Evidence of meeting #154 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Ron Green  Executive Vice-President and Chief Security Officer, Mastercard Canada
Thomas Davies  National Financial Services Cyber Leader, EY
Charles Finlay  Executive Director, Cybersecure Catalyst
Robert Gordon  Executive Director, Canadian Cyber Threat Exchange
Ruby Sahota  Brampton North, Lib.
Earl Dreeshen  Red Deer—Mountain View, CPC

4 p.m.

The Chair Liberal John McKay

Ladies and gentlemen, we have quorum, and we have lost half an hour.

I'm just going to ask all the witnesses to come up to the table directly.

My proposal, colleagues, is that we mash the panels. I've spoken to all the witnesses and asked that they be prepared to speak for less than 10 minutes. My thought is to give the panellists seven minutes each to make their presentations.

The first round of questions will be six minutes, and the next round, four minutes. We'll just run as long as we can.

I think there's another vote. We're not sure.

4 p.m.

David Graham Liberal Laurentides—Labelle, QC

Are we not going all night tonight?

4 p.m.

The Chair Liberal John McKay

Did you bring your cot?

4 p.m.

An hon. member

Oh, oh!

4 p.m.

The Chair Liberal John McKay

Okay, with that, the meeting has come to order.

I'll simply call the witnesses in the order that we have on the agenda, which starts with Mr. Green from Mastercard, followed by Mr. Davies from EY, Mr. Finlay from Cybersecure Catalyst and Mr. Gordon from Canadian Cyber Threat Exchange.

With that, Mr. Green, you have seven minutes, please.

April 1st, 2019 / 4 p.m.

Ron Green Executive Vice-President and Chief Security Officer, Mastercard Canada

Good afternoon, and thank you for the opportunity to be here today.

First, I want to praise the committee for launching this study. Cybersecurity is one of the greatest challenges governments and businesses are facing at the present time, with serious implications for national security, financial stability and consumer protection.

I also want to congratulate the Government of Canada for launching its national cybersecurity strategy and establishing the Canadian Centre for Cyber Security. I had the opportunity to meet with the leadership of the centre today, and we at Mastercard look forward to supporting their work however we can.

Cybersecurity is a top global priority for Mastercard. Safety and security are foundational principles for every part of our business and the innovative technology platforms and services we enable. We know that secure products and services are essential to the trust our customers, cardholders, merchants and other partners place in us. Let me contextualize this.

As you probably know, Mastercard does not issue credit cards or have a direct relationship with consumers. That is the purview of the banks that issue our cards.

Mastercard is a technology company. We provide the network that allows consumers to use their Mastercard virtually anywhere in the world, in more than 210 countries and territories, and have those transactions processed in seconds, connecting 2.5 billion cardholders with tens of millions of merchants.

For us to provide value to banks, merchants and consumers who use our network, we must provide safety and security. We cannot afford to have any interruptions in the operations of our network.

We are also investing in innovation: enhancing our capabilities in-house; acquiring cutting-edge technology companies; and nurturing our Start Path group of curated start-ups, including five in Canada, connecting with our issuing partners to grow their business. Just last month, Mastercard entered into an agreement to acquire Toronto-based Ethoca, a fraud solution powered by collaboration between banks and merchants.

At a very high level, that's what we're doing. Please let me now turn to our advice for government, which falls into six main areas.

First, in a networked, interconnected digital world, we need cybersecurity solutions tailored to small and medium-sized businesses. Cybercriminals will seek out the weakest point in the system to launch an attack. Therefore, we need to provide a framework for small businesses to protect their operations. Mastercard is playing a leading role in defending SMEs as we stand up our Cyber Readiness Institute, which emphasizes the practical application of tools for small and medium-sized businesses. The institute also facilitates the workforce development needed to implement these cybersecurity risk management tools.

In addition, keeping with this focus, in February, Mastercard and the Global Cyber Alliance released a new cybersecurity tool kit specifically designed for SMEs. This is a free online resource available worldwide. It offers actionable guidance and tools with clear direction to combat the increasing volume of cyber-attacks. There are operational tools, how-to materials and recognized best practices, all with an action focus. This tool kit will be updated regularly.

