Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce

Issue No. 27 - Evidence - October 26, 2017


OTTAWA, Thursday, October 26, 2017

The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:35 a.m. in public, to study and report on issues and concerns pertaining to cyber security and cyber fraud; and in camera, for the consideration of a draft agenda (future business).

Senator David Tkachuk (Chair) in the chair.

[English]

The Chair: Welcome to our invited guests and members of the general public who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here or listening via the web.

My name is David Tkachuk, and I’m the chair of this committee. Today is our fourth meeting studying issues and concerns pertaining to cybersecurity and cyberfraud, including cyber-threats to Canada’s financial and commercial sector. In the second portion of our meeting, we will have a brief in camera discussion regarding future business.

I’m pleased to welcome, from the Canadian Bankers Association, Darren Hannah, Vice President, Finance, Risk and Prudential Policy; Andrew Ross, Director, Payments and Cyber Security; and Sandy Stephens, Assistant General Counsel. Thank you for joining us today. After your opening statement, we will have our usual question and answer session. Please proceed.

Andrew Ross, Director, Payments and Cyber Security, Canadian Bankers Association: Good morning. I would like to thank the committee for the opportunity to speak with you today about cybersecurity and cyberfraud. As coincidence may have it, October is Cyber Security Awareness Month, so the committee’s hearings are timely.

The CBA is the voice of more than 60 domestic and foreign banks that help drive Canada’s economic growth and prosperity. The CBA advocates for public policies that contribute to a sound, thriving banking system to ensure Canadians can succeed in their financial goals.

Banks in Canada are leaders in cybersecurity and have invested heavily to protect the financial system and the personal information of their customers from cyber-threats. Despite the growing number of attempts, banks have an excellent record of protecting their systems from these threats. Banks take seriously the trust that has been placed in them by Canadians to keep their money safe and to protect their personal and financial information.

Canadians have come to expect greater convenience when using and accessing financial services, and banks have invested heavily to provide Canadians faster and more convenient ways to do their banking. Now, consumers can bank anytime from virtually anywhere in the world through online banking and mobile apps providing real-time access to their financial information. Today, 72 per cent of Canadians primarily do their banking online or via their mobile device. That’s up from 52 per cent just four years ago.

As more banking and other transactions are done electronically, networks and systems are becoming increasingly interconnected. This requires banks, government and other sectors to work together to ensure Canada’s cybersecurity framework is strong and able to adapt to the digital economy.

As the committee is well aware, the Department of Public Safety is currently leading a review of Canada’s cybersecurity strategy. The CBA has been an active participant in those consultations, and we would like to outline for the committee many of the recommendations we have already submitted to the government.

The Canadian cybersecurity framework would benefit from having one lead agency within the federal government to deal with cyber-threats. Within the current cybersecurity landscape, there are many federal government departments and agencies that have oversight of different critical infrastructure sectors. An opportunity exists to integrate all of these government cyberactivities across critical infrastructure sectors into one single government agency. This would improve Canada’s resilience by developing common standards, enhancing coordination for intelligent sharing across sectors and with law enforcement, and providing a single point of interaction for consumers and businesses to report cyber-related incidents and cybercrime.

The delivery of financial services relies on other sectors, such as telecommunications and electricity. Canadians need to be assured that all critical infrastructure sectors are protecting them from cyber-threats. Therefore, we encourage the government to create a consistent set of standards and rules for all critical infrastructure sectors. Consistent standards will provide stronger oversight and greater comfort to those using and relying on these services.

The telecommunications sector is the conduit through which electronic data flows. Identifying and blocking malicious traffic and sharing that information across sectors would benefit consumers and businesses, including banks. Once a cyber-threat is identified, allowing telecommunications providers to block known malicious traffic can help stop further transmission of bad data. Blocking bad data would significantly reduce the volume of malicious e-mails that target those most vulnerable, such as consumers and small businesses. This would also limit the spread of viruses, botnets and other forms of malicious software that target corporations and governments. It is our understanding that legislative changes are needed to allow telecommunications providers to proactively block bad traffic, and we encourage the government to study legislative options for making this possible.

Canadian banks and other businesses are also customers of telecommunications companies. Enabling those companies to share threat information with relevant customers would help improve cyber-resiliency. The converse is also true. The financial sector has invested heavily in robust cyber-resilience capabilities to identify malicious data on its systems. Sharing this information with telecommunications companies and allowing them to block malicious end points would stop traffic from spreading to other businesses and consumers. Accordingly, any legislative changes should enable this two-way sharing of information.

The benefits of sharing threat information extend beyond the financial and telecommunications sectors to other sectors, government and law enforcement. Rapid intelligent sharing of threats is a highly effective means of minimizing the impact of cyber-threats. In order to achieve timely sharing between the private sector and government agencies, improved sharing protocols and control integration is required. We support initiatives such as the Canadian Cyber Threat Exchange, which promotes the exchange of cybersecurity information and best practices between government and businesses.

