BANC - Standing Committee

Banking, Commerce and the Economy

 

THE STANDING SENATE COMMITTEE ON BANKING, TRADE AND COMMERCE

EVIDENCE


OTTAWA, Wednesday, February 28, 2018

The Standing Senate Committee on Banking, Trade and Commerce met this day at 4:15 p.m. to study and report on issues and concerns pertaining to cyber security and cyber fraud.

Senator Douglas Black (Chair) in the chair.

[English]

The Chair: Good afternoon and welcome colleagues and members of the general public who may be watching this on the Web. Today, you are before the Standing Senate Committee on Banking, Trade and Commerce, and we welcome you. My name is Doug Black and I am the chair of this committee. Other senators will be joining us. I apologize, but we’ve just come from a vote in the Senate. I’m going to ask the senators who are here to introduce themselves.

Senator Marwah: Sabi Marwah, Ontario.

Senator Tannas: Scott Tannas, Alberta.

[Translation]

Senator Dagenais: Jean-Guy Dagenais from Quebec.

[English]

Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.

Senator Wetston: Howard Wetston, Ontario.

The Chair: Thank you very much for being here. Since we’re starting a little bit late and I don’t want to cramp the valuable information we will hear from you, we will extend this panel until 5:30 if we should need that.

Today we resume our study on issues and concerns pertaining to cybersecurity and cyberfraud. This study includes cyber-threats to Canada’s financial and commercial sectors; identity theft; privacy breach and other fraudulent activities targeting Canadian consumers and small business; the current state of cybersecurity technologies and cybersecurity measures and regulations in Canada and abroad.

I am pleased to welcome Annette Ryan, Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance Canada; Ron Morrow, Managing Director, Financial Stability Department, Bank of Canada; Judy Cameron, Senior Director, Legislation, Approvals and Strategic Policy, Office of the Superintendent of Financial Institutions Canada; and Theresa Hinz, Director, Approvals and Precedents from the Office of the Superintendent of Financial Institutions Canada.

I’m going to ask for five-minute opening presentations and then the senators will have questions.

Annette Ryan, Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance Canada: Thank you for inviting my colleagues and I to speak to you today on the important topic of cybersecurity.

[Translation]

My name is Annette Ryan. I am Associate Assistant Deputy Minister of the Financial Sector Policy Branch at the Department of Finance. The Financial Sector Policy Branch is responsible for providing policy advice on Canada's financial sector, including the framework for federally regulated financial institutions, financial systems under federal jurisdiction, federal borrowing and investments, financial services trade, and capital markets matters. The branch works closely with a number of federal financial sector agencies, including the Bank of Canada and the Office of the Superintendent of Financial Institutions, which are both represented here today.

Cybersecurity is top of mind for both the private sector and the federal government. In recent years, this topic has become increasingly important at all levels of government and internationally.

[English]

Rapid changes in technology, many eagerly adopted by Canadians, are revolutionizing how the financial sector delivers its services and interacts with its customers. Before delving further into the risks entailed by technology, it is worth highlighting that financial technology innovations also bring many opportunities for business and consumers, including the convenience of performing financial transactions any time and anywhere.

Of course, along with these opportunities come major risks. As Canadians increasingly engage with financial service providers in an online and mobile environment, the risks increase in turn.

In the financial sector, cyberattacks threaten to disrupt the services provided by financial institutions, compromise the privacy of consumer information and bring about a reputational risk to financial institutions. Cyberattacks have the potential to disrupt financial services that are crucial to both national and international financial systems and so endanger financial stability. From a government regulations perspective, there are also important risks that need to be properly accounted for. In line with the Minister of Finance’s responsibility for the overall health of the Canadian financial system, we approach cybersecurity discussions from a financial stability angle.

The growing global reach of financial service providers, be they major financial institutions or an Internet-based money service provider, means one weak link in the chain can import risk into the broader financial system if not well governed and coordinated. As you’ve learned from previous witnesses, cyber-threats and the vulnerabilities which they exploit emerge and evolve constantly. As such, increasing the resiliency of the financial sector and reinforcing its recovery processes require coordinated action at all levels.

[Translation]

Finance Canada plays an active role in facilitating the coordination of multiple actors involved in discussions on cybersecurity within the financial sector, be it the financial institutions themselves, other federal and provincial government agencies and international partners. We maintain an ongoing dialogue with federally regulated financial institutions. It is important for us to hear firsthand what their key concerns are in relation to cybersecurity and what kind of actions the government may take to remediate them.

We act as a facilitator between the financial sector and other departments that have program responsibilities in relation to cybersecurity, notably, Public Safety, which leads on broader Government of Canada initiatives for cybersecurity, including Canada's Cyber Security Strategy.

[English]

I know you have heard these themes from past testimonies, and that brings us to yesterday’s budget as we have heard similar representations from these sources.

Budget 2018 announced significant investments — over half a billion dollars over five years — to launch a comprehensive national cybersecurity strategy to bolster the safety of Canadians and Canadian businesses online.

The centrepiece of the government’s new plan is the creation of the Canadian Centre for Cyber Security, establishing a single source of federal cybersecurity advice and expertise for key partners, including the private sector. The new strategy will also see the establishment of a national cybercrime coordination unit, which creates a national reporting mechanism for Canadians to report cybercrime to law enforcement and gives them new resources to investigate cybercrimes and prosecute cybercriminals.

The national cybersecurity strategy will enhance Canada’s cybersecurity resilience, allow us to respond more quickly to cyberattacks and will raise the cybersecurity bar for all Canadians.

We also believe we can learn from other countries’ experiences and we participate actively at the international level, notably through the Financial Stability Board, the G20 and G7. To this end, Finance Canada, the Bank of Canada and Office of the Superintendent of Financial Institutions Canada have been active members of the G-7 Cyber Expert Group, which reports to the G7 finance ministers and central bank governors. This group has published documents that identify best practices G7 members can follow and provides guideposts to other countries seeking to improve their security. The group is advancing work to identify and manage third party risks and to promote timely international coordination of response and recovery efforts in the event of a successful material cyberattack in the financial sector.

As Canada has assumed the G7 presidency in 2018, we are leading further progress in these specific areas of coordination. We firmly believe reinforcing security and resilience in cyberspace requires close cooperation and collaboration nationally and internationally from the various actors touched by cybersecurity. Importantly, joint private and public sector roles should work in concert and we are very focused on continuing to work with industry, now within the national cybersecurity strategy, which was announced yesterday. We look forward to hearing the perspective of other witnesses called to your committee and, in particular, the insights of the committee in respect of the financial sector.

