Evidence of meeting #154 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament's site, as are the minutes.)


Also speaking

Ron Green  Executive Vice-President and Chief Security Officer, Mastercard Canada
Thomas Davies  National Financial Services Cyber Leader, EY
Charles Finlay  Executive Director, Cybersecure Catalyst
Robert Gordon  Executive Director, Canadian Cyber Threat Exchange
Ruby Sahota  Brampton North, Lib.
Earl Dreeshen  Red Deer—Mountain View, CPC

4:35 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

In other words, you would have the merchant name, the card number and the amount, essentially.

4:35 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

4:35 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

That's not necessarily stored in Canada, so is that subject to protection from Canadian law?

4:35 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

We have to be compliant with Canadian law for the data for Canadian citizens. Right now the majority of transactions take place at our St. Louis or Kansas City facility. There are other locations that also do work for us. The data needs to remain local only. From where I sit globally I can see threat actors attempt to work against the payment system no matter where they are. But as countries localize or look for localization of data, and that data can't be used in other places, the ability for me to analyze and see where the threat actor moves becomes more difficult.

The threat actors don't care about borders. They're willing to attack Latin America or Europe or Canada or the U.S. If I can see their attacks taking place in Latin America, but I'm not allowed to use that information to help protect another country, the attacker can then move without my using the learning to protect the other, so attackers can continue to attack different places without my using the information to help protect it.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Picard.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

Mr. Davies, you provide consulting services to financial institutions. In business, one challenge is to properly manage security investments and risks. It's about balance. When it comes to investing in security measures, we must consider whether paying for any possible damage would be cheaper than or equal to the cost of investing in security.

For a long time, the perception was that financial institutions limited their investments in security and chose to pay for damage that occurred as a result of incidents because it was more beneficial. Is this type of resistance still encountered or has the market changed with regard to security?

4:40 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

I would say that they are investing heavily in protection in cybersecurity. There is brand and reputational risk. While in the community we talk about not competing on security itself, I believe the financial institutions do compete on customer trust.

The biggest issue the financial institutions have today is actually having the individuals necessary to deploy the capital. They have robust budgets and they set aside adequate funding, but trying to get through as many projects as they do with the skills shortage becomes a challenge.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

It should be noted that third parties that have access to financial institutions may not have the financial means or tools to protect themselves from risks. As a result, they may represent an access risk to the financial system. Do the industry's security investments still protect the market?

4:40 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

Third parties that service financial institutions are considered one of their greatest risks. The financial institutions develop a really strong security program but then can be weakened by an external party. Third party risk is something taken very seriously by the financial institutions.

I think one of the issues is that people believe that cybersecurity is an overly complicated domain when a lot of breaches occur due to the basics being missed. I think that proper education, in terms of what the basics are and how to go about resolving them, can greatly mitigate that risk. We are seeing financial institutions start to basically mandate that their third parties have certain minimum controls inside of contracts and that there is an assumption of risk along with them. In Canada we have OSFI that regulates the banks. If a third party is the reason for a breach, OSFI doesn't really care that it was a third party. It still holds the bank liable, so the banks are taking this very seriously and are going through heavy risk programs to mitigate this issue.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

My next question concerns human resources, and it's for Mr. Davies and Mr. Green.

From a consulting perspective, the focus is on recruitment, while from a client perspective, for example at Mastercard, the focus is on the risk posed by human resources.

I want to share an anecdote. A number of years ago, I filled in a credit card application form properly—I won't say which card. When I received the card, the credit limit had already been exceeded. Obviously, I contacted the security department. The problem wasn't caused by me, but by the security department when the card was issued. The problem came from the inside.

In a previous life, I attended Canadian Bankers Association meetings, where we talked about payment terminals that were impossible to break into. However, the terminals were broken into within three weeks. We think that there's still a risk of inside jobs.

How is this human resources risk, which seems to lead to a dead end, managed for both the client and the consultant?

4:45 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

We do a great deal of background checking on our employees before we bring them on, but we also have insider threat programs. We know what the correct or usual behaviour is, and then we look for anomalies. I had an opportunity to take my board through what we have in our insider threat program, but we have a way of sensing when people are acting abnormally.

When those triggers are set, then my team will launch an investigation to see if the employee is acting in a way that is not in the best interests of the company.