While we support greater information sharing, we recognize that security and privacy go hand in hand. The Personal Information Protection and Electronic Documents Act, or PIPEDA, balances the privacy rights of individuals with the needs of organizations to collect, use and disclose personal information in the course of carrying out their business. However, recent amendments to PIPEDA impede the ability of organizations to share personal data to detect, prevent and suppress cybercrime. Banks fully support and adhere to PIPEDA; however, a mechanism to share information about cyber-criminals will be necessary to improve Canada’s cyber-resilience.

Similar to initiatives to improve financial literacy, we also recommend the development of a national cyberliteracy program. Cyber-criminals often target ordinary citizens; thus, greater cyberawareness is needed to reduce the number of victims. A national cyberliteracy program that educates and helps protect consumers would help to deal with current and future threats.

Today, there is a global shortage of cybersecurity personnel. A talent pool to address the demand is required, both now and for the future. Building Canada’s talent pool requires improved educational options for careers in cybersecurity, retraining options for the existing workforce, mature career development management practices and creative cross-pollination with high-demand disciplines that are closely linked to cybersecurity. We believe Canada has an enormous opportunity to leverage our strong education systems and to retrain our highly educated workforce to fill that gap.

As the financial sector undergoes tremendous change driven by technology, new entrants are able to deliver financial services digitally, fuelling competition. Of course, increased competition has a positive impact in the marketplace, accelerating innovation and increasing choice for Canadians. Throughout this change, protecting consumers’ security and privacy while ensuring the safety, soundness and stability of the overall financial system in Canada remains paramount.

Most new technology-based financial services firms are less regulated than established financial institutions, and many are largely unregulated. This makes it difficult to assess the cyber-resilience of these firms. Some may have the same risk controls as banks; however, most will not possess the same depth of experience in defending and protecting data in the rapidly evolving digital threat environment. Further, the connected nature of financial services means that this growing list of market participants has the ability to spread cybercontagion throughout the sector. As a result, cyber-resilience needs to be a central consideration for policymakers when defining the future framework for financial services.

In conclusion, I want to reiterate that cybersecurity is a priority for Canada’s banks. They continue to collaborate and invest to protect Canadians’ personal and financial information. Banks support the government’s work to protect Canadians while promoting innovation and competition. However, the industry recognizes that threats and challenges are constantly evolving. We want to work more collaboratively with the government and other sectors. In order to achieve that objective, we encourage the federal government to finalize and implement its renewed cybersecurity strategy to protect Canadians and improve Canada’s cyber-resilience.

Thank you very much for your time, and I look forward to your questions.

The Chair: Thank you. We will begin questions.

[Translation]

Senator Boisvenu: Welcome to our witnesses. Thank you for your excellent presentation, Mr. Ross. I have a few questions for you. First, have you prepared an inventory or done research on the origins of cyberattacks against the financial sector in Canada? Are some of these attacks related to terrorist organizations?

[English]

Mr. Ross: It’s safe to say that in many cases, origins are tracked, but it’s also true to recognize that this is a global phenomenon; it’s a borderless issue. As much as we may have some of that information, looking at nation states or particular sectors or countries actually does not necessarily address the full picture of ensuring resilience for the country.

[Translation]

Senator Boisvenu: There are two components in the financial sector: the portfolio administrators and those who invest their savings. Are these cyberattacks putting those savings at risk at this time? If there are no investors in the financial sector, there will be no sector as such. Is the security barrier between the administrators and the investors relatively secure, or are there risks for the investors?

[English]

Mr. Ross: First, let me assure you that banks treat cybersecurity as vitally important. Trust is paramount to everything banks do. The banks have invested heavily to ensure the cyber-resilience of their systems.

So the direct answer to your question is that Canadians’ money is safe in Canadian banks.

[Translation]

Senator Boisvenu: When I read your brief, Mr. Ross, I got the impression that the Canadian system was relatively behind with regard to the management of cybersecurity. Is this a global phenomenon, or is Canada currently lagging behind other countries?

[English]

Mr. Ross: You recognize this is a worldwide phenomenon. It’s also safe to say that the threat continues to evolve. Canada and other countries must evolve with it.

It is fair to say that other countries have developed and started to implement revised strategies, which is why we are encouraging the Canadian government to act quickly to implement the strategy being contemplated today.

Senator Moncion: I have a few questions, but they are all related. First, explain how you work with other financial institutions to avoid the spreading of attacks. How many attacks do you get a day? What are the losses incurred year over year? What has happened over the years? Because I think it started very high and I think it is going down. And how does the Equifax breach affect your members?

Mr. Ross: First, as it relates to collaboration, the banks in Canada work very closely among themselves and across other sectors, including law enforcement and government. The banks are involved in things like the cyber-threat exchange and CCIRC. We have great relationships with law enforcement and other agencies. From that perspective, I believe, and I think you have heard in some of the hearings you have had up to now, that the financial sector takes a leadership position as it relates to cybersecurity.