Ron Morrow, Managing Director, Financial Stability Department, Bank of Canada: Good afternoon, Mr. Chair and committee members. Thank you for the invitation to speak to you on this timely and important topic.

[Translation]

Let me start with a brief description of the role the Bank of Canada plays in the Canadian financial system. Our mandate is to foster the stability and efficiency of Canada’s financial system. We do this by providing central banking services, including various mechanisms for providing liquidity to the financial system; overseeing key Canadian financial market infrastructures; conducting and publishing analyses and research; and helping to develop and implement policy.

As the scope and seriousness of cyberthreats has increased, the bank has devoted more and more time and attention to the financial stability concerns they pose. That is why we consider such threats an important vulnerability, as we noted last November in our Financial System Review.

[English]

We consider cyber risks to be a structural vulnerability because they reflect structural features, such as the increase in use of information technology to deliver financial services. Complex information technology platforms have allowed the financial sector to deliver services to clients more efficiently. However, they have also created increased opportunities for a successful cyberattack.

The high degree of interconnectedness between institutions means a single attack against a financial institution could spread to the broader financial system. As a result, cyber-threats have become a key vulnerability that both financial system participants and regulators will have to confront for a long time to come.

[Translation]

So, how is the Bank of Canada helping to mitigate this vulnerability and ensure the ongoing stability of the Canadian financial system? It has identified three priorities: first, ensuring the financial market infrastructures we oversee are taking appropriate steps to mitigate cyberthreats; second, collaborating with financial system participants to support collective actions to improve the resilience of the financial system as a whole; and third, investing to ensure that the bank itself is resilient to cyberthreats.

[English]

I will give the committee a bit more detail on the initiatives we are taking in each of these three areas, but first I wanted to offer a brief background on financial market infrastructures, or FMIs, and their role in the financial system. FMIs, such as Canada’s wholesale payment system, the large value transfer system, act as a hub for financial transactions.

In turn, banks and other financial institutions are connected to FMIs, much like spokes in a wheel. These systems ultimately facilitate the safe and efficient exchange of funds and other financial products between financial market participants. As a result, protecting FMIs from cyber-threats is of the highest importance. With that background, let me tell you a bit more about our first area of focus, ensuring that the FMIs that are overseen by the bank are taking appropriate steps to mitigate cyber-threats. Financial market infrastructures themselves internally assess their cyber resilience and also have outside experts perform similar assessments.

Measures are then identified and undertaken to enhance their cyber resilience. In addition, the Bank of Canada, as the overseer, reviews these assessments and action plans to ensure appropriate cybersecurity tools and practices are in place to protect the critical systems of FMIs. This is an ongoing process because cyber-threats are constantly evolving.

For our second area of focus, collaborating with others to improve the cyber resilience of the financial system, we use our Financial System Review to draw attention to cyber-threats as we did last November. We also undertake more ad hoc initiatives. Let me give you a few examples.

In partnership with the main participants in the wholesale payments system, the bank is leading a business continuity initiative to support rapid recovery should a key participant in the payment system be affected by a serious cyber event. We’ve helped draft international guidance on cyber resilience for FMIs, which has been used to help assess the cyber posture of FMIs both within Canada and abroad.

We are contributing to the cyber work being undertaken by a number of international forums including the G-7 Cyber Expert Group and we are also planning a number of table-top exercises with FMIs to better understand how they would respond to and recover from a cyberattack.

Finally, our third area of focus is to ensure the bank itself is resilient to cyber-threats. We are engaged in a continuous process of reviewing our cyber risk management practices against international standards and we are making necessary investments to defend against a rapidly evolving array of cyber-threats.

[Translation]

Thank you for your attention.

[English]

I would be happy to answer any questions.

Judy Cameron, Senior Director, Legislation, Approvals and Strategic Policy, Office of the Superintendent of Financial Institutions Canada: Thank you for the invitation to appear before the committee today.

As you all know, OSFI is the prudential regulator of federal financial institutions, including Canada’s largest banks and insurance companies. I’m Judy Cameron, Senior Director, Legislation, Approvals and Strategic Policy and I am here with my colleague Theresa Hinz.

[Translation]

I want to start by commending the committee for undertaking this study. As my colleagues have noted, technology has had a significant and positive impact on how financial institutions operate, but has also increased their exposure to cyberattacks.

[English]

The committee’s study of cybersecurity, including cyber-threats to Canada’s financial sector, is timely and important. My colleagues from Finance Canada and the bank have described their initiatives to promote the resilience of Canada’s financial sector to cyberattacks. I’d like to complement their remarks by touching on three themes. The first is reporting of major cyber incidents; the second is the unique nature of cyber risks and what it means for OSFI’s approach; and the third is OSFI’s guidance on outsourcing to third parties.

Let me start with reporting.

[Translation]

I understand why members of the committee are interested in centralized reporting of cyberthreats. This type of reporting could yield valuable information across diverse sectors of the economy.

[English]

OSFI expects the largest financial institutions to notify us when they observe a major cyber incident. These incidents should be reported even if they did not result in an observable cyber event, such as an online outage. We focus on major cyber incidents because they have the potential to disrupt the financial sector. We look for trends in the information we receive and then share important findings with the financial institutions.

Reporting is just one part of the answer. OSFI’s main concern is that financial institutions are resilient in the wake of a cyber attack.

Cyber risk is very different from the risks OSFI routinely manages, such as credit and market risk. These classic financial risks are much easier to predict and measure using financial data and indicators. We can use the information to develop standards and rules for managing risks and to make sure financial institutions are complying with our rules.

Cyber risk, on the other hand, is constantly evolving and hard to measure. As a result, OSFI takes a different approach. We don’t consider a financial institution’s capacity to detect and prevent threats; we put a lot of focus on its cyber resilience. Cyber resilience refers to an institution’s ability to anticipate, withstand, contain and rapidly recover from a cyber attack before it compromises operations or harms its customers.

OSFI issued a cybersecurity assessment template to help financial institutions evaluate their readiness to respond to cyber threats. The template sets out various desirable features of a cybersecurity framework. To complete the self-assessment, an institution needs to reflect on the current state of its cybersecurity practices. Knowing its own state of readiness is the first step in deciding whether it should enhance its cyber defences and recovery strategies.

OSFI also recently conducted a cyber review where we asked some of our larger institutions to respond to a severe but plausible cyber scenario. The scenario involved a data breach of customer information at a third party that led to a spike in bank accounts being hacked and drained of funds.

This review allowed OSFI to assess the institution’s detection and prevention capabilities as well as how they might react to a quickly evolving cyber event.

