Committee
John McKay
Lib. (ON)
Folks, we're trying to get back on our timeline here. We are waiting for our other witness, but in the meantime, we will proceed with RCMP captain Mark Flynn.
You will make your presentation, and if the folks from the Communications Security Establishment come, we'll make arrangements for them to speak as well.
The meeting is now public, by the way.
For those who are presenters, the real issue here is that the members wish to ask questions. Therefore, shorter presentations are preferable to longer ones.
With that, Superintendent Flynn, I'll ask you to make your presentation.
André Boucher
2019-07-15 13:52
Thank you, Mr. Chair. As requested, I'll keep my presentation on the shorter side.
Mr. Chair and honourable members of the committee, my name is André Boucher, and I am the associate deputy minister of operations at the Canadian Centre for Cyber Security.
Thank you for the opportunity to appear before you this afternoon.
Let me begin with a brief overview of who we are.
The Canadian Centre for Cyber Security was launched on October 1, 2018 as part of the Communications Security Establishment. We are Canada's national authority on cybersecurity and we lead the government's response to cybersecurity events.
As Canada's national computer security incident response team, the cyber centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response.
The cyber centre's partnerships with industry are key to this mission. Our goal is to promote the integration of cyber defence into the business model of industry partners to help strengthen Canada's overall resiliency to cyber threats. Despite these efforts and those of Canada's industry, cyber incidents do still happen.
This brings me to the topic we are here to discuss today. The cyber centre is not in a position to provide any details on this incident and does not comment on the cybersecurity practices of specific businesses or individuals. Any cyber breach, not just this specific instance, can be taken as an opportunity to revisit best practices and to refine systems, processes and safeguards.
In this case, media reporting and public statements indicate that the disclosure of personal information occurred as a result of the actions of an individual within the company—what is termed insider threat.
In our recent introduction to the cyber-threat environment, the cyber centre described the insider threat as individuals working within an organization who are particularly dangerous because of their access to internal networks that are protected by security parameters. For any malicious actor, access is key. The privileged access of insiders within an organization eliminates the need to employ other remote means and makes their job of collecting valuable information that much easier. More broadly, what this incident underscores is the human element of cybersecurity. The insider threat is only one example of this.
Cybercriminals have proven especially adept at exploiting human behaviour through social engineering to deceive targets into handing over valuable information. Fundamentally, the security of our systems depends on humans—users, administrators and security teams.
What can we do in a world of increasing cyber-threats? At the enterprise level, adopting a holistic approach to security is critical. This means starting with a culture of security and putting in place the right policies, procedures and cybersecurity practices. This ensures that when something goes wrong, as it almost inevitably will, there is a plan in place to address it.
Then we need to invest in knowing and empowering our people. Training and awareness for individuals and businesses are very important. Only with awareness can we continue to develop and instill good security practices, a fundamental step in securing Canada's cyber systems.
As well, we always need to identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond.
At the cyber centre, we'll continue to work with industry and to publish cybersecurity advice and guidance on our website. We regularly issue alerts and advisories on potential, imminent or actual cyber-threats, vulnerabilities or incidents affecting Canada's critical infrastructure.
Under, we hope, different circumstances, we'll continue to participate in conversations like this one, which help to keep the spotlight on these issues.
Ultimately, there is no silver bullet when it comes to cybersecurity. We cannot be complacent; there is too much at stake. While long-promised advances in technology may make the task easier, the need for skilled and trustworthy individuals will remain a constant.
Thank you, and I look forward to answering your questions.
Glen Motz
CPC (AB)
Approximately 2.9 million entities, individuals and Canadian businesses, are impacted by this particular occurrence, but millions of others across this country have also been victims of having their identities and credit card information stolen. They may not find solace in that particular statement that we have a mature banking industry in this country, because they continue to be victimized. I'm curious to know whether we are as vigorous in that way as we could or should be in pursuing the financial security of those institutions and of the people who put their trust in them.
André Boucher
2019-07-15 14:07
I can assure you that we're quite vigorous in taking all the measures at our disposal, whether they be best practices in collaboration or measures that are enforced and in place.
The sad or unfortunate reality that we all have to compose with is that, as was pointed out earlier, when data gets lost and gets in the wild, we never get to recover it. It is not like a tangible asset that you can go and purge and bring home. It is a new reality for clients, it is a new reality for customers and it is a new reality for enterprises.
I would go back to the comment I made earlier that it just puts more fuel into the need to invest early, with early investments in having programs, in choosing our employees better, and in making sure we have a holistic approach to security to make sure we don't find ourselves trying to recover our losses.