Second, global companies frequently confront an expanding and overlapping set of cybersecurity regulations in different jurisdictions. Those need to be harmonized using a baseline framework. We understand good trilateral progress was made here in the context of the NAFTA renegotiation, developing a common framework to align and manage cybersecurity risks, which is encouraging.

Third, there is a need to improve identity management and authentication as more devices are connected online. We need a robust identity ecosystem to enable easier and more secure digital interactions and transactions that safeguard the privacy of our cardholders.

Fourth, with the Internet of things there will soon be 30 billion connected devices. This creates enormous opportunities for the digital economy, but it also increases cyber-risk. Therefore, governments and the private sector should develop standards to improve the interoperability and cyber-threat detection and prevention while removing friction from commerce.

Fifth, as cyber-threats grow, governments and the private sector face a shortage of employees with cybersecurity skills. The world needs to start training the next generation of cybersecurity experts, and government has a role to play. If you have kids or grandkids, get them hooked on cybersecurity and they can make a lot of money in their lifetime, because right now the needs are there but the qualified security personnel are not.

Finally, collaboration, information-sharing and bringing all stakeholders to the table are required to fight cybercrime. President Obama commissioned an expert task force on cybersecurity on which our CEO sat. The task force issued a series of recommendations. The CRI, which I mentioned earlier, is a direct offshoot of the task force's emphasis on securing SMEs.

I believe this issue is so fundamental to the future of our economy and society that it needs attention from leadership at the highest levels. Mastercard is ready to lend its expertise to the Government of Canada in much the same way.

I could talk for hours on the subject but I will stop here and happily take questions on the areas that are of most interest to you. I have tried to provide a snapshot of what we are doing and what we think governments should be doing.

Thank you again to the committee for having me here, and I look forward to your questions.

4:05 p.m.

The Chair Liberal John McKay

Thank you, Mr. Green, and thank you for respecting the time.

Mr. Davies is next for seven minutes, please.

4:05 p.m.

Thomas Davies National Financial Services Cyber Leader, EY

Thank you for inviting us to this session to provide insights and field questions on cybersecurity in the financial sector.

My name is Thomas Davies, and I am the National Financial Services Cybersecurity Leader for EY in Canada. I'm also a special adviser for financial crime for the firm globally with a focus on insider and outsider threats. Prior to joining EY, I spent eight years as a director of Scotiabank, supporting all three lines of defence.

Cyber-attacks are on the rise and the financial services industry is considered a high value target globally. The number of individuals, organizations and nation states with access to advanced tools has grown exponentially as service offerings for hacking have been developed and optimized by criminal organizations. Attacks on financial services are not limited to cyber-breaches. They can quickly move to fraud and money-laundering activities, which then create a strain on the talent and financial resources of any organization. These concerns are exacerbated by the shortage of skilled professionals across financial crime domains. A successful breach of payment systems, transaction networks or customer data could have a material impact on the economy.

Consider for a moment the implications of not being able to use your debit or credit card for a day or even a week. Imagine over one million Canadians trying to withdraw cash to pay for groceries, gas or medicine. Many global regulators consider the resiliency of financial services against a cyber-event to be a top priority for ensured economic health, as exhibited by new security requirements in Hong Kong, the United Kingdom and New York.

As Canadians demand greater access to financial services through digital platforms such as open banking, we need to consider embedding security and privacy principles into the design phase of a solution. In doing so, we will help to build customer trust, encourage adoption and proactively reduce the likelihood of costly fixes later. Implementing preventative measures such as training and awareness, access management, system hygiene, third party risk and corporate governance will reduce both the attack surface of these platforms and the maintenance required to support them.

Canada has an opportunity to become a global leader in security and privacy while continuing to be a great innovator of fintech. Through the continued support of shared intelligence, the development of talent through early and continuous education, and by enhancing public awareness of cyber-threats leading to financial crime, we can ready ourselves against this growing threat.

Thank you.

4:05 p.m.

The Chair Liberal John McKay

Thank you, Mr. Davies.

I encourage colleagues to take note of the way in which these presentations are made in a timely fashion.

Mr. Finlay from Cybersecure Catalyst, please.

4:05 p.m.