Additional to that, we have employees who have high-risk roles. The things that they do allow them the ability to make or destroy machines, or things like that.

We have an increased level of monitoring, so my guys watch what it is that they're doing. It's all behind the scenes, but it happens to make sure they're doing the things that they are supposed to. If they're not, then we respond to it.

4:45 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

I'll add that the insider threat is the number one concern of most chief risk officers, because of the magnitude of the event when it occurs. You know, the Edward Snowden discussion comes up often in terms of national security. The idea that an insider has access to privileged information is always a concern.

There is a discussion around enhanced monitoring under what we call powerful users, people who have—to Mr. Green's point—powerful privileges inside the organization, and making sure to mitigate the risks.

So one account is frauded, that's a mitigated risk, and there's a certain risk tolerance you have to have internally. You can't guarantee that nobody will do a bad thing, but you can minimize the impact and do some basic training and awareness.

When I was a member at Scotiabank, the code of ethics, business conduct, know your customer, and anti-money laundering training were mandatory. It is important to have that be a mandatory component and to at least give everybody the sense that you're here to do the right thing.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Motz, you have four minutes, please.

April 1st, 2019 / 4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair, and thank you for being here, gentlemen.

Mr. Gordon, we've heard from previous witnesses to this committee that countries like Australia and Israel have pretty effective information-sharing networks between industry, government and academia. We haven't heard necessarily that the same exists in Canada. Could Canada improve in this regard, and if so, how should we go about doing that?

4:45 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

I think we actually are improving. I think one of the big steps was creating the new cyber centre to do that. It's one of the reasons why we're working so closely with them to do that linkage between what the private sector is doing and what the government's doing.

As a matter of fact, we're working with some Australian organizations to create an organization in Australia similar to the CCTX, to do that cross-sector piece. It's one of the ways of bringing together all of the companies, regardless of size or what they're doing, and bringing them forward in a way they can start to interact with the government.

The government's going to be looking after the cyber centre, a fairly narrow window into the critical infrastructure—that's what they are going to scale to—and they're looking at us to expand that out to all those sectors and areas that aren't going to be covered by what they're doing. The government can be providing some general advice, but a lot of it is taking the general advice and saying, we need to do something in technology, but as an individual within a company, how do I actually do that?

It's a little bit of the skills development that Mr. Finlay was talking about. We're trying to bring that along, to take the knowledge the government is providing and then translate that by getting individuals who are going to execute on using that technology to sit down and figure out how you actually do some of these things.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Your organization has a platform that's now more accessible to the smaller markets, to small and medium-sized business, and they're taking advantage of that.

Have you observed any attacks in those start-ups, in those smaller enterprises, that have grown from there?

4:50 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

On the companies that we have, no, but that's been happening.

A lot of examples come out of small companies. Part of the supply chain is being the source of the target into the much larger organizations. It's one of the reasons—and it was said previously—the banks are so interested in looking at their third parties and what they can be doing to try to enhance the cyber-resiliency of that third party, because they're all hooking into their systems.

It extends beyond that into literally every sector. For example, when dealing with the owners of large buildings who are now worried about all the tenants of their building hooking into them, you're only as strong as your weakest link. Every sector is going through the same issue.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

A previous witness to this committee said that Canada is often the first victim of attacks, and it's partly due to the fact that we have fewer resources than our friends to the south have.

In your exchanges and with the allies, have you seen that to be so?

4:50 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

That we're being attacked first, or...?

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

You have a lot of interaction with our allies.

Are you seeing that Canada sometimes might be the first point of attack on some of these issues, as opposed to some of our allies?

4:50 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

Yes. The attackers will come after countries for a variety of reasons.

In some instances, we may be the only target of an attack coming in, and other times we'll be a jumping-off point for attacks starting here and going elsewhere, or we can be the second country going down, where the attack starts somewhere else and then comes over to Canada. We get hit in all three areas.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

That's perfect.

Mr. Davies, in your view, what are the biggest cybersecurity shortcomings that you see or experience in the Canadian financial sector?

4:50 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

The biggest issue they have is legacy sprawling systems, and proper hygiene over those systems is still extremely challenging. Security tooling doesn't really exist for a lot of older systems, where they have to build what we call a ring fence to protect that asset. It's still the number one issue. It sucks time.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I have a follow-up to that, because it's important to that issue.

You're right. If you're old like John and me—

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thanks very much.