I will turn to cyber risk and outsourcing. Consumers have come to expect continual innovations in banking services. We’re aware of this. Over the past 30 years, we have seen the shift from cash and cheques to etransfers and tap-to-pay and the ability to access services through mobile devices from almost anywhere in the world.

This has been possible because financial institutions have leveraged technology to develop highly integrated systems with a wide variety of partners. Because of this reliance on partners, OSFI’s outsourcing guidelines set stringent expectations for how financial institutions manage third party relationships. We hold institutions accountable for services they outsource, and we expect them to conduct due diligence on third-party service providers.

We are reviewing the guideline to assess whether it remains appropriate in the context of growing cyber threats and OSFI’s focus on cyber resilience. I want to conclude with a few words about the way forward.

You have heard cyber risks are a shared threat and managing these risks requires a shared understanding of the problem and a coordinated response.

[Translation]

That is why the Office of the Superintendent of Financial Institutions Canada regularly engages with many of the witnesses appearing before this committee.

[English]

OSFI also works with standard setters and expert groups in other countries because Canada’s financial institutions are connected to partners around the globe. OSFI is an active member of the G7 Cyber Expert Group, and we also participate in information-sharing initiatives with the Financial Stability Board, the G20 and the Senior Supervisors Group.

OSFI’s mandate includes being ever vigilant toward new and growing risks such as those that threaten cybersecurity. That is why we look forward to the recommendations flowing from the committee’s study. Thank you, Mr. Chair.

The Chair: Ms. Hinz, do you have anything to say?

Theresa Hinz, Director, Approvals and Precedents, Office of the Superintendent of Financial Institutions Canada: No further opening comments.

The Chair: Thank you.

Senator Stewart Olsen: I have a couple of questions dealing with the announcement from yesterday and then another proposal I would like all of your comments on.

The announcement yesterday was very scant on details, and so I’m wondering when we can look at this being up and ready. Both of these are fairly involved, and I am wondering how long it may take before they get a viable organization together.

Ms. Ryan: Great question, senator. I cannot provide you with a firm date when the new centre will open. I would describe the resources as supplementing and augmenting efforts already under way in different departments, principally the Canadian Security Establishment and the RCMP as well as Public Safety. The resources are welcome. The effort that is involved going forward will involve meeting objectives in terms of renewing leadership governance collaboration in the entities that are working together already. The services will continue to be provided, but I don’t have a firm date to start operations.

Senator Stewart Olsen: I will ask for everyone to comment. It says to bring together what’s already happening and the cyber experts. I did not see anything in here. Is there any provision or should there be a provision for education to get our own homegrown experts, such as working with universities and colleges? It really is a young person’s area, and it’s rapidly evolving. I’m wondering what you would think. Would you be supportive of an initiative like that?

Ms. Ryan: The budget targets those objectives. It’s part of the framing around building a secure and adaptive ecosystem. It speaks to issues like training and bringing along the next wave of people who will have the right training, will bring innovation to the space and build that wider set of skills and abilities to train more people in cyber-resilient security.

Senator Stewart Olsen: Once again, scant on details so I don’t know how they will do that, but that’s good to hear.

Mr. Morrow: The type of initiative you’ve spoken of is something we do see happening in other jurisdictions. Other countries are taking the lead in trying to improve education and create a new wave of people to help with this threat. I’m sure the measures in the budget will stand us in good stead in that regard.

Market forces should also help here as the demand for cyber experts is quite strong. As a result, it will be lucrative for students to invest in that type of education.

Ms. Cameron: I would echo Ron’s comments that demand for people with these skills is very strong, and we know, through dialogue with our institutions and other regulators, because demand is strong it’s sometimes hard to track and keep these skills, and that’s very important to all of us to help deal with cyber threats. I would echo the comments of my colleagues that a program to support education is valuable, but how it all plays out, we have little information.

Senator Tannas: Thank you for being here. I wanted to try and understand where Canada is relative to other G7 countries.

Ms. Ryan, around the national cybersecurity strategy and Canadian Institute for Cybersecurity, are there other countries that have a similar strategy document and a centre for security up and running or are we at the forefront of this?

Ms. Ryan: From our work at the G7 table, I’m confident to say all countries are moving ahead very quickly to put in place similar arrangements and information sharing. In terms of a country that is a good model for Canada, I think the U.K. has done very good work with their cyber centre.

They typically publish a number of documents. Their annual report from last year was a good source in terms of the type of threats and how they’ve organized themselves as a centre to respond. So it’s a similar type of model.

Senator Tannas: How long have they been around for?

Ms. Ryan: I would have to get back to you on that, senator.

Senator Tannas: On a similar theme for Canada’s financial institutions and for the Bank of Canada, could you give us a sense of where the Bank of Canada is compared to other similar organizations and functions in different countries? Where are Canadian financial institutions compared to the other G7 countries?

Mr. Morrow: For the Bank of Canada, I’ll address the question along two dimensions. First is the work we’re doing to help ensure the financial market infrastructures we oversee have a good, resilient set of cyber plans. I would say we are amongst the leaders in our global peers in working with the FMIs to ensure they have strong plans in place and are as resilient as they can possibly be.

On the second part, in terms of the Bank of Canada’s own cyber resiliency, I would say we are in a good position but it is very much a moving target. The bad guys are getting better every day. Like many institutions, there are a large number of attempts every day to try to compromise the systems of the bank and we’ve been successful thus far. It requires continual investment in technology and human resources to make sure we can stay ahead of the game.

Ms. Cameron: OSFI belongs to a number of international groups. We are part of the Senior Supervisors Group, which are regulatory agencies around the world that discuss a host of common challenges, including cyber. From those discussions, it’s my sense every country has a different strategy because the mandates of the regulators are slightly different. By and large, they are taking similar approaches. With the U.K., I would share in the observation that it seems to be a bit ahead and other countries can learn from it -- the Netherlands also -- but we are not laggers. We are learning from our international colleagues and I’m sure they’re picking up some stuff from the Canadian system.

Senator Tannas: That is good to know.

Senator Marwah: I was pleased to read about the Canadian centre for cybersecurity. This is a single point of expertise long overdue and it is very welcome.

All of you talked about financial sector vulnerability, and given your backgrounds and institutions, obviously that’s what you would talk about. But I believe Ms. Cameron said you are only as good as a shared threat. So in a shared threat, you are only as good as the weakest link. While we talk about the FIs and the insurance companies, what about the other sectors, the telcos, the hydros, the utilities? How do they get drawn into this analysis of cyber-threats? Clearly OSFI has no purview of the telcos; neither does the Bank of Canada. So who draws the other players into this analysis of cyber-threats to say we have to look at this collectivity because as hydro or telcos go down, we are hugely vulnerable. Who brings them together?

