Evidence of meeting #112 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was kpmg.
A video is available from Parliament.
11:10 a.m.
Conservative
Arnold Viersen Conservative Peace River—Westlock, AB
Has this kind of situation ever happened to you before, with a Government of Canada official suggesting that you pursue a contract with another company?
11:10 a.m.
Partner and National Leader, Cybersecurity, KPMG
Again, KPMG is subcontracted in numerous different scenarios. However, with respect to your specific question, I'm not aware of an exact scenario outside of this one.
11:10 a.m.
Conservative
April 4th, 2024 / 11:10 a.m.
Conservative
Arnold Viersen Conservative Peace River—Westlock, AB
As a taxpayer of Canada, would you not have concerns around the oddity of this? Did you not think, “Perhaps we should flag this”?
It's something that doesn't happen often. It was being suggested that you pursue a contract with another company. Did it ever occur to anybody at KPMG that perhaps this should be flagged?
11:10 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
Thank you for the question. I'll take this one, since it sounds like it's a bit more general than just the CBSA-related work.
As we've both said this morning, KPMG has extremely strict protocols around client and engagement acceptance. We have to go through a very in-depth process every single time we undertake to work with a new client or an existing client to look for any irregularities, any independence conflicts or other areas of risk that would be a risk either to the client and/or to us, and we follow them to the letter.
11:15 a.m.
Conservative
11:15 a.m.
Conservative
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Thank you, Mr. Chair.
Mr. Nijjar, you're coined as skilled in multiple areas of cybersecurity, including information security governance and incident management.
Is there a higher risk of information security breaches when you have to run through the main contractor in GC Strategies? Does the risk increase when you're running through other people?
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
In terms of the risk to us in completing and executing the work, no, it did not increase, as we were working directly with the CBSA.
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
In your professional view, is there a higher risk of information breaches when passing information along through multiple middlemen?
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
We were not actually passed sensitive information through GC Strategies on the ArriveCAN application. Again, we worked directly with the CBSA team when we were executing the work.
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
In your professional view, with the rise in cyber-threats and data breaches, does a private company outsourcing to multiple third party contractors bring any benefit to stopping potential leaks or breaches of private security?
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
I'm sorry. Could you rephrase the question?
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
We now know that there are increased cybersecurity risks and data breaches happening all over the place, or so it seems. Does a private company outsourcing to multiple third party contractors bring any benefit to potentially stopping some breaches of private security?
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
I believe the risk remains the same regardless, because again, the subcontractor in this case asked that we primarily work directly with the CBSA when we were executing the work.
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
In your role, your department and company more broadly, do you provide your contractors with services, or are you hired in more of a consultancy role?
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
I'm sorry. Could you clarify? To our subcontractors...?
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Right. In your role in your company, would you say that you provide contractors with services, or are you acting more as a consultant?
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
If I've understood you correctly, in this case, we were the subcontractor and GC Strategies was the prime. We were providing professional services to the CBSA.
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
You weren't really a consultant in this case. You were actually providing services.
11:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
We were consulting to the CBSA, but the services we were consulting on were cybersecurity services.
11:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Right, so I guess, just to be clear, you were basically doing both: You were providing services, but in a consulting capacity.