In terms of numbers and data, I would say that Canada continues to protect the assets of Canadians, although we always hear the bad things in the news. It’s safe to say that obviously the digital economy has also created enormous opportunity, so we are seeing more volume going through digital channels than we would have before. We need to keep in mind not just the raw numbers but how those numbers equate to the opportunities that have presented themselves.

Sandy Stephens, Assistant General Counsel, Canadian Bankers Association: Banks obviously want to mitigate any harm that could come to their customers, so they would work with third parties to ensure that if they are able to help mitigate the harm to their customers, that they are able to do so. In this instance, credit card numbers have been provided to the banks by the networks, and they will monitor those credit cards for any unusual transaction. If they see any unusual activity, they will take appropriate steps, which could include notifying their customers.

Senator Moncion: How did Equifax affect your business?

Ms. Stephens: With regard to their breach, I know that Equifax did notify the impacted customers directly. I can’t speak to the banks’ interactions with Equifax as far as their business relationship.

Senator Moncion: What would be your concern, or are you concerned about that breach? Equifax is used by all financial institutions.

Ms. Stephens: Absolutely. Our banks will be looking into this matter and ensuring that services that they use and their customers’ information is protected.

Mr. Ross: If I can add to that, our recommendations point a lot to resilience. Obviously any breach, regardless of size, is an issue. It impacts customers and businesses. It’s not good for anyone. What we are advocating for is continuing to get in front of it and ensuring that Canadians are protected so that we do not have those types of breaches.

The Chair: When the information from Equifax was breached, did that information include not only the names of individuals but perhaps other matters that a credit agency would ask? Would it have included the customer, as in my case, the Royal Bank or Bank of Montreal? Would it have included all that information?

Darren Hannah, Vice President, Finance, Risk and Prudential Policy, Canadian Bankers Association: Just to be clear, senator, at this stage, only Equifax knows the extent of what the breach was. To get a precise answer to that question, you ultimately have to ask Equifax.

Are banks diligent about this? Absolutely. At the end of the day, a number of these people may well be bank clients. We want to be sure that our clients are properly protected.

The Chair: Would it not be the responsibility of Equifax to get ahold of the banks as soon as this happened to let them know that perhaps their customers have been jeopardized?

Mr. Hannah: We certainly have encouraged Equifax to be as forthcoming as they can. Certainly there has been dialogue. At the end of the day, I think your question was what specific information was potentially compromised. It’s a question that has to be addressed by Equifax. They are the only ones who can answer that question with certainty.

The Chair: I’m surprised they would not have provided that to their customers, their banks. If a bank is their customer, should they not have provided that information and said, “Look, we have a problem; 10,000 of your customers’ data have been jeopardized”? Would that not have been provided almost immediately?

Ms. Stephens: Equifax has been in dialogue with their customers and with the banks.

Senator Moncion: The bank is the customer of Equifax, not your customers. You are using the service so that you can get information on your customers, so the responsibility lies with the financial institution. If the breach comes, you’re responsible at the end of the day for the information that is provided by you to Equifax. I find the answer a little bit awkward. You’re saying that Equifax will get in touch with your customers, when you are the customer of Equifax, not me as a bank customer.

Ms. Stephens: I think that Equifax will have products that are direct to a consumer as well, but definitely banks work with third parties to mitigate the risk to their customers, so if there is a way that banks can manage to help mitigate a risk, but the actual breach was with Equifax and they have notified those customers. They have the data that would allow them to assess that risk and notify the impacted consumers.

Senator Unger: Thank you for your presentation. Speaking of a breach, a week ago researchers at a university in Belgium announced that they had discovered a way to completely defeat the encryption on Wi-Fi networks. It’s alarming, but the response from government agencies and the media has been quite muted about this issue. I’m assuming that you’re aware of it.

Mr. Ross: We are certainly aware of it. We hear stories of these types of things all the time. One of the benefits of researchers is obviously to identify where there may be gaps or issues prior to malicious actors identifying them. That’s something that banks obviously are informed of. It is expected that providers would also be informed of that and that remediation plans would be put in place and that those who use those types of systems would in fact patch those systems to ensure that no one is affected.

Mr. Hannah: Senator, if I can build on what my colleague has said, in some respects, what you’re saying points to why we made the recommendations we have made. Ultimately, cybersecurity has to be a layered approach. There has to be information sharing to try to build resilience; there has to be traffic monitoring to reduce the amount of malicious traffic that filters through; there has to then be education awareness so that I know, as a consumer or as an individual, what to look for. Ultimately, it has to be a multilayered approach because at the end of the day the threat evolves all the time. The intent is to have multiple layers so there is awareness, there is prevention and there is greater capacity to respond.

Senator Unger: This breach is specifically known as Krack. It has discovered a way to completely defeat the encryption that WPA2 provides on Wi-Fi networks. It affects all modern Wi-Fi equipment for mobile phones, tablets and work stations, routers, printers and the usual things.

My question is specific to Krack. Have you found a way to notify your clients? This issue is not really being talked about. It’s only coming from sort of top levels, although there is a large article that was released by the National Post in a specific article. They talk about “it could be about to hit the Wi-Fi fan.” Specifically, with regard to Krack, have you done anything to alert clients of banks?