Charles Finlay Executive Director, Cybersecure Catalyst

Chair and members of the committee, thank you very much for the opportunity to speak with you today.

Cybersecure Catalyst is a new centre for cybersecurity activities that was established last year by Ryerson University. It is permanently located in Brampton and will open its physical footprint in Brampton later this year. The centre will collaborate closely with governments and government agencies at all levels, private sector partners and other academic institutions across Canada to drive growth and innovation in the Canadian cybersecurity ecosystem.

We will deliver programming in four pillars. We will provide cybersecurity training for existing cybersecurity professionals, and introductory cybersecurity training for newcomers to the sector. We will support scaling-up Canadian cybersecurity companies through a unique commercial accelerator program. We will support applied cybersecurity R and D partnerships between academic institutions and private sector partners. Finally, we will deliver public education in cybersecurity, focusing on private citizens and small businesses.

In developing the mandate of Cybersecure Catalyst, Ryerson University engaged in a lengthy consultation process with industry and government, including a number of financial institutions. I think the results of this consultation process are important for our discussion of cybersecurity in the financial sector as a national economic security issue. When we asked major financial institutions and other private sector entities what they needed most from a university-based cybersecurity centre, the answer wasn't some specific technological tool or identified advance in the science. The overwhelming answer was more people. You have heard this from other witnesses before the committee today. In particular, we heard from financial institutions that they need their existing personnel to be upskilled to meet emerging threats, and they need more people to come into the sector to staff entry-level positions within their organizations. Every one of the major financial institutions in Canada has many current openings for cybersecurity personnel.

The anecdotal evidence taken from our consultation process is supported by the empirical evidence. As you have already heard from other witnesses in this hearing, in July of 2018 Deloitte and the Toronto Financial Services Alliance released a report that estimated that the demand for cybersecurity personnel in Canada was increasing by 7% annually and that 8,000 cybersecurity positions need to be filled by 2021.

It is important to note that this shortage is not just a security problem; it is an economic development problem. The lack of trained cybersecurity personnel creates staffing challenges for the regular operations of these financial institutions, but it also impacts these institutions' ability to create new and safe products and services for domestic and international markets. Crucially, the lack of trained personnel seriously impacts the ability for small and medium-sized Canadian cybersecurity companies to grow.

An interesting way to see the Canadian labour market problem in cybersecurity is to travel to Israel. Israel is generally acknowledged to have the strongest cybersecurity technology ecosystem in the world. The Israeli government has established a new major centre for cybersecurity activities in a small town in the Negev Desert about an hour by car from Tel Aviv, called Beersheba. In January, I travelled to Beersheba to meet not with Israeli companies but with representatives of Canadian financial institutions that have established offices at Beersheba because they can find cybersecurity talent in Israel much more readily than they can in Canada.

That is the bad news. The good news is that this problem is well understood and efforts are being made to address the issue. This federal government's investments in cybersecurity in the 2018 budget were significant, in particular with the establishment of the Canadian Centre for Cyber Security. The centre is already acting as an important partner and voice for the cybersecurity sector in Canada. In the recently released 2019 budget, this government made cybersecurity a priority, allocating $80 million to post-secondary institutions to expand the pipeline of cybersecurity talent in Canada, among other measures.

Of course there is always more to do. In our view, training programs should focus on two key cohorts: young people in K to 12 and demographic groups that are seriously under-represented in the cybersecurity sector. Young people are not necessarily inclined to view cybersecurity as an interesting or exciting field of study or future employment, but this can change with the right engagement.

We will not solve the labour market issue of cybersecurity for financial institutions or for any other institutions if we don't open the cybersecurity sector to more women, racialized groups, new Canadians, indigenous Canadians, veterans and to those who have been displaced from legacy sectors. Efforts should be made to focus specifically on opening training and industry placement opportunities to individuals from these groups, and we will focus on that at Cybersecure Catalyst.

Finally, as our economy continues to transform, we see exciting opportunities to build talent pipelines between sectors where human labour is being displaced, and the cybersecurity sector where the need for qualified personnel is growing.

Thank you very much.

I'd be pleased to take your questions.

4:10 p.m.

The Chair Liberal John McKay

Thank you, Mr. Finlay.