Annette Ryan
2019-07-15 14:39
Thank you, Mr. Chair. I will go first, if that's all right.
My name is Annette Ryan. I am the associate assistant deputy minister of the financial sector policy branch within the Department of Finance. I am joined by Robert Sample, director general of the financial stability and capital markets division, as well as Judy Cameron, managing director of the Office of the Superintendent of Financial Institutions Canada, and her colleague. We are pleased to appear before you today.
My remarks today will address two areas that, I believe, are pertinent to the issues before you. Specifically I will clarify the roles of government departments and agencies and private sector actors within the federal financial sector framework and update the committee on efforts being undertaken by the Department of Finance, federal regulatory agencies and banks in support of cybersecurity and data protection.
Protecting the privacy and security of Canadians' personal and financial data is an objective shared by both levels of government and the private sector, and it is one that's crucial for maintaining continued trust in Canada's banking system.
I'll address the roles within the federal government and then discuss provincial government and private sector roles.
The Department of Finance along with federal financial sector oversight agencies has responsibility for the laws and regulations that govern Canada's federally regulated banking system. We collectively set expectations and oversee implementation to ensure that operational risks related to cybersecurity and privacy are properly managed by the financial institutions that we regulate.
The Minister of Finance has overarching responsibility for the stability and integrity of Canada's financial system. Cybersecurity is a primary aspect of financial cyber-stability as it ensures the sector remains resilient in the face of cyber-threats and attacks.
In turn, Public Safety has recognized the financial services industry as being a critically important sector within its wider national critical infrastructure strategy.
The Department of Finance works closely with a range of partners responsible for financial regulation and cybersecurity both domestically and internationally to ensure that the sector is adopting appropriate cyber-resiliency and data protection practices and that the specific needs of the financial sector are considered within economy-wide policies and statutes that relate to cybersecurity and data security.
I'll describe the general responsibilities among financial regulators. The Office of the Superintendent of Financial Institutions is the prudential regulator of federally regulated financial institutions, including banks. OSFI develops standards and rules for managing cyber-risks as is consistent with its wider oversight of operational risks that institutions must manage.
The Bank of Canada monitors financial market infrastructures, such as payment systems, to enhance resilience to cyber-threats, and the bank coordinates sector-wide responses to systemic-level operational incidents.
Other federal agencies have responsibilities for laws of general application in respect of privacy. The Office of the Privacy Commissioner of Canada oversees the banks' compliance with Canada's private sector privacy legislation, the Personal Information Protection and Electronic Documents Act, known as PIPEDA. PIPEDA sets out requirements that businesses must follow when collecting, using or disclosing personal data in the course of commercial activities. These include putting in place appropriate security safeguards to protect personal data against loss, theft or unauthorized disclosure.
The Department of Innovation, Science and Economic Development has overall policy responsibility for PIPEDA. In November of 2018 the Government of Canada implemented amendments to PIPEDA related to data breach reporting requirements and associated monetary penalties for failing to report.
As you've just heard, other federal departments and agencies, including Public Safety, the Canadian Centre for Cyber Security and the RCMP, share responsibilities with respect to broader Government of Canada cybersecurity initiatives.
It is important to note that supervisory responsibility for the financial sector in Canada is divided between federal and provincial governments. Provinces are responsible for the supervision of securities dealers, mutual fund and investment advisers, provincial credit unions and provincially incorporated trust, loan and insurance companies.
Accordingly, federal and provincial financial sector authorities have protocols in place for information sharing, particularly where matters of financial stability are concerned. Financial institutions, themselves, of course, are most immediately responsible for maintaining cyber and data security on a day-to-day basis, directly managing operational risks through an extensive series of protective and preventative measures, both individually and through industry-level co-operation.
These are supported by policies and standards that are continually updated to address the evolving threat landscape and remain in line with industry best practices.
Cyber-attacks are a serious and ongoing threat. I will focus on some of the steps being taken by the Government of Canada, the financial sector, regulatory agencies and the banks to ensure cybersecurity in the financial sector.
In budget 2018, the federal government invested over half a billion dollars in cybersecurity, and in October of 2018, it established the Canadian Centre for Cyber Security, which serves as a single window of technical expertise and advice to Canadians, governments and businesses. The centre defends against cyber-threat actors that target Canadian businesses, including federally or provincially regulated financial institutions, for their customer data, financial information and payment systems. Efforts to address cybercrime have been further bolstered by the newly created national cybercrime coordination unit within the RCMP, which provides a national cybercrime reporting mechanism for Canadians, including incidents related to data breaches or financial fraud.
More recently, in budget 2019, the government proposed legislation and funding to protect critical cyber systems in the Canadian financial, telecommunications, energy and transport sectors.