Mr. Hannah: The challenge with something of that nature, senator, is that it goes beyond banking. Then you are getting into the question of how secure is my personal situation at home and all the things I do over top of it. On an institutional issue, that becomes more of a national issue at that point in time. Awareness raising has to go beyond anything that would be related to banking if you are talking about something that is more generic in its threat from a customer and citizen point of view.

Senator Unger: One last question on your concern about PIPEDA: You said that recent amendments to PIPEDA impede the ability of organizations to share personal information. That kind of speaks to what I have been asking about. What are your concerns?

Mr. Ross: A while back, PIPEDA made changes to eliminate what was called an investigative body and replaced it with rules that still allow for fraudulent data to be shared. However, it doesn’t allow the sharing of intelligence. If you see anomalies or things that look odd but may not be confirmed fraud, those are the activities that aren’t allowed to be shared as a result of the changes. We are suggesting that we need the ability to share some of that intelligence so that, as a collective, we may start to see patterns and threats evolve and grow. Then we can actually put a remediation plan in place to avoid the impacts of that.

Ms. Stephens: In the changes where the investigative body was removed, they added two new exceptions for consent to allow for sharing. One of them is in order to prevent fraud, but it’s only related to fraud, and I think there are many other areas where there would be a benefit of sharing to prevent criminal offences other than fraud and along those lines with cyber as well.

Senator Massicotte: Give me a sense of the big picture. All of us are using Canadian banks. We rely on Canadian banks. All we have is a statement or reading off your iPad of maybe the sums we have either lent or in deposit with you. It’s all electronic; it’s all in the air. Sometimes when we wake up in the night, there’s the feeling that it could disappear and how could you prove what you had before? What is the risk of someone hacking into your accounts and some of that money disappearing, on a risk of 100 per cent? You seem very sure. Is it 99.99 per cent certain that we shouldn’t worry about that risk?

Mr. Ross: It’s difficult to put a number on it, to be fair, because the risk continues to evolve. What I can share with you is that trust is paramount to what banking is. Without trust, banks would struggle to exist. Canadians losing that trust would —

Senator Massicotte: I understand that. You may lose our trust, but if you lose my money it’s even more serious.

Mr. Ross: Absolutely. Canadians are protected. If they lose money or are defrauded of their money through a cyberattack, they are protected. The banks have I believe what we refer to as zero liability. If there are any losses that a consumer or business undertakes as a result of fraudulent events, the banks make them whole.

Senator Massicotte: You will automatically put the cash back? There is no argument and no need to hire a lawyer; it is 100 per cent guaranteed?

Mr. Ross: The banks will keep them whole.

Senator Massicotte: Let me tell you about my frustration. Look at the credit bureaus. In this case, there has been a hack, and they left with a lot of information, including names and social insurance numbers. If one of the banks had your balance sheet, they would have that. All of that could be public. It really bugs me to think that these companies get this information with the presumption that they will take the same measures you do relative to your clients and we find ourselves having trust in people who disappoint us and the information is out there. I think 10,000 Canadians have been violated to that degree. While I’m a little bit pissed off at them, I must admit, where did they get that information? They got it from you.

The Chair: Strike that last sentence there. He’s upset.

Senator Massicotte: It does get me upset. What gets me more upset is the information came largely from you, or from Wal-Mart or whatever, because most of you have relationships with these firms and use them significantly. While I’m upset at them, I could be upset at you and I probably should be upset at you because you did not take the measures or assurance to make sure they had adequate safeguards to make sure you never lost that information. You gave that personal information to them and now it’s in the public domain. How do you deal with that? How do you regain my trust?

Mr. Ross: First, senators, let me say I’ve heard worse language than the language that was struck.

Having said that, it goes back to our recommendations. We believe there needs to be consistent standards and we need to be building off of resilience, not reaction. We need to avoid these threats and avoid these issues before they become issues. We need to have consistent standards and oversight to ensure and give Canadians a comfort that their data is being protected throughout the ecosystem. The ecosystem continues to evolve and grow through competition and innovation. Foundational to all of this, we need to make sure those standards are consistent.

Senator Massicotte: I appreciate that, but before you shared my information with these industries, did you take any measures to make sure they had adequate safeguards in place? If that is the case, why did it take six or nine months for it to become public after it occurred?

Mr. Ross: Banks, as part of their risk management and any relationships with third parties, do ensure that there are security standards and safeguards in place. I can’t speak about Equifax specifically; nor can I speak, quite frankly, to what is happening today in that we are seeing a lot of non-banks and suppliers that don’t have a relationship with the banks and are still getting that information. As a customer, I can sign up to a third party and allow banking information to flow to that third party without the banks being aware of that. As much as we can protect — and we have plans in place and we do review the security of the parties that we partner with — there is a big gap, and the gap is growing of those third parties that we don’t have relationships with and don’t have any oversight of.