Ms. Cameron: It is an excellent question. It is beyond OSFI’s purview and I turn to Ms. Ryan.

Ms. Ryan: First, I would say that in terms of the Government of Canada, Public Safety has the overall lead in terms of mapping the cybersecurity of the country. That leads them to look at how different systems interact together in terms of financial sector, the telcos, the energy sector. They have active work to assess those risks and respond to them.

I would be keen to note that is one of the higher level objectives of the budget announcement of more than half a billion dollars over the coming five years to strengthen the attention paid to those critical systems, to make sure they are robust and resilient and, as Ron says, they continue to respond to the emerging risks in the best way possible.

I would flag that the bank, in particular, has led work on the resiliency side to test a number of scenarios that would involve risks coming from other sectors. We are pursuing these as active discussions with our G7 partners, in terms of the work I mentioned on third party risks. These can either be from another sector or another part of industry. Assessing those risks and planning measures to harden systems against those risks is actively under way.

Mr. Morrow: I had a couple of things. We have done some work with banks, financial institutions and FMIs to take a look at the sectors for which we are highly dependent, in particular energy, telecom and, to some extent, transportation. The outcome is we identified a number of areas where we had some concerns when it came to energy distribution, electricity, in particular in parts of Ontario, and some concerns around telecom resilience and the concentration of equipment in some areas.

We were able to have some good conversations with folks in the other sectors and learn a bit about what they’re doing to remediate those risks and walked away more comfortable and confident in terms of what they were doing.

The new centre and the new initiatives announced in the budget will be even more helpful to try to bring the sectors together to a common table where we can have more detailed and open discussions.

Senator Marwah: Is this new centre going to be the coordinating point for overseeing all risks or is it too early to tell? I understand you mentioned Public Works is taking the leadership role, and they are and they aren’t. It has generally been very fragmented and difficult to pull everything together to understand what the vulnerabilities are. Everybody is saying you are doing that. There is not a firm hand in looking at the risks in totality rather than every sector doing their piece and without understanding what gets dropped in the middle.

Ms. Ryan: That is very much the objective of the new effort. It is to bring a new level of leadership, cohesion, collaboration to these efforts that are under way. And the new centre will focus most specifically on risks related to cyber-threats. There remain wider threats to public safety that cross sectors and that wider sense of operational risk contains the set of cyber risks. We will need to continue to pay attention to those, but the new centre will focus more deliberately and in a more coordinative way on those cyber risks that face critical cyber systems.

[Translation]

Senator Dagenais: My question is for Ms. Ryan. Last September, Equifax was the victim of identity theft when the credit card numbers and personal information of more than 209,000 Americans were stolen. Forty days passed before Equifax informed the public of the theft, which gave the fraudsters ample time to act.

The company disclosed very little information about the theft in Canada also. Do you have any authority over these businesses, which work with all financial institutions and manage such quantities of personal information? Is there a timeframe within which the financial institution must inform its clients that they are victims of identity theft?

Ms. Ryan: That is an excellent question, senator. I will give you a more precise answer in English.

[English]

The question you pose does cross a number of responsibilities. In the first instance PIPEDA specifies the requirements businesses must follow in protecting the private information of Canadians in a similar type of institution as you describe.

Further, the reporting of cyber breaches is covered by that act, depending on the type of institution involved and for the credit agencies, as well as different regulators if they be provincial or federal. That fabric of requirements on businesses as well as the oversight, depending on what type of personal information they have, are in place. In terms of financial sector risk, we do think about these risks in terms of “at what point do they pose a systemic risk for the financial sector?” That’s a separate margin of work that plays in your space.

[Translation]

Senator Dagenais: On the same topic, with the information collected, have you analyzed the cyberattacks on our financial institutions? Perhaps Mr. Morrow can tell me. I don’t think you will have the answer, but could you tell us where in the world the perpetrators of these attacks are located?

[English]

Ms. Ryan: I am happy to let my colleagues answer as well. I see the real expertise for that type of analysis as being the CSE, the Canadian Security Establishment. It is a balance they have to strike in terms of doing their surveillance and analysis of risks that play out in cyberspace and working with specific institutions, businesses, and so on, to improve their resiliency and to work together in a collaborative and trusted space versus having a fulsome reporting of all attacks and incidents to the public.

I would assure you that type of analysis is in real time. It’s more than daily. It’s their constant vigilance. In terms of public reports, I would refer to institutions like CSE or Public Safety who are close to that surveillance.

[Translation]

Senator Dagenais: Perhaps centralizing the information might result in a tightening of the rules.

Would some cyberattacks be kept secret because the banks prefer to take the loss and compensate the victims in order to prevent creating a climate of concern among their clients?

[English]

Ms. Cameron: We have told our institutions we expect them to report any kind of material cyber incident. We don’t expect the banks to keep secrets from us but we don’t know what we don’t know.

[Translation]

Senator Dagenais: I tried. Thank you.

[English]

Ms. Cameron: We don’t oversee what happens in a bank. We can’t really comment on what we don’t hear about.

Senator Wetston: Thank you for coming here today.

Let me follow up on the last comment here about what you know and what you don’t know, which is always challenging. You are, of course, aware of the fact securities regulators have had some role in this area. As you know, from my background, I’ve spent some time in that area. I’ve done a lot of work personally on the principles of financial markets infrastructure, unfortunately, because it is well beyond my space.

On this last issue of disclosure, which I think is really important — and Ms. Cameron, I’m not directing it to you necessarily as you might all have a comment. The CSA has put out guidelines in this area and requires reporting issuers, and the banks are reporting issuers, to report and disclose publicly any cyberattacks or threats, material matters. I’m not sure if you review those as opposed to what is reported to you. How much time do you spend on that?

The SEC just announced updating because most of our banks and financial institutions are interlisted as you also know. The SEC now requires enhanced disclosure. I think Mr. Clayton has gone further in the guidelines that he expects with respect to this area. Disclosure and transparency are important. Do you have comments with respect to the extent of disclosure and the fact of its importance beyond the banks telling you what is going on?

Ms. Cameron: OSFI has a different regime from the security regulators, as I’m sure you know. When we get information, we don’t disclose it. We are prevented from disclosing it.

We have this expectation that our major financial institutions report major cyber incidents to us. As with the CSA’s regulations, what is material? It’s a bit like beauty is in the eye of the beholder.

We do get reporting, but we don’t get a large amount of reporting. I do have the details. Banks have reported eight major incidents since 2016. We also get them to advise us of noteworthy cyber incidents. We usually get two or three noteworthy cyber incidents per quarter. From a security commission’s perspective, “material” probably means does it have impact on their financial results and hence their share price. You would be the expert in this field.