Our colleagues at the Treasury Board Secretariat continue their work with provincial governments, financial institutions and federal partners toward a pan-Canadian trust framework for digital identity with the goal of strengthening digital ID protection in the context of cyberthreats.
On the regulatory side, earlier this year OSFI published new expectations on technology and cybersecurity breach reporting via the technology and cybersecurity incident reporting advisory. This is intended to help OSFI identify areas where banks can take steps to proactively prevent cyber incidents, or in cases where incidents have occurred, to improve their cyber-resiliency.
While the first objective is to prevent data breaches, the reality is that these events happen and are not localized to the financial sector. Having said this, when cyber events occur at a federally regulated financial institution, control and oversight mechanisms are in place to manage them.
To summarize, cybersecurity is an area of critical importance for the Department of Finance. We are actively working with partners across government and in the private sector to ensure that Canadians are well-protected from cyber incidents and that when incidents do occur, they're managed in a way that mitigates the impact on consumers and the financial sector as a whole.
Thank you for your time. I'm happy to take questions.
Guy Cormier
2019-07-15 15:45
Thank you very much.
Good afternoon, Mr. Chair and members of the Standing Committee on Public Safety and National Security. I'm joined this afternoon by Denis Berthiaume, Senior Executive Vice-President and Chief Operating Officer, and Bernard Brun, Vice-President, Government Relations, Desjardins Group.
First, I want to say that, at Desjardins, we were ambivalent about this exceptional committee meeting.
On the one hand, this meeting may seem premature, since we're in the process of managing this situation and the police investigations are ongoing. It's far too early to assess the situation. As such, we intend to tell you everything that we know, but in a way that won't interfere with the ongoing investigations.
On the other hand, we see this special meeting as an opportunity to inform legislators and the public about the security of personal information and the need to rethink the concept of digital identity in Canada. In my reflection process, this point prevailed.
First, I'll state the obvious. What happened at Desjardins has happened elsewhere and could happen again in any private company or public organization whose mission involves personal information management. We can think of several banks around the world, such as the American bank Chase, Sun Trust, the Korea Credit Bureau, or a number of government entities in Canada and the United States, to name a few, that have been the victims of malicious employees.
Desjardins is a leading financial institution and one of the largest cooperative financial groups in the world, with more than $300 billion in assets. In 2015, Bloomberg ranked the Desjardins Group as the strongest financial institution in North America, ahead of all Canadian banks. In other words, even the best aren't immune, and we believe that this message must be heard.
Personally, I've been working at the Desjardins Group for 27 years. I chose this organization at the start of my career because the financial institution has managed, after nearly 120 years, to successfully combine the economic and social aspects of our society.
The malicious actions of one employee led to this deplorable situation. That employee has now been dismissed. He violated all the rules of our cooperative. In this situation, we acted as quickly as possible and as transparently as possible, with the sole objective of protecting the interests of our members. That was our priority.
On June 20, a few days after learning of the extent of the situation, we went public and shared all the information available, in conjunction with the police forces. At that time, we also announced the measures implemented to address the privacy breach.
We've taken all the necessary measures to address the situation. We quickly implemented additional monitoring and protection measures to protect the personal and financial information of our members and clients. We informed all the relevant authorities, including the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Autorité des marchés financiers, the Office of the Superintendent of Financial Institutions, and the Quebec and federal departments of finance.
We've implemented additional measures to confirm the identity of individuals when they contact us. We're constantly monitoring all our members' accounts. The procedures for confirming the identity of our members and clients when they call the Desjardins caisses, Desjardins Business centres and our AccèsD call centre have also been the focus of additional measures.
We contacted the affected members through the AccèsD private messaging system and by personalized letter, to inform them of the situation and of the steps that they needed to take.
We've also added extra measures to help with the activation of the Equifax monitoring package. The affected members can now register in four ways. They can register on the Equifax website, through the AccèsD telephone service, through the AccèsD web and mobile application, and directly in our Desjardins caisses by speaking with their advisor.
We're actively working with the different police forces. Lastly, we're working with external experts to continue to protect our members' personal information.
I can confirm that we acted diligently. After we received information from the Laval police service, we conducted an internal investigation and quickly traced the source of the breach to a single employee. The employee was suspended and then dismissed.
At this time, our main priority is to reassure, assist, support and protect each and every member affected by the situation.
Again this morning, we announced new protection measures for all our members. In this digital age, we at Desjardins believe that all our members must be protected.
