Government mulled appointing director to oversee security of financial industry
As banks and other large financial institutions face a growing threat from cyberattacks, the federal Department of Finance has considered appointing a director to oversee the integrity and national security of the financial sector.
Assistant Deputy Minister Janelle Wright recommended the creation of the position in a briefing note to Deputy Finance Minister Michael Sabia dated Nov. 8, 2021. The document, which The Logic obtained through an access-to-information request, sought Sabia's approval by Dec. 18. The new role would be housed in Finance Canada's financial-institutions division, it shows.
“To address the needs of the organization, the Financial Sector Policy Branch has requested a reorganization of duties and responsibilities within their structure,” the briefing note says.
Finance Canada didn't answer The Logic's questions about whether the creation of the role has been approved, or if it has since been filled.
The recommendation dates from before Russia's February invasion of Ukraine, which has ratcheted up geopolitical tensions and prompted concern from western banks that they could be hit by cyberattacks in retaliation for sanctions on Russian entities.
In January, as the threat of conflict in Eastern Europe loomed, the Canadian Centre for Cyber Security issued a bulletin urging operators of critical infrastructure, which includes organizations in the financial sector, to boost their defences against Russian state-sponsored cyber threats.
A CSIS official said in March that domestic firms now see thousands of cyberattacks every day, including an uptick in state-sponsored cyberattacks.
The federal government has been taking steps for months to increase the oversight of threats to the country's financial sector. In August 2021, the Office of the Superintendent of Financial Institutions, also known as the OSFI, reduced the window for banks and other financial institutions to report cyber incidents from 72 hours to 24. The updated guidance also required financial institutions to indicate if they paid a ransom in ransomware attacks, and said companies that failed to report incidents could be subject to increased oversight.
The OSFI has also worked with the Communications Security Establishment and the Department of Public Safety on addressing cyber risks, according to documents obtained through a separate access-to-information request.
Mathieu Labrèche, a spokesperson for the Canadian Bankers Association, declined to comment on Finance's proposed appointment, but said protecting customers' money and personal information is a priority for banks.
“Banks in Canada are security-mature organizations that are widely recognized for their leading security practices in both the cyber and physical worlds,” Labrèche said. “Banks have over the years invested heavily in technology and security measures to protect their operations and help safeguard the integrity of the broader financial system.”
ESentire, a Waterloo, Ont.-based cybersecurity company, said it saw a fourfold increase in security incidents — in which hackers have gained a foothold inside an organization's network — involving its clients in the financial sector between the fourth quarter of 2021 and the first quarter of 2022. Security incidents involving its customers, which are based in Canada and the U.S., increased to 16 in Q1 after ranging between three and six in each quarter of last year.
The increase could be due to economic sanctions levied against Russia following its invasion of Ukraine, according to eSentire. Recently, the company has seen malware found in Russian hacking forums being used to search for credentials to cryptocurrency wallets.
ESentire's founder and chief innovation officer, Eldon Sprickerhoff, noted that the Canada Revenue Agency has been forced to shut down at least four times due to cyberattacks, including on Aug. 16, 2020 and Dec. 10, 2021. The relatively short interval between the last two shutdowns, compared with previous incidents in 2014 and 2017, points to an increase in attacks on Canada's financial sector, he said.
“Worldwide, the integrity of the financial sector is seen as critical in maintaining confidence in a country and its ability to maintain critical systems for its citizens,” Sprickerhoff said in a statement. “While there are (information-security) groups within the Canadian government, a team with that specific mandate has not yet been established.”
“Ideally, (Finance's) appointment will help to highlight this threat to the existing groups in place … and continue to draw on the expertise of the Communications Security Establishment and other established groups,” he added.