Item - 2022.AU12.4

The Audit Committee recommends that:

1. City Council adopt the confidential instructions to staff in Confidential Attachment 1 to the report (May 20, 2022) from the Auditor General.

2. City Council direct that Confidential Attachment 1 to the report (May 20, 2022) from the Auditor General be released publicly at the discretion of the Auditor General, after discussions with the appropriate officials at the City and its agencies and corporations.

Cyber threats are on the rise and continue to evolve. Many municipalities in Canada and the U.S. have been affected by cyberattacks in recent years. The Toronto Transit Commission was recently hit by a ransomware attack in October 2021.¹

In Canada, the estimated average cost of a data breach is $6.35 million.² As cybersecurity threats expand and become more complex, the Auditor General continues to proactively examine the controls and evolving cyber threats to the City, its agencies and corporations, and make recommendations to improve cybersecurity.

Cyber attackers leverage the data available over the internet for an organization and its staff to launch cyberattacks. It is important that the data available over the internet is monitored, and actions are taken to reduce the cyberattack surface. We used Open-Source Intelligence (OSINT) gathering for data available on the internet to perform this review.

The objective of this review was to identify information available over the internet that may present cybersecurity risks to the City and its agencies and corporations. The organizations reviewed included:

·         City of Toronto

·         Toronto Police Service

·         Toronto Public Library

·         Toronto Transit Commission (TTC)

·         Toronto Hydro

This report contains two recommendations. The confidential findings and recommendations from our review are contained in the Confidential Attachment 1 to this report.