Senator Massicotte: I appreciate that, but most of the information they had is confidential, personal information — balance sheets and so on. I suspect most of us don’t give that information to anybody other than our bank. To accept that they had that information means it came from one of your bank members. You do an internal audit and measure your risks, but obviously you made a mistake. Maybe I should have the right to sue you because of the damage you caused because you did not do your homework.

Ms. Stephens: You’re right, but the system is important. In order for people to be able to obtain credit and have a system where you can underwrite credit is important. To Mr. Ross’ point, there are contractual obligations for having sufficient security safeguards for this type of data.

Again, this is an Equifax issue. It’s probably best to address some of these questions to Equifax.

Senator Wetston: I’m interested in the papers you have written on cybersecurity. One that I took a quick look at was your 2014 report entitled Cyber Security: Protecting the Resilience of Canada’s Financial System, and I have your CBA response to Public Safety Canada as well. Just looking at your presentation today, it’s very consistent with the approach obviously. I wouldn’t suggest otherwise.

I’m trying to understand, because the banks are integrated institutions. I asked this question of the previous witness somewhat differently, but the transfer of risk, particularly on a systemic level, can occur without a cybersecurity attack. It’s not all potentially as a result of cybersecurity. The financial crisis we had 10 years ago was not as a result of cybersecurity issues. I think you would probably agree with me there. It was probably as a result of greed and other such factors, poor behaviour on the part of industry. You might agree with me there, or not.

The point I’m trying to get at here, you talk a little bit about the future framework for financial services, and there is the good and the bad of security of technology, the benefits that we get and the harms that it can create. We understand that cybersecurity threats are probably one of the harms that flow from innovation and technology advancement.

When I look at your sector, the banking sector, it wouldn’t surprise you that most of the banks are also in the capital markets as well on the banking side. Much of your focus has been on the banking side. Can you tell me what you are doing on the capital market side to deal with cybersecurity threats? Are they the same? Are they different?

I know all the banks have spent I think billions of dollars on cybersecurity collectively in Canada to deal with these threats and the processes you need to put in place to address these attacks. I’m sure you’ve done a lot of that. Can you help me with the scenario that banks are more than just banks in the traditional sense and are regulated by OSFI?

Mr. Hannah: Absolutely. At the end of the day, from a bank financial group perspective, you are dealing with these issues at a group level and trying to leverage the infrastructure and the expertise you have across the group, whether that be a touch point on the wealth management side, the banking side, the insurance side or mutual funds.

My interaction with the client is often multifaceted, so I have an interest in making sure that client is protected across vectors. I want to try to make sure that I don’t have any vulnerable points in there that can create the issue that you’re talking about. When you are looking at an issue like that from a financial services perspective, from a bank perspective, if I have multiple lines of business, I have to protect multiple lines of business.

Senator Wetston: The reason I was getting at that is there is a very large amount of business outside of the regulatory sphere of OSFI. I know that OSFI has — what do you call the guide here? There is a guide they put out. Help me with this, although I’ll be searching for it. Do they have a guide that they produced on cybersecurity?

Mr. Ross: Self-assessment questionnaire, yes.

Senator Wetston: Yes. Is it a guide or questionnaire?

Mr. Ross: It’s a questionnaire that OSFI uses to measure the financial institutions for which they regulate for their cyber-resilience.

Senator Wetston: In that regard, do the banks provide the data on breaches to OSFI so they have a better understanding of the threats to the system, including any systemic risks that might be included? I asked this question last week and I couldn’t get an answer. I’m going to keep trying, perhaps when OSFI appears, chair.

Mr. Ross: Certainly as part of the questionnaire, banks do provide information to OSFI based on the guidelines that are in that. I don’t recall, I’ll be honest, if there are facts and figures, but certainly there are a number of components of cyber-resilience included in that questionnaire.

Senator Wetston: I will ask you to see if you have any data on that and provide it to the clerk of the committee, if possible. I’m interested to try and understand the magnitude of threats. Maybe each individual institution has to answer that question, or OSFI, but it would be helpful if you could provide that.

I see where financial services is going, and you may agree or disagree with me here. My sense is that some of the financial services that are being provided could be less threatened by cyberthreats than the traditional banking and financial market system. If we start with cybersecurity, generally speaking, and we think about fintech, cryptocurrencies and blockchain technology — and I know you’re talking about large value transfer systems that could also be threatened through the clearing and settlement process, which is also potentially threatened by a cybersecurity attack.

As the technology continues to evolve, the challenges are there. Do you see greater threats in these areas to investors, consumers and the public generally or less so as a result of these technologies developing?

Mr. Ross: I don’t know whether the answer is increased threats. I think when you have more suppliers that are not regulated, you just don’t have that information. You don’t have that level of trust that these entities have the resilience that a financial institution has built.

Now, I’m not suggesting that a fintech would require the same magnitude of resilience and regulation, but it’s risk-based and today there’s fundamentally none for players not regulated. What we are suggesting through a number of consultations is, as it relates to cybersecurity, there at least needs to be a minimum standard based on the risk that any participant has or brings to the ecosystem.

