiving cybersecurity as less of a priority for the government and the nation.

United States Cuts to CISA: A Signal with Global Ripples

CISA is an agency that supports critical infrastructure, threat intelligence sharing, and cybersecurity coordination. In early 2025, the incoming administration slashed CISA funding and jobs, although the courts have ordered the reinstatement of some employees. Cuts included critical employees, and the agency’s ability to continue its mission has been compromised.

Furthermore, the unstable situation in the United States federal government leaves CISA’s future up in the air. The US is now more vulnerable, and there is substantial uncertainty about its posture now and in the immediate future. Because of the close ties between the United States and Canada and the infrastructure connections across the border, these cuts could impact Canada.

Canadian organizations should do their best not to react immediately to cuts or rumours of reductions. The situation remains in flux, especially with ongoing legal challenges.

The Danger of Political Volatility in Cybersecurity

As already mentioned, political volatility impacts innovation and improvements. Regulatory or legal pressure encourages continuous improvement and guides companies to increase their cybersecurity appropriately.

Furthermore, when regulations are up in the air and enforcement is lax or arbitrary, it becomes hard to plan for the long term. The rules might change, or they might not, and with elections in both the US and Canada, the near future is highly uncertain.

Meanwhile, European and Asian competitors are not exactly waiting for us to catch up. Cybercriminals and foreign actors see this uncertainty as an opportunity to exploit, potentially increasing attacks.

Impact on Canadian Businesses

Regulation encourages prioritization. Without mandates like those in C-26, companies are less likely to work on improvements in cyber hygiene and security. Without legal pressure, leadership is likely to invest resources elsewhere.

This increases the burden on CISOs and consultants to convince leadership to make those changes and provide them with the necessary resources. In most cases, they know what needs to be done, but those making the decisions are unsure of the best course of action.

Companies will likely avoid proactive security and resort to reactionary behaviour, responding only to fix a breach. Needless to say, this is a poor approach that opens companies up to breaches, downtime and lawsuits.

What’s Next? Uncertain Regulatory Landscape in Canada

While C-26 or a similar bill may be reintroduced in the new session of parliament, there are no guarantees. Without federal action, provincial actions and sector-specific rules may fill the gap. Unfortunately, this risks a patchwork approach, and companies with locations in more than one province may face differing regulations and confusion.

Provincial governments also lack federal resources to pursue threats, and the nature of networked systems and the internet means threat actors are unlikely to be in the same area. Arguments about jurisdiction and confusion about which rules to follow may leave some companies following the strictest rules while others do their best to ignore them.

Companies should plan for long-term resilience and think about ways of working without the need for regulatory “prodding” to get leaders to act. Following the strictest regulation is a good approach when multiple jurisdictions apply, but moving past this and setting your own standards is even better.

The Consultant’s Perspective: Navigating a Vacuum

For consultants, this is a particularly challenging situation. The hope of clear, modern guidelines has faded, leaving us with outdated regulations. And we can no longer turn to the United States for guidance, at least for now.

CEOs and other leaders tend towards breach response rather than the more proactive, compliance-driven engagements. With cyber breaches likely to increase, consultants often must persuade leaders to act ahead of time rather than waiting for a problem.

Other cyber professionals are left dealing with breaches and incidents when they are not given the resources to take proactive action, and their workload shifts to incident response. This can lead to “crunch” situations with heavy workloads, something we would all rather avoid.

Recommendations for Organizations in the Interim

Waiting for new legislation in Canada is unlikely to be helpful. Waiting for the confusion in the US to resolve is even less likely to be useful. Don’t wait for the government, but consider the following:

  1. Prioritize risk assessments. It’s much cheaper to run a risk assessment and address any holes than to fix a breach.
  2. Implement an incident response plan so that if a breach does happen, IT personnel can react quickly. Train end users on what to do if they find ransomware on their terminals.
  3. Monitor threat intelligence and keep up to date with the latest problems. This is particularly important because CISA is weakened.
  4. Adopt voluntary standards. Use NIST and ISO 27001 standards instead of regulatory guidance. These standards are more demanding than regulatory baselines and are managed by professionals who aren’t as affected by politics.
  5. Engage with cyber consultants and listen to them on proactive strategy and best practices.

Political decisions or their absence directly impact cyber resilience, not just at the national level. As regulation becomes more uncertain, organizations are responsible for handling and strengthening their own cybersecurity and working with local resources and consultants.

You can’t afford to wait until a breach happens. If you need help with your cybersecurity, contact Yobihouse for high-quality, proactive advice on improving your cybersecurity.
