Public Safety Committee on April 3rd, 2019

[Inaudible--Editor] usually gets passwords or password reuse. It's commonly obtained through various breaches at less sophisticated companies.

We obviously can look at additional ways to educate customers and consumers along the way.

It would be to have more academic institutions offering cyber-related programs, and that goes to your point on different depths. Some are on basic security operations, as offered by local colleges, or basics of cybersecurity and networking. You could talk about the ethical hackers or the white hats that we talked about before. Moreover, there's the far more technical level of security that we commonly refer to as “application security”. That would be beneficial.

If you look at the number of schools that offer these types of programs, you see that although we have some leading programs within Canada, they're not as broad as they need to be, and the number of students going in there is not what we need it to be.

I see talent, over the next decade, as probably being the number one crisis within large institutions in how we're going to meet the growing cyber-threat.

Yes, we do.

On the first part of that question of whether we share information with each other, yes, there is a threat-intelligence working group under the CBA cybersecurity specialty group, which all the banks and CSE attend and provide updates to as well, which we find very helpful.

We share indicators of compromise. These are technical indicators on the types of threats and bad actors that we see and how to identify them. We find there's a great strength in doing that. We know that adversaries, criminals, share very broadly in the dark web and in other chatter about vulnerabilities they find in institutions and banks. I think likewise, we should take advantage of that.

On your second question of whether we see vulnerabilities that occur in the customer's home, no, we do not. Typically all we see is the transaction as it comes into our servers.

Where I sit organizationally, I report to the head of enterprise operational excellence, who reports to our group head, who reports directly to our CEO. My group has a head of innovation technology and shared services at TD Bank.

We felt that for strong governance, it was important to separate the CISO role from the technology organization, both for objectivity and as a reflection that cyber is really a business risk, not a technology risk.

We find that business engagement, in terms of process and products and how we engage our customers, is paramount to the success of our cybersecurity program.

As far as your other question is concerned, I had a bit of difficulty understanding whether you were talking about a percentage of spending or caps on spending.

I think there is variability among banks, partly because we're not necessarily all organized exactly the same way. If you look at any information security organizations, it's the 80-20 rule: 80% of us have the same things in our organization, and 20% may be federated or decentralized in other areas. It's very difficult to track apples to oranges.

At TD bank, cyber is the top risk. Getting budgets is not a problem for me. We have top executive support, we have board support, for the program. Any constraint I face would probably be in the form of two things.

First is the amount of change the organization can go through in a given year. This is a fast evolving space. My spend has been growing at a compound annual growth rate of about 35% to 40% year over year. That's a lot of change to try to push into the organization.

Second is the availability of commercial products. The explosion, as I would call it, of security products within the industry is a lot to weed through to decide what's more hype than legitimate protection. I would find that for the most advanced organizations—we talked about big data and AI—the most uplift in the coming years would be in investments in our own skills and our people with data science and to be able to solve the problems of our bespoke applications as opposed to the general use vendors.