Senator Ringuette: I’m hearing you talk about a multi-layered approach, being proactive and that Canadians are being protected against fraud. There are bank guarantees.

However, as with previous colleagues, I question with regard to Equifax. You are not acknowledging your responsibility toward your clients in regard to a multi-layered approach and to being proactive in protecting their information and this bank guarantee that you keep talking about. As yet, we have not been able to get the banks to acknowledge their responsibility and to be proactive in a specific event with regard to Equifax. That’s a comment. It’s not a question because I know you’re not going to provide us with the detailed process that you are going through with regard to Equifax and your clients.

That being said, last week I read an article that TD Bank was moving its data processing to India. You are here today saying:

Banks support the government’s work to protect Canadians while promoting innovation and competition. We encourage the federal government to finalize and implement its renewed cybersecurity strategy to protect Canadians and improve.

What are the specific steps that you take when you decide to take a banking customer’s data and move it outside of the Canadian jurisdiction? That in itself is a major concern to me as a Canadian consumer who takes their financial services to a bank.

You’re here in front of us saying, “Well, it’s not our fault. Equifax has to deal with their own issue.” You don’t seem to acknowledge any kind of responsibility or proactive process, on the one hand, and then you have one of your major associate members that is taking its banking data, which is all of its customers, outside of the country. What is the process? Even though we have Canadian legislation, the data is not within our geographic territory. What are the steps that you are taking to make sure that Canadian banking data that is outside of our jurisdiction is protected? Where is your guarantee?

Mr. Ross: First, Canadian banks are regulated based on Canadian regulations and Canadian law.

Second, it’s safe to say that regardless of where data is housed, whether it’s down the street or around the world, it’s still travelling through systems and telecommunication lines. At the end of the day, regardless of whether it’s down the street or around the world, there are the same protections that Canadian banks put on that communication regardless.

When I talked about a measured approach, all of Canada’s data is going somewhere else. Data is segregated based on the activities of employees, again, regardless of where they reside and work. As a result, only the data that is required for them to do their duties would be available to them. It’s all monitored and audited. There is a multilevel approach. Banks take cybersecurity extremely seriously. The reality is the threat is the same threat whether it’s piping information to a different country or down the street.

Ms. Stephens: I just don’t want to leave the misrepresentation that our banks aren’t keenly aware of the Equifax breach. It’s a top priority for them to mitigate any risks to their customers.

Also, further to Mr. Ross’ comments, under PIPEDA, it’s clear that there is an accountability principle. The accountability is with, in this case, the bank. There is no way for that to be changed. Whether it’s with vendors, onshore or offshore, that accountability stays with the bank, and there is a layered process, due diligence, on-site reviews and contractual protections. There is a layered, risk-management approach to selecting and monitoring a vendor to ensure compliance with the rules we have and to protect against cyber risks, et cetera.

Senator Ringuette: Ms. Stephens, you are repeating the same thing right now; you take every measure, you’re being proactive and so forth. You have not proven that to me in regard to Equifax. Why should I believe and trust banking data from TD Bank residing in India? Why should I trust banking information in regards to Visa or Mastercard that resides in the U.S.? Even though we would legislate, at the end of the day, for anything that’s outside of Canada, we have no jurisdiction. We can’t implement laws that would be applicable in the U.S. or in India.

I appreciate the spin that you’re providing this morning, but I also have to indicate to you that it is not very reassuring. There is the Equifax breach. A good portion of that information was most likely provided to that entity by a banking institution. At the end of the day, it’s not the banks that are the victims, and it’s not Equifax that is the victim. It’s the 10,000 Canadians who are the victims.

Mr. Hannah: You have put your finger on something, and I want to pick up on it because I think in some respects it answers the question. Banking is a trust-based business. I will put my funds only with an institution that I trust. I trust they will take care of it. If I lose that trust as an institution, then my business will migrate to somewhere else. If you are a bank, you have every incentive to take as much care as possible because it is a trust-based business, and we recognize that. That’s ultimately the driving force beyond anything else. It’s that trust basis that you know is at the heart of your franchise.

[Translation]

Senator Maltais: Thank you for your testimony. I have two short questions. Senator Ringuette asked you a question, but I’m not sure I understood your answer.

Senator Ringuette: There wasn’t any.

Senator Maltais: Is the cybersecurity of banks equally secure in all of the bank branches and their subsidiaries throughout the world? If, for instance, Scotiabank has a branch in Cuba, do you ensure its cybersecurity there?

[English]

Mr. Ross: The answer is yes. As Mr. Hannah mentioned earlier, banks look at this holistically. They look at their entire operation. Regardless of where these institutions reside, they do typically take an organizational approach. The same regulations, law or care that they take protecting their data for Canadians is the same protections that they would use regardless of where their data is stored.

[Translation]

Senator Maltais: Thank you. On page 2 of your brief, you refer to a lead federal organization, consistent standards for critical infrastructure sectors, and the blocking and sharing of malicious data communications. Do you share your information with the security systems of financial institutions that are not covered by the government Bank Act, such as for instance credit unions, caisses populaires, et cetera? Do you share information with them?