Senator Wetston: It’s getting close, that’s for sure.

Ms. Cameron: These incidents have not compromised their operations in a material way.

Senator Wetston: I see. The only reason I’m pursuing this is both the U.S. and Canada are getting closer on disclosure. With all our interlisted companies, that’s helpful. However, on both sides of the border companies are expected to provide tailored, entity-specific, non-boilerplate information — you hope — about cybersecurity preparedness, risks and incidents. I’m asking whether or not you are aware of that or think about it in those terms. I recognize the confidentiality aspect with reporting to OSFI, which I have always had some questions about. However, I’m saying this particular area might help fill that void and I think it may be important. Mr. Morrow or Ms. Ryan may have some comment, too. I think it’s an important area.

Ms. Cameron: I am aware of the information and I read from the document you are reading from a few days ago. That is the kind of information OSFI expects institutions to provide but in a more detailed fashion than what they would release in a public statement.

Senator Wetston: That’s helpful. I think reporting is important.

I have a lot of materials. I have been reading and I can’t wait to ask questions. I liked what Senator Marwah is pursuing. A leader of another organization, in talking about the ecosystem, described it this way: “As one leader put it, my risk is your risk and your risk is my risk.” I thought that was an interesting way of putting it.

Ms. Cameron: Yes. This is the weakest link comment.

Senator Wetston: Are there standards or protocols generally to address that kind of issue? I see it as a waterfall of risk. I realize in the budget you announced some new initiatives and they are important, but what have you done to date at OSFI, or at finance, or at the bank, to address that particular issue?

Ms. Cameron: Their dependence or the impact of the risks of others on —

Senator Wetston: What are you doing to minimize them?

Senator Marwah was preceding me. Mr. Morrow, I have your paper here. I don’t know who gave it to me. Maybe it was something you supplied. It was written recently. Maybe I’ll supply it so you have it. It’s Cyber Security: Protecting the Resiliency of Canada’s Financial System. You are one of the authors. You emphasize cooperation and coordination, not just within government, within the public and private sector which is why I’m pursuing this. That’s important particularly if you go beyond financial services and not all financial services are federal. Any comments?

Mr. Morrow: Two dimensions; first, in terms of a framework to ensure people are achieving the right level of cyber resiliency, they are over the bar and you are correctly measuring the bar. There are a number of frameworks in the world to measure cybersecurity preparedness. Most of these frameworks are flexible; any one is the same as the others. We have adopted a particular framework and hold the FMIs up to a certain level of maturity within that framework and are able to demonstrate it.

In addition, to test interconnectedness, that’s where tabletop exercises come into play. Having exercises where you have not just the FMIs, but their participants and a range of others around the table and you test how well people are prepared in a coordinated act in an exercise as a way of helping to guard that resilience.

One final point: I would also note that a host of private and public sector groups have sprung up where people share very detailed, very confidential information about cyber breaches on the view that it’s not about competition. Everyone is better off if we share information.

It is happening. Sometimes the challenge is the amount of sharing you can do only goes as wide as the circle of trust you are willing to draw. That’s an ongoing challenge.

Senator Wetston: My next question is two parts and deals with the issue of interconnectedness. It was a trigger in the financial crisis, as we all know, and it can be a trigger again in cybersecurity risk or resilience, and interconnectedness can lead to systemic risk. What is your view about that with respect to the cybersecurity threats, particularly in the context of your interconnectedness that exists within financial markets?

Mr. Morrow: It’s one of the reasons why cybersecurity is a key vulnerability that we face. A problem at one institution can very quickly spread to another, not necessarily the cyber-threat transmitting itself, but one institution or a central infrastructure is off-line means payments are not flowing, transactions are not flowing, it can create a cascade of failures to other institutions. It is a critical characteristic of this cybersecurity vulnerability we face. It is so very important to ensure everyone is well prepared and everyone is striving to be above a certain bar so there is no obvious weak link to the system.

Ms. Ryan: The new resources that have been dedicated recognize the importance of critical systems. We have been doing work to identify what are the components of systems that have that deepest interconnectedness that we need to worry about the most. We have been working together. There will be new resources coming for those critical cyber systems, and then beyond we’re trying to identify what is the next wider set of concentric circles out? That speaks to the work I mentioned earlier about third-party risks we are pursuing domestically, working with G7 partners to identify the next set of things to worry about.

Senator Wetston: Are you including blockchain technology in that?

Mr. Morrow: The next ring is less about blockchain technology and far more about the third-party service providers. If everyone is using Amazon web services for cloud computing, then there is a new vulnerability.

The Chair: I have a couple of quick questions to focus a bit on the agency that was announced yesterday.

Do we understand public safety will take the lead in that agency or is it undetermined?

Ms. Ryan: I think it’s best to wait for the more detailed announcement, senator. It will have a heavy involvement of the Canadian security establishment.

The Chair: Fair enough, the question of the lead, if it has been determined, isn’t publicly available.

Ms. Ryan: The budget documents are the extent of public announcements and a number of details remain to be announced.

The Chair: Very well. Would the same answer apply to this question: To whom will the agency report?

Ms. Ryan: The same answer, senator.

The Chair: Thank you very much. Senator Stewart Olsen started with a very important question. This issue obviously, given the time you are dedicating and we are dedicating to this, is on the plate now. In fact we might even be a bit late to the kitchen. Timing becomes very important. In the document that will be released, will we have a discussion about when this agency will be operative or can you comment now?

Ms. Ryan: Senator, I prefer to echo the comments in the first answer, which is that many of these efforts are already under way within the resources that we have. As plans take shape, take place, get the appropriate approvals and so on, we are seized with the urgency of the need and keen to get them up and running.

The Chair: Key language, seized with the urgency of the need, I like that a great deal. I want to amplify what Senator Marwah said and his exploration of the concerns we have around the private sector. Basically, in our economy, I don’t think I would be worrying as much about the Canadian banks and their ability to deal with these challenges as I might around pipeline companies or air traffic controllers or “fill in the blanks”. So it becomes key in a strategy that we have those linkages as Senator Marwah clearly indicated.

Do you believe there is an understanding at the centre of government that is essential?

Ms. Ryan: Yes, very much so, senator. The budget documents do speak to that need to think of critical systems Canadians rely on, so financial services, transportation, energy, those are of a particular level of attention.

I would draw your attention to the announcement that spoke to the need to also protect Canadian businesses and Canadian citizens in their online existence more generally. That’s backed up not just with a trusted source of advice and building the ecosystem, but a very robust and tangible attention to the need to see these attacks as crimes and follow up with investigations and prosecutions so Canadians are protected, Canadian businesses are protected. When we identify certain systems as being more systemic risks to Canadians and Canadian businesses, that is where we are putting additional resources, liaison, governance and leadership going forward.