Mr. Gordon, you have seven minutes, please.

4:10 p.m.

Robert Gordon Executive Director, Canadian Cyber Threat Exchange

Thank you, Chair.

I would like to thank the committee for giving me the opportunity to speak today about cybersecurity in the financial sector.

I'm the Executive Director of the Canadian Cyber Threat Exchange, CCTX. I'll highlight the work of the CCTX because I believe it has a direct bearing on the current focus of this committee's inquiries.

The CCTX is a not-for-profit organization established by the private sector with two broad mandates. First, we operate a cyber-threat information exchange to deliver actual intelligence to our members. Second, we provide a collaboration hub for the sharing of best practices among cybersecurity professionals. We're a relatively new organization, having commenced basic operational capacity just two years ago. I'll provide a few additional comments on our services in a minute.

The founding principles of the CCTX make it unique. First, our aim is to attract members from all sectors of the economy, not just those from critical infrastructure. We currently have members from accounting companies, law firms, the health sector, construction firms, entertainment companies, airport authorities and technology companies, among others.

Second, the large companies that founded the CCTX made it clear that the CCTX cannot be just for large organizations. We need to attract small and medium-sized organizations. In every sector of the economy, all sizes of organizations are experiencing cyber-attacks. We've grown from the initial nine founding members to just under 60 today, with additional applications being processed weekly.

In January this year, we changed our membership and fee structures to make membership more attractive to small and medium-sized organizations. Those changes have been really well received. Small organizations now represent 28% of our membership, and we're working to ensure this number grows significantly. As we increased the number of small organizations, we were developing cybersecurity reports and services specifically tailored to meet the needs of the small business owner.

I'll briefly highlight two of the service delivery areas.

We operate a cyber-threat information-sharing hub. Threat information is provided by participating member organizations. The threat intelligence received does not contain personal information, and the source of the information is anonymized.

The CCTX also receives cyber-threat information from the new cyber centre. We're pleased to be the first organization to sign a collaboration agreement with the new cyber centre. This is an important partnership for the CCTX and the government. We believe we will benefit from the full cybersecurity capability the government offers, and the government is going to benefit by our being able to extend the reach of what they're doing to small parts of the economy they no longer service, particularly those areas outside the core critical infrastructure.

The CCTX also offers its members an opportunity to provide threat-related information to the government, while keeping their identities anonymized. As we continue to grow, we'll provide the government with a broader understanding of how cyber-threats are impacting the entire Canadian economy.

This committee previously heard from witnesses on the importance of developing the cyber workforce required to defend the Canadian economy. The CCTX plays a role in assisting the private sector in developing and retaining the skills they require. Our cross-sector collaboration capability provides a variety of forms to bring together cybersecurity professionals to share best practices and ideas. Practitioners get together to discuss new topics such as the new techniques that are being used by attackers, new defence technologies and strategies, and changes in the legal landscape that companies should be aware of. We deliver this capability through monthly webinars and in-person collaboration events. The time employees devote to participating in these events contributes to their retention of their professional certifications.

Financial institutions understand the importance of collaboration, which is why all six of Canada's largest banks belong to the CCTX. The banks recognize that through collaboration they can raise their own defences and make it more expensive for the attacker. We provide a unique cross-sector sharing forum. As an example of the beneficial and unique relationship of the CCTX, work is being done through our portal between the financial institutions and telecommunications companies on a very specific cyber-threat.

Banks have built an impressive capability to defend their networks from cyber-attack, and they are now launching a new initiative through the CCTX. They would like to share their expertise with SMEs and are working with us in helping to raise the maturity of SMEs in every sector's supply chain, not just those relating to financial services. Each bank has identified an area of expertise and presentations have been developed that focus on the needs of small and medium-sized enterprises. We're currently working on the delivery mechanism for this important initiative.

Collaboration starts with building a trusted relationship. The CCTX provides an environment where the trust can flourish. We're building a community where members don't have to be operating in isolation. When a crisis occurs, they have a community to which they can reach out for assistance. Creating this organization that shares threats and best practices across sectors and all sizes of companies is a key pillar to achieving the desired level of security in order to protect Canada's economic prosperity. Collaboration means you don't have to do it all yourself because “none of us is as smart as all of us”.