[English]

Mr. Ross: No personal information is shared. We do share intelligence. We do share through a number of avenues. One is obviously through the CBA where, in fact, as it relates to cybersecurity, we have invited and we include some non-members, including credit unions, TMX and others, to share intelligence. We also share that intelligence through the Canadian Cyber Threat Exchange, which was set up last year, and we also deal quite closely with CCIRC, an arm of Public Safety.

Within the financial services industry, we do a good job of sharing intelligence. Where there would be benefit is expanding that knowledge to other infrastructures and other critical sectors so that our knowledge can be shared with them and vice versa.

[Translation]

Senator Maltais: Do you work in cooperation with Canadian insurance companies?

[English]

Mr. Ross: We have some insurers at the table, and certainly a lot of financial institutions are also insurers. Again, taking that organizational view, by default, yes, they are part of that.

Certainly we continue to encourage Canadian organizations to get involved in CCIRC and CCTX and some of the structures that have been put in place. We would like to obviously see more. CCTX is relatively new. The banking industry was one of the driving forces in creating that entity.

Mr. Hannah: To build on what Mr. Ross has said and tie it back to the recommendations we have made, this is exactly why we think there would be value in having a lead coordinating agency creating common standards across critical infrastructures and improving information sharing. It’s to get at exactly the point you’re talking about, and that is that the industry is interrelated and critical infrastructure sectors rely on each other. To the extent that the government can play a role in building those bridges, help enhance the communication that’s already there and create a common language across which to talk, that would make things all the better.

The Chair: It is in your self-interest, obviously.

Mr. Hannah: Absolutely.

The Chair: A breach in one institution would not only affect that one, but all of them; right?

Mr. Hannah: Absolutely.

The Chair: People would panic, right?

Mr. Hannah: It is certainly beneficial if you can share intelligence and knowledge across sectors because cybersecurity risks are, we’ll call it, fungible. The same attack vectors and malware can be used in multiple circumstances.

The Chair: We demand certain safety measures, such as monitoring reserves, that banks have to use, and all the rest of it. Are you suggesting that we have some overall policy or legislation that would ensure new entrants to the marketplace have the same protection that the banks already have? Is there a minimum standard that could be legislated, or is the legislative process so slow it can’t keep up with the technology of what is taking place?

Mr. Ross: I think legislation would be helpful. You mention that legislation and the pace of change may not necessarily coincide. What we recommend, obviously, is to build the legislation that does allow for minimum standards and let regulators and the regulatory environment determine what those standards are, because they will change over time as the threats, systems and whatnot evolve.

The Chair: I just don’t want the legislation to have minimum standards. In other words, I don’t want everybody to drive to the bottom. What you want is a lot of incentive for banks to continue increasing their standards of safety.

Mr. Ross: There is no doubt about it. Again, banks understand regulation and they understand risk. I think that some of the things that banks do and understand would be helpful for other sectors to also follow.

The Chair: I was just going to get to that.

Mr. Ross: That is why our recommendation is that there need to be some common standards. I’m not suggesting that the same standard would apply to a bank as to a small player. What I’m saying is there could be some tiering and risk-based standards as they relate to cybersecurity.

There are some absolute minimums. Regardless of the size of an organization, they do in some cases have the ability to inject cybercontagion into the essentially interconnected financial services and, in fact, beyond that. Again, we’re talking about resilience and protection of Canadians across sectors that extend beyond banking.

The Chair: Senator Maltais, do you have another question? I didn’t mean to interrupt you. You said it was the last one.

Senator Maltais: It is a quick question.

[Translation]

Would you be in favour of the federal government creating a regulatory organization grouping all cybersecurity services in the banking, financial and insurance sectors under federal regulation? Would you agree that one organization, of which you would all be members, be in charge of exchanging confidential information?

[English]

Mr. Ross: We certainly encourage and support federal jurisdiction. I think that’s safe to say. I think there is an opportunity, again, to talk about having a lead agency, and we believe it should be at the federal level. Obviously, there may be some dynamics that need to be addressed as they relate to how financial institutions are regulated today. I mean, we have some that are under provincial bodies, but I absolutely think the value of creating a standard and a framework for all is that you can bring everyone up to a level of resilience.

At the end of the day, we are trying to create the resilience so we don’t have to deal with and/or avoid impacts of an actual cyberbreach. I think that’s fundamentally important and why our recommendations include things like the standardization of regulation and a centralized body.

The Chair: I’m going to a second round. Even though we have until 12:30, we probably have, I would say, 15 or maybe 20 minutes of business that has to be done in camera. If you want an earlier lunch, govern yourself accordingly. Otherwise, you’re going to run until 12:30.

[Translation]

Senator Boisvenu: What attracted my attention in your brief on page 2 is your statement that for the cybersecurity framework to be effective in Canada, we would need a single organization to take the lead. Obviously in the bureaucracy, the more people do the same tasks, the greater the risk of error. It’s a very well-known theorem.