The Chair: Let me take this opportunity to thank you all for being here today and helping us with our deliberations. You have been extremely helpful because you are very knowledgeable. Thank you also for the work you do on a daily basis serving Canadians. It was a pleasure to have you and we have benefitted from your attendance.

On our second panel, senators, representing Payments Canada, is Justin Ferrabee, Chief Operating Officer, and Martin Kyle, Chief Information Security Officer.

I understand we’re going to have an introductory presentation from Mr. Ferrabee and after the senators will undoubtedly have questions for you. Thanks for being here.

Mr. Ferrabee, the floor is yours.

Justin Ferrabee, Chief Operating Officer, Payments Canada: Thank you, Mr. Chair and committee members, for inviting Payments Canada to contribute to your study and report on cybersecurity and cyberfraud. I am Justin Ferrabee, joined by my colleague Martin Kyle, Chief Information Security Officer.

I will spend a few moments helping you position Payments Canada, formerly the Canadian Payments Association, in the financial system before delving into Payments Canada’s approach to cybersecurity, fraud and some of the outstanding issues and concerns we feel have yet to be addressed.

Payments Canada is Canada’s financial market infrastructure for payments. We design and operate Canada’s national clearing and settlement systems and facilitate the interaction of those systems with other payment networks and financial market infrastructures. While Payments Canada is a little-known entity to most Canadians, it plays an essential role in the economy and day-to-day operations of financial institutions and businesses across the country.

Payments Canada’s systems ensure payments between financial institutions representing the aggregation of payments made by individual Canadians, businesses and governments are safely and securely completed each and every day.

We are guided by our mandate and the public policy objectives of safety, soundness and efficiency of the Canadian clearing and settlement system. These objectives are enshrined in our legislation under the Department of Finance, namely the Canadian Payments Act.

Financial institutions are members and are required to pay Payments Canada and to fund our operations. Our systems are overseen by the Bank of Canada because of their importance to the stability of the overall financial system.

Payments Canada does not operate at the retail layer of the payments value chain where emerging digital payment technologies are conceived. Our focus is at the macro or infrastructure level and is concerned with ensuring financial claims between financial institutions can be settled efficiently and without risk.

However, in consultation with members and stakeholders, we maintain a framework of rules and standards that facilitates the exchange of payments and the development of emerging payment products and services, an area of particular focus as we look to modernize our systems.

We take our highest priority of safety and soundness seriously. It commands the focus, resources and investments above all other needs, both now and in the future.

This means we design, review, modify and update our systems as we monitor risks. We remain in a constant state of vigilance and respond as required to ensure we manage risk appropriately.

Given the cyber-threat environment continues to evolve rapidly, Payments Canada continues to raise its defences against this area of operational risk. We have a cybersecurity action plan based on secure design principles and industry standards. The plan ensures we are constantly watching for and closing gaps to maintain the resiliency of our operations. It means identifying sensitive assets and their environmental context, protecting the infrastructure that contains those assets, detecting threats attempting to compromise the infrastructure, responding to events and incidents and recovering from potential intrusions.

Payments Canada operates within a network of financial institutions, regulators and other financial market infrastructures. Accordingly, we are held to a high standard of security that includes the Guidance on cyber resiliency for financial market infrastructures, the SWIFT Customer Security Program and the Cyber Security Framework from the National Institute of Standards.

In turn, we establish rules and standards around the security of payment items and connectivity of systems to which our members must adhere. With our partner banks in the financial sector, we collaborate on cybersecurity and coordinate management across the ecosystem through important industry groups such as the Canadian Financial Services Cybersecurity Governance Council, Cyber Security Specialist Group and Information Sharing and Analysis Centre.

We also plan for high resiliency and participate in interorganizational exercises for business continuity and disaster recovery. We remain connected and share intelligence with partner public agencies and non-governmental organizations in the cybersecurity community. These connections include Public Safety Canada, the Canadian Cyber Incident Response Centre and the Critical Infrastructure Protection Branch, Communications Security Establishment, the Cybersecurity Ecosystem Development, the RCMP National Critical Infrastructure Team and the Canadian Cyber Threat Exchange.

Working closely with our members, our overseer and our regulator, we are currently undertaking a major program that will result in a modernized infrastructure. We are bringing our focus, discipline and commitment to the safety and soundness principles to this modernization effort and will ensure the modernized environment continues to secure payments for the Canadian economy.

Through this diligence, we are able to see certain gaps that exist outside our control that this body may be able to influence and we would like to discuss those a bit today, if appropriate.

First, there is a clear need for public/private coordination in responding to attacks against critical infrastructure and a single clear point of contact in the public sector for chief information security officers in the private sector. These improvements will help us better share information in a protected fashion and will help us manage and prevent future attacks. We hope the new bodies identified in the 2018 federal government’s budget, a Canadian centre for cybersecurity and a national cyber crime coordination unit will help to resolve this issue.

Secondly, financial market infrastructures form the backbone of the economy. These systemic cyber systems must be prioritized for recovery with vendors and infrastructure in the event of a widespread disruption. Policy that extends cybersecurity requirements to the supply chain of critical systems will help improve resilience of dependent components to the national infrastructures and the financial system as a whole.

Finally, there is more that could be done to address the cybersecurity skills shortage. There is already a gap in capable people and given the increase and severity of threats, there is a need for policy and strategies to develop, attract and retain skilled workers.

While every organization has a responsibility to protect themselves from cyberattacks, the value of the network, including both public and private entities — doing so as a collective will be much more effective. Moving forward, it will be important to look at cybersecurity as an issue affecting the Canadian economy and our national security as a whole, as there are clear codependencies. Payments Canada is eager to contribute to and support a network defence strategy.

Payments Canada’s mandate is explicitly focused on safety and soundness. As such, we look forward to the recommendations coming from the committee’s study and report. Thank you for your time, and we’re happy to take questions.

The Chair: Thank you very much, Mr. Ferrabee. It was a very good presentation.

I’ll start questions with the deputy chair.

Senator Stewart Olsen: From what you have outlined, you already have an up-and-running, very good cybersecurity department. How do you see yourself interacting with this new agency? Are you a bit concerned — I know that when you have departments like CSIS or the RCMP, there’s not a huge sharing of their security issues. You become very protective of what you see as a threat. I’m not sure how we can overcome that with these new agencies. Could you comment on those two things, please?

Mr. Ferrabee: Yes. First, we don’t know enough about what’s coming down from the budget to know specifically. We are active across the federal family and in multiple areas. We are assuming those will be a part of it in some way, and we would connect through that or whatever regime is coming forward.