I look forward to your questions.

4:15 p.m.

The Chair Liberal John McKay

Thank you, Mr. Gordon.

With that, Mr. Spengemann, you have the floor for six minutes, please.

4:15 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Chair, thank you very much. I'll be sharing my time with my colleague, Mr. de Burgh Graham.

My question is for Mr. Green.

Thank you for being with us. Thank you for your expertise. I'd also like to thank you for your past service as an officer in the United States Army. I also serve on our Standing Committee on National Defence, and from the perspective of our armed forces I just want to let you know how much we value our friendship and alliance with the United States.

4:20 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

Thank you.

4:20 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

You had a chance to visit the Canadian Centre for Cyber Security. My interest is in small and medium-sized enterprises. From your perspective, having clients that are SMEs, how much of a structural obstacle do you think cybersecurity is for start-up companies in Canada? What should the Government of Canada do more of, or do better, in terms of facilitating access to market entry points for those companies that are data-centric and depend on cybersecurity?

4:20 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

As someone who has visited a number of small start-ups, I can say that for many of them security may not be top of mind. It needs to become part of everything we do, not just for small businesses, but just as people.

When you leave your house every day, you lock your door. You need to have a certain level of cybersecurity hygiene in your everyday life. For businesses, especially those that have data available to them, it needs to be a part of what they do now. We're at a point in time where we need to help them with that, through best-practice sharing and access to experts. That is one of the reasons we engage with Global Cyber Alliance. We are part of many groups that provide best practices and how-tos, but it's about making tools available to small businesses to actually help them do something, rather than just telling them, “These are the things you should think about.” Give them the tools and access to the expertise.

At the cyber centre, they're certainly working on ways to provide information to small businesses. They'll never have intelligence organizations like I have, but certainly, you can break down the information enough to help them on the journey to get more secure.

4:20 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

That's very helpful.

I'm going to hand it over to my colleague.

4:20 p.m.

David Graham Liberal Laurentides—Labelle, QC

Thank you.

Mr. Davies or Mr. Green, I'm not sure which of you can answer this. How does liability work for financial institutions that have losses related to cybersecurity?

4:20 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

With cybersecurity incidents and breaches, there's a place where the victim can be victimized twice. You have the threat actors that steal the money, and then you have the ensuing civil and criminal cases that take place afterwards. Sometimes, depending on the company, they are then taxed more, or they spend more time on it.

From our perspective, we work with a body comprised of our lawyers, the acquiring company's lawyers and the merchants that are involved in the issuing. We work out a reasonable compensation between all of the impacted organizations. That's for payment card breaches. It may differ depending on other breaches that take place.

4:20 p.m.

David Graham Liberal Laurentides—Labelle, QC

Are the financial institutions insured for cybersecurity? Is there a separate insurance for that?

4:20 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

There is cybersecurity insurance. I guess it depends upon which country you are in and the insurance that's available to you. I go through a rigorous review annually with our insurance providers to make sure that I'm maintaining a proper level of security for the organization, so that we can then take advantage of the insurance opportunities that the company provides for us.

4:20 p.m.

David Graham Liberal Laurentides—Labelle, QC

This question is more open. When you're hiring cybersecurity professionals, what level of vetting is done for these people? It's not a normal job interview, or is it? Do you do vetting to make sure they are not going to introduce vulnerabilities rather than fix them?

4:20 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

I can take that one.

We do a technical review of most...in our community. It's a small community, so we benefit from the fact that we typically know someone who has worked with these individuals before. It's a plus and a minus, a pro and a con, but we often look at references and understanding the environments that they worked in before and how that work has gone. Then we go through a technical vetting process to understand. It's usually a longer cycle, which also has its negatives, in that it takes us longer to board secure professionals in this area.

4:20 p.m.

David Graham Liberal Laurentides—Labelle, QC

We're talking, Mr. Finlay, about the need to expand the number of people in cybersecurity. We're trying to make sure that as we go into a massive expansion—as we saw in 1999 with the technology bubble—we don't introduce a whole lot of people whose intentions are not necessarily what we're looking for.

Is there an intention to make a degree in cybersecurity separate from a degree in computer science at some point?