I have two questions for you. First of all, do you feel that there is a will to act on the part of the government? Next, what is the state of your relationship with the current government regarding its awareness of a situation which in your opinion presents some risks?

[English]

Mr. Ross: First, let me address the single body and it being housed within the federal government. We fully support a federally led single entity to manage cybersecurity and cyberawareness. I think there is value in doing so.

In the interaction today, we work very closely with the Department of Public Safety. As I said, we’re partners in CCIRC under Public Safety. We also work with Finance and we work with law enforcement. So we do have a lot of interaction with federal agencies. Obviously, we have them with provincial counterparts as well.

We believe we have a lot of value to add to the ecosystem. We have a lot of knowledge. We invest heavily to ensure the safety and security of Canadians’ financial data. Quite frankly, we have the ability to share some of that knowledge, and we want to share some of that knowledge with other industries and other sectors.

[Translation]

Senator Boisvenu: You are giving me a political answer. You say you have a lot of contacts and communications with these organizations, but that is not the question I asked. Where do you see real progress in the implementation of a strategy to ensure the safety of the banking system against cyberattacks? What progress have you seen in terms of putting in place a safety system?

[English]

Mr. Ross: Within the financial sector, there is a large framework that has been set up in that sector to ensure cyber-resilience and protection of financial data. As I say, the threats continue to evolve, and we need to evolve with them. I do not believe we’ll ever be at the end of the job in building out our co-operation with agencies both within government and law enforcement on this topic.

Senator Unger: I would like to go back to my previous questions. One of your recommendations is a single lead federal agency.

One comment: The federal government is being tight-lipped about how a recent security flaw found in virtually all Wi-Fi devices is affecting its departments, and public servants bringing their work home with them could be most at risk. My point is, the government is being tight-lipped about this issue.

So, if the banking institution is aware of this KRACK vulnerability, which basically leaves the door open on all Wi-Fi networks, why would you not be informing your clients and at least recommending to them that they should connect to the Internet using a cable instead of Wi-Fi?

Mr. Ross: I believe what you referred to was the notion of KRACK and federal government infrastructure. That is what I heard the question being. I think, quite frankly, that’s something you would need to address with the federal government.

Senator Unger: I did. They were tight-lipped.

Mr. Ross: From our perspective, obviously there are instances where security issues reach beyond banking. Again, there is an opportunity and I think there is a need for federal leadership in this space to coordinate and build awareness out to those end points because, at the end of the day, we’re talking about individuals, consumers and small businesses who need to be the ones who take actions to deal with any sort of a threat, such as the one you described.

Senator Wetston: You’re well aware of the fact, as we all are, that federations invariably have extremely fragmented regulatory, legislative and constitutional systems to deal with significant issues like cybersecurity or other areas. If you can park this in the systemic risk area, you might have a chance to do it federally without any provincial or other concerns, given the Supreme Court reference on systemic risk a number of years ago that you would be familiar with.

My point is, if you look upstream, you talk about the telecommunications sector as a conduit through which electrical data flows. That’s a big challenge from regulating the Internet, from freedom of expression and Charter issues, privacy issues. You’re suggesting that the federal government should look at legislative options to deal with that — I call it more of an upstream issue, which, of course, is critical.

Do you have more to say about that? Have you done more thinking about that? What would those legislative options be? I realize you’re focused on banking through your membership, but it has a broad effect on the economy. Concerns in your area can certainly create systemic risk in the economy should you have those kinds of serious challenges. Do you have any thoughts about that that you can share with the committee?

Mr. Ross: I believe that telecommunications falls under federal jurisdiction.

Senator Wetston: It does.

Mr. Ross: I would suggest that is one of the easier sectors to provide greater oversight. We mentioned in our remarks some of the challenges we have related to PIPEDA that limit the ability to share intelligence. It goes back to trying to build resilience, not dealing with a fraud after the fact.

Senator Wetston: Let me stop you there. I’m asking whether you have done more detailed thinking about this issue that you might be able to share with the committee, other than these general observations, which I’m not taking issue with; they are very real. If you haven’t, you haven’t. I’m digging more deeply here as to whether you can share that information.

Mr. Hannah: If I can jump in here, the approach we have taken is to try and lay out the architecture that we think would be appropriate, trying to make sure there are common standards across sectors. Recognizing there are jurisdictional issues, we would hope they can be resolved because, at the end of the day, the threat doesn’t care about the jurisdiction in this particular case.

We believe that improved information sharing would be a key component of that. We think there needs to be a lead agency on that. We are strongly of the view that coming out of this, there has to be a mechanism to reduce the amount of malicious traffic because it flows out; there has to be a way to stop that.

We think irrespective of jurisdiction, there has to be an education effort, both for small businesses and for individuals to try to make sure that people understand and can take action themselves. From our point of view, we have taken the architectural approach. Once we have moved past that, then we can get to the substance of how one gives effect to that. But that has been our focus.

The Chair: Thank you. Are we all done? If we are, thank you witnesses. We will say goodbye to the witnesses, then reconvene and do our in camera business.

(The committee continued in camera.)