We would be proactive in building those relationships to understand how that works. We’d be first in line, if you will, to participate.

Second, the challenge of sharing information is progressive in that you start with what you can, then you don’t share what you can’t, and then you build trust, share more, then add conditions and circumstances and safety to share more. As Ron Morrow mentioned, it’s the circle of trust, and you would like that to get bigger in time. There are conditions and prerequisites for that to happen.

We have experience and have had success in that. We think we can do it. As the awareness of cyber grows, collective interest also grows. We have confidence we will see more of that and some standards for participating.

Martin Kyle, Chief Information Security Officer, Payments Canada: We currently receive threat intelligence information from some of the agencies as they exist now. I expect that will continue in a reorganized fashion in the future. As Justin Ferrabee indicated, as we continue to build the circles of trust and increase our maturity, we’ll be sharing information back to those agencies.

Senator Stewart Olsen: Good. I look forward to seeing that. Thank you.

Senator Marwah: Thank you both. I really enjoyed reading your briefs and draft remarks.

You make a point here that you feel strongly more could be done to address the cybersecurity skills shortage, and that’s certainly people. You go on to say, “It will be important to look at cybersecurity as an issue affecting the Canadian economy and national security as a whole, as there are clear codependencies.”

When I read that, I ask, “Who should be assigned this role to pull this together?” Is this a new agency or the many agencies involved already? Who has the responsibility today? Forget about the new one, but who has the responsibility to pull this together to make sure nothing is falling between the cracks?

Mr. Kyle: Public Safety Canada operates a national cross-sector forum on critical infrastructure. That agency brings together parties within 10 identified critical infrastructure areas. It coordinates information, sessions and potentially exercises across those sectors.

Again, as the announcement yesterday suggests, there may be some reorganization. I’m not exactly sure how that will change in the future, but as of today, Public Safety is the agency we interact with at a national level for critical infrastructure.

Senator Marwah: Do you feel what they are doing is adequate, or do you feel in that role alone there are other places that we could do with strengthening our overall strategies and policies?

Mr. Kyle: We’re moving down the right path. I was moderating a panel at the OECD a few weeks ago, and a question came up about how critical infrastructure players interact with each other when there’s a cyber event. We received some feedback from a U.S. representative that they are conducting cross-sector cyber exercises between, for example, finance, telecom and energy, electrical in particular.

So I know that the critical infrastructure branch has been discussing this possibility with the critical infrastructure players in Canada. We’re on that road, but we can continue to do more there.

Senator Marwah: In your judgment, which is the best-in-class model you have seen? Is there one you could say has it absolutely right in terms of how they organize themselves, whether it’s the U.K. or the EU? The U.S. is more fragmented than us. Which country or model has it right — or as right as you can get?

Mr. Kyle: I can’t really comment on other countries’ models other than to say every country is facing the same issues that we are right now. The number, the frequency and the severity of cyber attacks are increasing. Just as we are meeting here to study this problem, the nations I have been interacting with are doing the same.

The Chair: Mr. Ferrabee, do you have anything to add? Senator Marwah asked a specific question as to whether there is a model or a country we should be looking at.

Mr. Ferrabee: Specifically around payments infrastructure and the way we interact with other infrastructures, each country varies widely in how it’s done. We do work closely with them. We initiated about four years ago a committee of the CEOs of the G7 for addressing these exact issues. I would say we are in the upper quartile in terms of how we’re managing. Without disclosing too much on it, we are in the category on a model that seems to work.

The Chair: Thank you very much.

Senator Tannas: Thank you for being here. We talked a lot about what I would call the macro issues of thousands and potentially millions of attempts to breach big systems and so on. But I wonder if maybe you folks are uniquely positioned to talk about some of the micro issues, in addition to what you are trying to do and what concerns everyday Canadians. I’m talking about the hostage-taking of computers where you get to pay somebody $200 to get your own computer back, and you make a payment to them. There’s also the tax department scam things where little old ladies are sending money off, because they think they’re behind in their taxes, because somebody contacted them through email or phone. There’s also phishing or phony invoices from companies.

I have never heard that anybody suffers redress from that. They send it off, and the response is, “Oh, well, sorry it’s gone.” Where has it gone? Is there not some way, or is there any discussion about how to coordinate so that money can’t just disappear out of a Canadian financial institution to an American financial institution and then wherever it goes — into the ether?

In other words, is there any discussion about trying to find ways to get money back for ordinary citizens in all of this discussion?

I know it’s one citizen at a time. We’ve heard there are potentially millions of these things that happen. It has happened to me both in business, for a very large amount of money, and I also had my computer hijacked and I paid the money, and the response is, “Too bad. You lost your money.”

Aren’t you guys at the forefront of figuring out how to get money back or stop that flow? Is anyone focused on that, or are we just focused on the macro risks to the big banks and hydroelectric and so on? That is important but isn’t there an “and” we should be doing here?

Mr. Ferrabee: I will take a first attempt and try not to disappoint you. As a financial market infrastructure, we’re down much deeper than that, so we would do the exchange between financial institutions, which is a very small group. They have the customer-facing interface, so they would work with consumers and we would see the FCAC as the agency that would advocate for Canadians on financial matters in terms of financial consumers.

We aren’t active at that layer in the payment system. We may have some views or not, but Payments Canada is an infrastructure and our focus is narrow. It’s small and important but it doesn’t cover consumer activity.

Senator Tannas: If I’m sending a payment somewhere, that is not facilitated by your infrastructure in any way.

Mr. Ferrabee: It would go through our members — the banks — and eventually, at the infrastructure layer, when they transact between each other, we would do that. But we don’t participate in any of the authorizing of payments or anything at the consumer level.

Senator Tannas: What about to financial institutions in the United States? Would you be doing that or are you solely contained in the Canadian financial system?

Mr. Ferrabee: We would do the wire transfer as well.

Senator Tannas: Then, my financial institution, facilitated by you, is sending my payment somewhere. Is there any discussion anywhere about where it goes and how you could get it back if it turns out a day later that it’s fraud?

Mr. Kyle: A wire transfer goes over a separate network called the SWIFT network and the financial institutions are participants. Drawing upon my previous experience before Payments Canada, the ability to recall payments in the case of fraud is largely in the remit of the financial institutions themselves and their ability to leverage the relationships they have with their counterparts.

To the point of a previous panel that was here as part of this study, the difficulty in finding these perpetrators and prosecuting them is the inter-jurisdictional nature of the crime itself, which I think refers to the first part of your question.

