Provincial bill to regulate cybersecurity in public sector, municipalities
The RM of Gimli said last week that it was still trying to determine the scope of a cyber attack that took down its IT systems.
The RM had notified the public in late April that its IT systems were unavailable after a cyber incident.
RM spokesperson Christine Payne said the municipality takes matters of data security “extremely seriously” and that they’ll share updates as soon as they have more information.
“We are still determining the scope of the impact and working to bring our systems back online safely,” said Payne last Friday. “We know there is speculation and discussion in the community about the impact of the incident. Please be assured that we are doing everything that we can to resolve this and we will provide everyone details when we have them. We are very grateful to residents and our employees for their patience.”
The RM has not said whether ratepayer and/or employee data was stolen. But hackers going by the name Payload took responsibility for hacking the municipality and encrypting its data (see Express Weekly News’ May 7 edition).
Ransomware hackers copy data and encrypt it in order to extort moneyfrom victims for the release and/or deletion of the data. If companies fail to pay, the hackers can sell or post the data on the dark web, leading to victims having their identities stolen and suffering financial losses. Sometimes that happens years down the road.
Earlier last week, the RM’s chief administrative officer Diana Chapman posted a notice on the municipality’s website, saying the cyber attack continues to impact the IT systems and advising ratepayers to continue to use their banks to pay municipal bills as administration services are limited.
“Please note that we are still unable to process bill payments at the office. Residents are encouraged to continue making payments directly through their bank as this remains the quickest and most reliable option,” Chapman wrote on May 5. “To ensure residents are not disadvantaged during this disruption, no penalties will be applied to utility or tax accounts for the month of April.”
After the Municipality of Westlake-Gladstone lost over $472,000 in a cyber attack, Manitoba’s auditor general Tyson Shtykalo undertook an investigation, recommending that all municipalities implement “baseline cybersecurity controls” in the absence of provincial guidance in order to protect public funds and data.
Baseline controls include requiring two-factor authentication for “important” accounts such as financial accounts, system administrators, privileged users and senior executives, having an incident-response plan, and providing all employees with cybersecurity awareness training.
“The province of Manitoba’s Municipal Advisory Services confirmed it has not provided any guidance to municipalities regarding cybersecurity controls,” said Shtykalo in his 2025 report. “In the absence of guidance from the Province, we recommend municipalities implement controls to ensure they are protected from cybersecurity threats based on a recognized cybersecurity framework, such as the Canadian Centre for Cyber Security’s baseline cybersecurity controls.”
When asked by the Express if the provincial department of municipal and northern relations has implemented a process to monitor municipalities’ compliance to baseline controls, a media relations spokesperson said municipalities will be asked about their current practices and to identify their “baseline” security capabilities. Currently, the province doesn’t have data on how many Manitoba municipalities are not complying with baseline cybersecurity controls.
“After the OAG [office of the auditor general] report’s release, Manitoba Municipal and Northern Relations (MNR) shared the report with municipalities and communicated the need to increase cyber security measures,” said the spokesperson. “The department also began work with Manitoba Innovation and New Technology (MINT) to consult with AMM [Association of Manitoba Municipalities] on highlighting best practices and guidelines, such as the Canadian Centre for Cyber Security. The two departments are preparing to survey municipalities on their current cybersecurity practices this summer.”
Municipalities are “autonomous and independent” governments, added the spokesperson, and currently have sole authority over what IT systems they use, how they train their staff and how their systems are secured and maintained.
“While the Canadian Centre for Cybersecurity’s baseline cybersecurity controls are recommendations, municipalities are not currently required to comply with those or any other cybersecurity controls,” said the spokesperson.
But that’s set to change as the province intends have public sector entities comply with cybersecurity regulations.
The government gave third and final reading last week to Bill 51, the Public Sector Artificial Intelligence and Cybersecurity Governance Act, which was introduced by the Minister of Innovation and New Technology Mike Moroz (NDP River Heights). It will establish regulations to better support municipalities in protecting their communities.
“The proposed act would establish a framework that would permit the regulation of governing public sector entities, which can include municipalities, and could require them to comply with regulations governing cybersecurity,” said the spokesperson. “This includes requiring the development of accountability frameworks, the reporting of cybersecurity incidents and set technical standards for cybersecurity. In addition, the proposed legislation would allow the minister of MINT to issue directives about cybersecurity to specific public sector entities.”
As for the amount of cybersecurity funding municipalities receive from the province each year — as the auditor general alluded to in his report — the spokesperson said municipalities aren’t bound by how to use provincial funding.
“Municipalities are independent government and have sole authority on how they use their $233.6 million to municipalities in unconditional operating funding, which has received a two per cent increase year over year since 2023, to support local priorities, services and programs,” said the spokesperson.
“All municipalities also receive $12.6 [million] from the One Manitoba Growth Revenue Fund, which is separate from operating grants to further support service delivery in communities. This funding is not earmarked for any specific purpose, allowing municipalities the flexibility to allocate it based on local needs, including cybersecurity and other safety measures.”
The federal Canadian Centre for Cyber Security (called the Cyber Centre) said in its 2025-26 National Cyber Threat Assessment report that artificial intelligence technologies are “amplifying” cyberspace threats, hackers are “evolving” to evade detection, and IT vendor concentration is a “magnet” for hackers. Companies such as banks, health-care providers and private sector businesses outsource IT services to dominant providers, including cloud-based providers.
Among the threats to Canadians are state-sponsored cyber attacks from countries including Russia and China, a Cybercrime-as-a-Service (CaaS) business model whereby hackers sell stolen and leaked data online to other cybercriminals, and ransomware attacks.
“Ransomware is the top cybercrime threat facing Canada’s critical infrastructure. Ransomware directly disrupts critical infrastructure entities’ ability to deliver critical services, which can put the physical and emotional wellbeing of victims in jeopardy,” states the report. “In the next two years, ransomware actors will almost certainly escalate their extortion tactics and refine their capabilities to increase pressure on victims to pay ransoms and evade law enforcement detection.”
The Cyber Centre provides guidance and support that can help prevent cyber attacks, including information on common strategies hackers use to gain access to a system and how to investigate an attack.
Hackers “regularly” identify servers that are out of date or at the end of their life to gain access to IT systems.
Security measures should include controlling access to systems, hardening credentials, establishing centralized log management, using an antivirus, employing detection tools, operating services — ones that are exposed on internet-accessible hosts — with secure configurations, and keeping software updated.
The Cyber Centre also recommends that employees and admin accounts have multi-factor authentication (MFA) activated and implement phishing-resistant MFA. Complex passwords should be used and be a “minimum” of 12 characters consisting of upper and lower case letters, numbers, special characters and punctuation marks. A password for one system should never be re-used for other systems.
Emergency preparedness planning (business continuity, disaster recovery and incident response plans) can also improve cybersecurity resilience in organizations and ensure an organization can prevent, respond to and recover from a cyber attack, says the Cyber Centre.
