Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Gregory Smolynec  Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle  Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster  Chief Information Security Officer, Toronto Dominion Bank

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thanks, Mr. Foster.

As you know, you generally have a 10-minute opening statement. The committee would not be upset if that were less than 10 minutes. So with that—

4:55 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

I'll do my best.

4:55 p.m.

Liberal

The Chair Liberal John McKay

It's an opportunity. Please, go ahead.

4:55 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Thank you.

My name is Glenn Foster. I'm the senior vice-president and chief information security officer of TD Bank Group. I'm responsible for TD's cybersecurity program across all of TD's activities globally.

TD is the sixth-largest bank in North America by branches and serves more than 25 million customers. We rank among the world's leading online financial services firms.

I'm here to talk to you about cybersecurity and its impact on financial services, Canadian consumers and national security. Traditional banking services have continued to become more digital. A recent CBA poll found that 76% of Canadians are using digital channels, both online and mobile, to conduct most of their banking transactions.

More than half of those polled say this is their most common banking method. This is true for TD customers as well. We have more than 12.5 million active digital customers and 7.5 million total active mobile customers. We complete 1.1 billion digital transactions per year in North America, and we have the highest digital penetration of any bank in Canada, the U.S., the U.K., and other parts of Europe.

Meanwhile, cyber-threats continue to become more sophisticated, driven by the commoditization of crime in the underground economy; the loss of top secret nation state intelligence technologies, when made available to bad actors; innovative technologies that spur advances in automation; geopolitical tensions and increased activity against global financial service participants and payment systems.

Recent economic sanctions have further increased tensions and have motivated retaliatory actions, cyberespionage campaigns, and attacks on financial services and critical infrastructure globally by nation state actors.

The proliferation of data breaches has significantly exposed consumer data and places pressure on banks' ability to authenticate customers.

This exposure of consumer data has also led to new automated attacks in which criminals leverage stolen account credentials and test them against online banking sites at a significant rate, an attack that's known as credential stuffing.

At TD, we have invested heavily in cybersecurity as one of our top priorities to ensure that we can protect our customers and live up to the high expectations of trust they place in us. We have a strong history of information sharing and collaboration with other Canadian banks through the Canadian Bankers Association, and across sectors of the Canadian economy through the newly formed Canadian Cyber Threat Exchange. We understand how critical it is to share intelligence on threat actors, and we consider it a best practice to combine our defences, as our ability to prevent, detect and contain cyber-attacks increases significantly when we work together as opposed to individually.

The effectiveness of our information sharing is limited based on current privacy laws and legal barriers. Legislative reforms allowing for safe harbour provisions for proactive protection could benefit our efforts. We support the government's creation of the Canadian Centre for Cyber Security under the Communications Security Establishment. We've been a long-time proponent of centralized authority for collaboration with the private sector.

Working with the Canadian Cyber Threat Exchange, we have established a solid structure for public-private partnerships and sharing. The critical part of the centre's mission should be not only information sharing and intelligence but also developing and implementing national strategies for cyber resiliency, preparedness and response.

The centre should be effectively resourced to engage with the private sector in establishing and measuring minimum security baselines for critical infrastructure sectors. The public and private sector would also benefit from coordinated resiliency tests and response capabilities versus systemic cyber events for critical infrastructure, which will prepare the centre to be the central point of coordination with the private sector in response to a national security threat.

It is important to note that cyber protection and safety are the responsibilities of not only financial institutions and government but also Canadian consumers.

Security practices fail when individuals do not understand their personal accountabilities and do not practise due care in their digital lives. Therefore the new national strategy is focused on educating Canadian citizens on cyber safe practices, which is vitally important to increasing their literacy with regard to risks and expectations.

The ever-increasing cybersecurity demands require a robust and highly skilled workforce. Various external benchmarks suggest an unmet demand of over one million open positions for cyber talent in North America alone.

At TD, a premier employer in Canada, our focus on talent is a top strategic pillar of our cyber program. We face increasing competition for cyber talent in Canada, and we are collaborating with academic institutions to create strategic partnerships such as the one mentioned in our announcement last year of our partnership with the cybersecurity institute of the University of New Brunswick.

We have also expanded our geographic footprint to the United States and Israel to meet talent demands. We are committed to growing the next generation of cyber talent here in Canada and encourage the federal government to accelerate the development of robust educational programs at Canadian universities to provide for the cyber workforce of tomorrow.

I am pleased to be here to discuss Canada's approach to cybersecurity, and I look forward to our discussion.

5 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Foster.

Mr. Picard, we will go with the six-minute rounds again.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Welcome, Mr. Foster.

In how many countries can we find TD bank offices or branches?

5 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

I don't know the exact number. I would have to get back to the clerk.

We're primarily a North American bank with other securities investments firms overseas.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Is the network that you use for your transactions in Canada a private network, or is it the Internet—the web in general? How is the security managed when you have access to your bank from outside Canada through your branches or offices?

5 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

We have various connection methods based on the products or the stores or branches themselves, but the majority of our transactional traffic is through our online and our mobile applications, which will be coming in over the Internet.

Those connections are based on both browsers and our proprietary mobile applications that customers very commonly put on their smart phones, and they use standard PKI-based encryption to protect those transmissions from end point to end point.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Is the information related to Canadians only for personal identification or information all in your server in Canada, or can some of that information be found or copied elsewhere in your branches in foreign countries?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

All of TD's data centres reside within Canada.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

So outsiders, i.e., TD bank outside of Canada, or any other third party talking to your server, then enters into your server in Canada in order to have access, if possible, to the information that you have.

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Yes.

For our core banking systems, there would be direct connectivity to us within our data centres in Canada. Now, TD does have external third party service providers for various banking services and customer services. Those services may reside within other countries, such as the United States.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

We cannot compare your system with other companies', of course, because it's private, but we are talking more and more about open banking. What is your take on that?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

As a security professional for a number of years, my opinion is that the integrity of any security scheme is reliant on a closed loop between the consumer of services and the service provider of the banking services. Any intermediary that's in between inherently weakens the security scheme.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

With the concept of open banking, do I understand it correctly when you say that if there will be a third party, that's a vulnerability to the system?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Do you need a unique system then?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

When it comes to authentication of credentials, a third party would inherently have to have access to those credentials for online banking. Of course, there are various models. There's the U.S. model, which is very much market driven, which allows us, as banks, to contract with these third parties and provide certain assurances over their security. The U.K. model is very much open; therefore, anyone could consume those services.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

If or when you are a victim of a hacking or an attack, do you declare this to an authority, and how long do you do it after the fact?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

I'm sorry. Could you repeat the question?

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

When you are a victim of a hacking aggression, do you declare that to an authority somewhere—to the government—and how long after the fact do you declare that?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Our primary regulator, which is OSFI, provides very prescriptive guidance on reporting requirements. The requirement is 72 hours, based on a described severity scale.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

I had six minutes.

5:05 p.m.

Liberal

The Chair Liberal John McKay

You have a couple of minutes left.