There are two parts to your question. There’s complexity in finding the perpetrators and prosecuting them from a jurisdictional point of view, and the second part was about redress for the consumer. That’s largely handled by the retail financial institution that has some ability to claw back payments that may have been done fraudulently, or recompense the victim in the scenario.

I hope that answers some of your questions, but it’s outside of the scope and realm of what we do in Payments Canada.

The Chair: These are great questions. Keep them for tomorrow, when we have the Canadian Chamber of Commerce and MasterCard. The interest of the consumer is very important.

Senator Wetston: A general question: The Bank for International Settlements has done a lot of work on financial market infrastructure. Have they done anything recently to guide your particular work in the area of cyber-attacks or cybersecurity risk?

Mr. Ferrabee: We work with the Bank of Canada on that. It’s very clear we work together in interpreting those and applying them to our context.

Mr. Kyle: There’s one particular document I think was in our briefing note at the beginning, which identifies a standard to which we adhere, and it is the Guidance on cyber resilience for financial market infrastructures. That guidance was published by the Bank for International Settlements and there were participants from the Bank of Canada that helped contribute the content.

Senator Wetston: You don’t directly participate?

Mr. Kyle: We didn’t participate in the crafting of the document but we adhere to the principles identified in it.

Senator Wetston: Can you tell me whether you think there are more vulnerabilities, if any, in payments versus clearing and settlement in the large value transfer system? Do you have any sense of where the vulnerabilities might be or what might be more accessible from the point of view of a cyber-attack?

Mr. Kyle: For reasons that perhaps are obvious, we don’t typically discuss security configurations or components. While we have a sense of where things are stronger or weaker, we don’t discuss that but would disclose them to authorized parties if appropriate.

Senator Wetston: I guess what’s important is if there are differences and you have identified what they are, you obviously don’t want to recognize them in case there are cyber criminals who want to know that as well, for apparent reasons. But is there a difference? If there is a difference, are you aware of it, and do you take whatever action is appropriate to deal with that? Can you answer that?

Mr. Ferrabee: There is a difference, partly on scale, the number of participants and the level of trust in the system. The smaller you are, the higher level of trust. We are quite small and have a small number of members, so we have a high degree of trust. That risk gets higher as you get further out.

Senator Wetston: I look at it generally in this way that everything in our society is becoming more digitized. I don’t know what we will call ourselves in 10 years but we may not call ourselves human beings. We may be robots entirely digitized and running on AI systems.

You will probably agree with me that today you can gather enough data for analysis or for whatever use you may want to make of it. Whereas five, six or seven years ago, it would have taken you a month to gather the same data, which makes that data more accessible to cyber-attacks, I would think.

Given that circumstance with AI and big data — or whatever it’s called; I can’t recall the exact technology term for it — do you have concerns around the amount of available and potentially important data that can be accessed and organized in a day, rather than taking a considerable amount of time, and make it more available for attacks?

Mr. Ferrabee: I will address it at a more general level. There is an acceleration of capability and a broadening of technologies happening, and the work for us is being current. We invest significantly in ensuring we are up to date and are also tracking what’s coming and what the impact is.

I think the short answer is yes, we are aware. It is more sophisticated and, as a result, carries more risk and that forces a greater vigilance on our side.

Senator Wetston: Is it more accessible?

Mr. Ferrabee: Because there is more of it? Possibly. We design our systems such that those conditions don’t compromise us further. We would be aware of that as a constraint.

Senator Wetston: Do you believe, in your experience and what you do, obviously, that cyberattackers are as sophisticated and as capable as you are?

Mr. Ferrabee: Absolutely.

Senator Wetston: Are they more capable?

Mr. Ferrabee: It’s very possible.

Senator Wetston: I guess that’s the concern.

Mr. Ferrabee: That’s the concern, and we don’t know to what extent we are there but we keep at it.

[Translation]

Senator Dagenais: I would like to thank our guests.

I want to come back to the culture of secrecy of certain organizations and even of some of the institutions involved. To what extent does this culture of secrecy threaten to delay decisions in the event of a cyberattack, and what are the consequences?

[English]

Mr. Ferrabee: That’s a very good question. It’s hard to know how secret colleagues or partners are being.

The challenge we have and we try to articulate here is as we move more quickly, the collaborative nature becomes more important and it is dependent on not hiding secrets.

We are trying to adjust that as well, which is almost more at a relational level to make things more transparent, and we are aware of that as an issue to address in the partner relationships we have.

[Translation]

Senator Dagenais: We know that financial institutions deal with their clients. Sometimes, for strategic reasons, they do not want to alert their clients or create a climate of suspicion, because that would be detrimental to the institution. Therefore, they cultivate a certain culture of secrecy.

It is important to quickly take matters in hand and notify the client, because if the client, for whatever reason, is not notified of what is happening, he or she may continue to put themselves in a highly critical situation.

[English]

Mr. Ferrabee: We would certainly not perpetuate secrecy in the event that something came to our attention or awareness. We would not perpetuate or in any way restrict the transparency for those reasons. If we are not aware of it, it becomes hard for us to know. To the extent that we can become aware through our systems, then we would act on that.

[Translation]

Senator Dagenais: Would you like to add something, Mr. Kyle?

Mr. Kyle: Yes, thank you.

[English]

When consumers are affected through cyber fraud or some malicious act that impacts them, there is recourse through the process with their financial institution. And there are changes coming in the regulatory regime under PIPEDA that would require breach notification. Those changes will increase the transparency of material breaches across the country.

Some jurisdictions, Alberta for example — and I believe Quebec, but I’m not sure on that — have a breach notification requirement. For those consumers in those jurisdictions, they can look to their Privacy Commissioners for information about breaches, even in the financial sector if their personal information has been so compromised.

That’s what happens on the retail side of banking with respect to consumers. Our community that connects into our systems and works to transfer funds is much smaller. With the banking community itself, we have strong relationships and so the level of trust, the interaction and the information sharing is much higher in our space. I wanted to clarify that distinction between who our stakeholders are directly and what happens with the consumer in the retail financial system.

[Translation]

Senator Dagenais: I have a more specific question. Do you have an idea of the number of persons that may be involved in fighting cyberattacks?

[English]

Mr. Ferrabee: At Payments Canada?

[Translation]

Senator Dagenais: Yes, among others.

[English]

Mr. Ferrabee: We wouldn’t specify the number of people we have and the resources we are deploying on it, but I assure you it’s material.

[Translation]

Senator Dagenais: Thank you very much.

[English]

The Chair: I want to thank you both very much. This has been extremely helpful to us. We are trying to broaden our understanding, and you have been very helpful with that today. We are indebted to you.

(The committee adjourned.)
