Good afternoon.
My name is Justin Ferrabee. I'm the Chief Operating Officer of Payments Canada.
Thank you for inviting Payments Canada to contribute to the study.
Let me begin by reassuring the committee that security is Payments Canada's highest priority in all we do. It commands focus, resources and investment, above all other needs. This means that we design, review, modify, update and operate our systems as we monitor risks. We see security as a prerequisite for innovation in the payment space. We remain in a constant state of vigilance and respond decisively, as required, to ensure that we manage risk appropriately and that we remain secure.
Over the next few minutes, I'll share who we are and what we do, our collaborative approach to cybersecurity, and our recommendations for reducing the risk in the financial sector.
Payments Canada operates Canada's national clearing and settlement systems. While Payments Canada is a little-known entity to most Canadians, it plays an essential role in the economy and in the day-to-day operations of financial institutions and businesses across the country. Payments Canada's systems ensure that payments between financial institutions—the aggregation of all payments made in the economy—are safely and securely completed each and every day. The value transferred is over $50 trillion annually.
We are guided by our mandate and the public policy objectives of safety, security and efficiency of the Canadian clearing and settlement system. In consultation with members and stakeholders, we also maintain a framework of rules and standards that mitigate risk and facilitate the exchange of payments and the deployment of emerging payment products and services.
Given that cyber-threats evolve rapidly, Payments Canada is continually raising its defences. We have a cybersecurity action plan based on secure design principles and industry standards. The plan ensures that we are constantly watching for and closing gaps to maintain the resiliency of our operations.
Payments Canada operates within a network of financial institutions, regulators and other financial market infrastructures. We are held to the highest global security standards, including “Guidance on Cyber Resilience for Financial Market Infrastructures” from the Bank for International Settlements, the SWIFT customer security program, and the NIST cybersecurity framework.
We also work closely with the Bank of Canada to ensure that we meet the requirements for mitigating cyber-threats through internal and external assessments. Outside of these requirements, we establish rules and standards around the security of payment items and the connectivity of systems, to which our members must adhere.
From a wider, collaborative industry perspective, we work very closely with partners in the financial sector through cybersecurity industry groups such as the Canadian Financial Services Cybersecurity Governance Council, the Canadian Bankers Association cybersecurity specialist group, and the Financial Services Information Sharing and Analysis Center.
We also participate in and lead industry exercises for business continuity and cyber-resilience and share intelligence with partner agencies and organizations in the cyber community. These connections include the Canadian Centre for Cyber Security, Public Safety's critical infrastructure protection branch, RCMP's national critical infrastructure team, and the Canadian Cyber Threat Exchange. Further to these collaborations, we are actively engaged in the international cyber-risk community with our partners at the Bank of Canada.
Through all of these activities, we continually rank and benchmark ourselves internationally, and we are consistently in the top 1% of the global industry for safety and security.
Working closely with our financial institution members, the Bank of Canada and the Department of Finance, we are currently undertaking a major program to modernize Canada's payment systems to meet the growing demand for secure and innovative new payments products. Modernization will result in new payment infrastructure designed to strengthen the payment system.
Through our diligence and movement toward modern payment systems, we have identified gaps that exist outside our realm, which this study may be able to influence. There is a clear need for public-private coordination in responding to attacks against critical infrastructure and, with that, a single, clear point of contact in the public sector. These improvements will help us better share information, in a protected fashion, and help us manage and prevent future attacks. The release of the national cybersecurity strategy in 2018 and the recent developments with the Canadian Centre for Cyber Security will help in this area.
At the same time, the recovery of systemic cyber systems must be prioritized in the event of a widespread disruption. Policy that extends cybersecurity requirements to the supply chain of critical systems would help to improve the resilience of dependent components to the national infrastructure and the financial system as a whole.
Investments in policies and cybersecurity can also support digital supply chain risk. The modern supply chain often includes hundreds, or thousands, of software components that are embedded in critical systems sourced from companies and communities all around the world. It is a significant task to track and inventory all the ingredients of a system and make sure that those ingredients remain safe.
In the food safety world, we have labelling standards that inform customers about product ingredients and nutritional facts, but in the software world, we have no labelling standard to help consumers understand what components and what risks might exist within the software. Policy to support digital supply chain risk is necessary, and system labelling of software components should be studied for its benefits to the economy.
We also feel strongly that more could be done to address the cybersecurity skills shortage. There is already a gap in capable people and, given the increasing severity of threats, there is a need for policies and strategies to develop, attract and retain skilled workers. This would ensure that Canadian companies are able to safely grow and innovate as they expand their use of digital technologies.
Finally, we see a need to equip Canadians with the knowledge and awareness of good cyber hygiene to protect their personal and financial information online. For instance, right now millions of Canadians are seeking technologies and financial applications that mimic the services of open banking. In seeking such services, they aggregate account information across multiple platforms and thereby expose themselves to cyber-threats.
Payments Canada was pleased to see that several of these issues, and commitments to address them, were included in the 2019 federal budget, but we know that cyber-threats are not going away. They are evolving just as quickly as, if not faster than, digitization and modernization across all industries. We must work together to build resilience in the face of these threats in a way that ensures that we do not hinder the pace of innovation.
While every organization has the responsibility to protect itself from cyber-attacks, doing so as a collective or a network is much more effective. Cybersecurity is an issue that affects the Canadian economy and our national security as a whole. Payments Canada is eager to contribute and support a network defence strategy.
Thank you.