As I was saying, Desjardins announced this morning that, from now on, all members of our cooperative will be protected from unauthorized financial transactions and identity theft. Membership is automatic and free of charge, regardless of whether they've been affected by the data breach. Since this morning, Desjardins has been protecting all its individual and corporate members. This sets a precedent in the financial services world in Canada. We're the first institution to take this step. In this situation, Desjardins is acting with rigour, a sense of duty and the willingness to honour its special relationship with its members.
We've entered an age where data is a resource on par with water, wood and the raw material needed to run entire sectors of our economy. Data is now the raw material for a whole innovative economy that will lead to tremendous productivity gains and make life easier for Canadians.
Canada is a few months away from the implementation of 5G mobile connectivity, which will increase the flow of data tenfold. According to experts, this ultra-fast connectivity will lead to futuristic applications related to artificial intelligence. Canada is already among the world leaders in this area with its three hubs, Montreal, Toronto and Edmonton. In addition, as we speak, the Department of Finance Canada is in the process of conducting a consultation on open banking, which would help open up the transactional sector. Several European countries have already made the shift.
I'll humbly ask you, the legislators, the following questions.
Is Canada currently well equipped to manage these promising technological developments, which also involve new risks? Should our identification systems be adapted to the digital age to ensure the protection of privacy and to better deal with cybercriminals? This issue is the whole notion of digital identity, which I referred to a few minutes ago.
I want to respectfully point out that these are real issues raised by the situation at Desjardins.
In closing, I want to make a proposal. I'd like to invite the committee to recommend to the Government of Canada the creation of an ad hoc multi-stakeholder working group to advise the government on how to regulate the management of personal data and digital identities. We believe that a group that listens to Canadians' concerns should at least include representatives of governments, the financial services and insurance sector, and the telecommunications sector, along with jurists and experts, or any other group that the government deems it appropriate to involve in the reflection process.
The mandate of this committee should consist of advising the government on legislation and regulations; ensuring the protection of the public; encouraging innovative technological development for the benefit of Canadians and communities; and ensuring the strategic monitoring of best practices around the world, so that Canada is always up to date.
I personally believe that Canada can't pursue excellence in digital technology and artificial intelligence without having the same ambition for data and personal information management. We must all learn from the current situation at the Desjardins Group.
Thank you.
Rhéal Fortin
BQ (QC)
Thank you, Mr. Chair.
Mr. Cormier, Mr. Brun and Mr. Berthiaume, I too will begin by congratulating you. I must admit that when I arrived here this morning, I had questions and concerns, which you answered. I think that your statement this morning is very beneficial to Desjardins. I too am affected by what happened at Desjardins, and I appreciate the measures you have taken.
About two or three weeks ago, the Bank of Canada established the Financial Sector Resiliency Group to address IT threats. As far as I know, Desjardins Group has not been invited to join this group. Chartered banks, among others, and systemically important banks were invited.
First, can you confirm that Desjardins Group has not been invited? Then, do you consider it would be appropriate for it to participate in such a working group?
Bernard Brun
2019-07-15 16:44
Thank you for this very relevant question.
The Bank of Canada obviously has an extremely important role to play in ensuring financial stability. Recently, it announced the creation of a committee to develop supervision and review oversight by discussing matters with all kinds of partners. Naturally, it turned to the big banks and the regulator. We have had discussions with people at the Bank of Canada and we feel that they have an opportunity to explore this.
As already mentioned, the financial system is extremely interconnected. All the players in this sector have issues, regulations and regulators, but they must be able to work together, go beyond that and discuss matters. We certainly have a great interest in participating in all of this. We felt that there was an opening in this direction and we are waiting to see what form this will take.
Desjardins Group is certainly a Canadian and Quebec financial institution of systemic importance. If there are discussions, we should be involved.
Pierre-Luc Dusseault
NDP (QC)
Okay, thank you.
I would like an update on another topic.
Last year, the budget implementation bill provided some flexibility for fintechs. The bill provided some regulatory powers to clarify how fintechs could operate in the sector, and it was expected that regulations would follow. Is the work still ongoing? When will these regulations be published in Part I of the Canada Gazette?
Leah Anderson
2019-06-18 11:34
Mr. Chair, I can take that one.
As part of our review of the financial sector statutes that we do every five years, we did a comprehensive review. One of our priority areas of recommendation was to provide greater flexibility for banks and FINTRAC to partner, either through outsourcing or having FINTRAC business activities in-house. We had the opportunity to engage with industry over the spring on how we would operationalize this added flexibility. We are well advanced in the policy development, and we are currently in the process of working on drafting that and would be in a position to bring it forward, we hope, this fall.
Matthew Dubé
NDP (QC)
Thank you, colleagues.
