Sure. With respect to the cybersecurity work, there were five primary bodies of work. The first was to assess vulnerability management practices around the ArriveCAN environment. How do you identify vulnerabilities and mitigate them in a timely manner? The second was to assess compliance with certain privacy regulations, particularly those surrounding the cloud hosting platform. The third was to assess the cloud hosting platform itself to understand if appropriate security controls were embedded. The fourth was to understand whether appropriate incident response processes were in place. If there was an incident or a breach of some sort, would it be possible to respond and recover in a timely fashion? The last was to do with understanding whether appropriate security practices were integrated within the development processes.
On April 4th, 2024. See this statement in context.