Finance Department at risk of big-impact cyberattack: analysis
OTTAWA — A newly released internal analysis says the federal Finance Department faces a moderate risk of a cyberattack that could deliver a significant blow to its ability to carry out crucial government operations.
Finance, like other federal departments, publicly discloses a handful of its corporate risks — but a list obtained by The Canadian Press provides a deeper look at key concerns for 2018-19 left out of the public’s view.
Unlike the public document, the internal analysis gauges both the likelihood and severity for seven corporate risks facing Finance Minister Bill Morneau’s department.
The analysis says given the sensitivity of data under its control and the prevalence of security incidents in the public and private sectors, there’s a medium risk of a breach or disruption that delivers a significant hit to the department’s reputation and ability to provide policy advice and execute critical government operations.
The internal list, obtained under the Access to Information Act, also features four additional threats that were not made public in the department’s annual report, released in the spring.
They range from the risk the department will be unable to attract and retain skilled staff for key positions, to the lack of a formal, consistent structure to store and manage information.
“Of the seven corporate risks ... five are now considered key corporate risks because of their significant risk score (high and medium-high level) and their link to the departmental mandate,” said the document, prepared in late February for deputy finance minister Paul Rochon and restricted to “very limited distribution.”
For each risk, Finance laid out strategies to mitigate them.
Finance and the Treasury Board have been targeted before.