I will now move to our witness. I want to thank Mr. Johnson for his patience. The procedural wrangling that goes on in this place does have that impact sometimes. Joining us by video conference, we have Brian Johnson, who is Senior Director for Information Security at PayPal.
You have 10 minutes, Mr. Johnson, for your opening statement. We'll take questions from the members, and we thank you for taking the time this afternoon.
Brian Johnson
2019-05-29 16:21
Thank you very much. Good afternoon, Mr. Chairman and members of the committee.
Again, my name is Brian Johnson and I do serve as the Senior Director of Information Security at PayPal. I appreciate your giving us the opportunity to speak with you today and for making the time in your busy schedule.
I suspect you all know a bit about PayPal generally speaking, but allow me to add a bit of detail.
Founded in 1998, PayPal is a leading technology platform company that enables digital and mobile payments on behalf of more than 277 million consumers and merchants in more than 200 markets worldwide. We offer online and mobile merchant acquiring and money transfer services. PayPal is the most popular digital wallet in Canada.
We are based in San Jose, California, and our Canadian headquarters is in Toronto with offices in Vancouver. PayPal Canada was incorporated in 2006. We have more than 7.1 million customers including more than 250,000 small business customers in Canada.
Fuelled by a fundamental belief that having access to financial services creates opportunity, PayPal is committed to democratizing financial services and empowering people and businesses to join and thrive in the global economy. Our open digital payments platform gives PayPal's 277 million active account holders the confidence to connect and transact in new and powerful ways, whether they are online or on a mobile device. Through a combination of technological innovation and strategic partnerships, PayPal creates better ways to manage and move money, and offers choice and flexibility when sending payments, paying or getting paid.
We believe now is the time to reimagine money and to democratize financial services so that managing and moving money is a right for all citizens, not just the affluent. We believe that every person has a right to participate fully in the global economy. We have an obligation to empower people to exercise this right and improve their financial health. As a fintech pioneer and an established leader, we believe in providing simple, affordable, secure and reliable financial services and digital payments that enable the hopes, dreams and ambitions of millions of people around the world. We have a fundamental commitment to put our customers at the centre of everything we do.
Securing our customers and their data is central to our mission. For financial companies, data security is the main pillar. Through strong partnerships, strategic investments and a tireless commitment to protecting consumers, PayPal has resolved to be an industry leader in cybersecurity capabilities and to help make the Internet safer.
We have in our favour more than 20 years of experience in processing electronic transactions safely. PayPal has one of the most sophisticated fraud prevention engines in the world, which gets smarter with every transaction that goes through our system. With our advanced fraud monitoring technology, we detect and prevent attacks before they happen.
Security is in our DNA, and it's at the epicentre of all that we do at PayPal. We are the number one trusted brand of e-commerce and mobile commerce around the world. People trust PayPal because they know that we don't share customers' financial information with merchants, retailers or online sellers. Our robust security standards ensure that every part of a transaction is safe and secure.
At PayPal we believe we have a responsibility to help protect our users against harm. Privacy has always been one of our main concerns. Our customers trust us with their data. We take that trust very seriously. We collect only the data that's necessary to fulfill services that a customer requests, to improve product experiences and deliver relevant PayPal advertisements and to prevent fraud. We never sell or rent customer information.
It's commonly held among global law enforcement agencies that cybercrime and online methods of fraud are now more common than crimes committed in the offline and physical world. As the committee is certainly aware, over the last five years, the RCMP alone has observed an almost 50% increase in cybercrime reports from Canadians. I applaud the committee for aggressive action and for its support of Canada's national security strategy, by including significant funding for investments in cybersecurity as part of your commitment to safety and security. Building an innovative and adaptive cyber-ecosystem is a crucial step to being able to quickly scale and combat emerging threats to critical infrastructure, government, business and individuals' digital information.
To conclude, I would like to emphasize PayPal's commitment to cybersecurity and our willingness to work together with the Canadian government and industry.
Thank you again for the invitation to discuss these very relevant topics and to represent PayPal's strong position in support of consumer data protection and privacy.
I'd be happy to answer any questions you may have.
Ruby Sahota
Lib. (ON)
Thank you, Mr. Johnson, for being here today.
Are there any differences in how you operate in Canada versus the U.S., or are you mainly based out of the U.S. and that's where all the information ends up when Canadians are using your service?
Brian Johnson
2019-05-29 16:26
[Inaudible—Editor] by PayPal customers are stored within U.S. data centres and localized data housing, so localization of data of Canadian customers is also contained within the U.S.-hosted facilities.
Ruby Sahota
Lib. (ON)
To clarify, there's no difference in how you operate when it comes to Canadian customers versus the American customers, right?