AM&M webinar

Cybersecurity – how to remain resilient and unlock future business growth

Watch the on-demand replay as advanced manufacturing and mobility sector leaders discuss how to effectively protect your organization from cyber threats and drive security by design.

Topics discussed include:

  • Operational technology: how to secure it and why ransomware attacks are the number-one risk to your operations
  • Resilience, backup and recovery: why this three-step approach is more important than ever
  • Business continuity planning: why it’s increasingly vital to the safety of your business
  • Getting ahead of regulators: what you can do when faced with cyber threats and ransomware

This is an automatically generated transcript and there could be sections where the quality of the transcript is impacted.

  • Transcript

    Zahid Fazal:

    Good morning or good afternoon, everyone. My name is Zahid Fazal, and I'm EY Canada's Advanced Manufacturing and Mobility Leader. Today, I have the pleasure of kicking off our Innovation Forum of the Future series. This new series will include virtual events and thought leadership tailored to your needs and the needs of today's manufacturing and mobility organizations. So, please stay tuned for more events and great content over the months to come. I know the reason many of you are here today is not because of me, but rather because you want to hear from some of the great panellists who've joined us today, and I thank them in advance. We have a jam-packed agenda ahead of us and I'm looking forward to some robust discussions in the next hour or so. But before we start, just a couple of housekeeping details. Closed captioning can be accessed directly from the player controls: CC1 is for English, CC2 is for French. Please also note that you might experience some minor delays in the closed captions. And finally, at the end of the session, please take a minute to complete the survey. We really appreciate your feedback. Let's now get down to business. Today's webinar will shine a spotlight on a topic we hear a lot about: cybersecurity. According to our 2021 Global Information Security Survey, 40% of business leaders are concerned about managing cyber threats more than ever. Now we should be asking, why are they concerned? And there are three main reasons. The first one: the risk itself has changed. Leaders are realizing that you cannot tackle the increase in this risk without drawing better connections between different functions within an organization. The second reason: innovation is happening everywhere. Cloud is now the foundation of emerging technology. Developers are building new code and defining the servers to house it themselves. 
    Nearly 40% of organizations view the relationship between security and product development teams as neutral, with a low level of consultation, and this no doubt prevents security and privacy by design from taking hold. The third reason we see is that cybersecurity and privacy are invited too late to the party. Although many organizations are already looking beyond Cloud 2.0 and addressing serverless technologies and blockchain through Cloud 3.0, cyber resources remain disconnected from the planning process. Less than a quarter of Canadian organizations bring cyber and privacy in at the planning stage, and this can lead to costly ramifications, resulting in designs built without appropriate security safeguards and privacy settings. Now, all of this is a result of something unexpected that happened over the course of the pandemic. The world shifted to immediately focusing on secure remote access and connectivity. So, what does all of this mean? New and emerging cyber risks are mounting as threat actors become increasingly mature, and legacy frameworks and internal disconnects within organizations represent serious gaps that must be addressed now. So, embracing new ways of managing the risk and creating a culture change can help entrench cybersecurity in every aspect of your business. And no doubt this will help build resiliency and drive future growth. Today's panellists will share their insights on how to effectively protect your organizations from cyber threats, drive security by design, remain resilient and unlock future growth. So, without further ado, let me welcome our moderator, Nicola Vizioli, Partner and EY Canada's Cybersecurity Consulting Leader, and our three great panellists: Geneviève Bertrand, Senior Vice President, Information Technology at Kruger; Peter Elliott, Global Information Security Officer at Magna; and Stuart McDonald, Chief Information Officer at WestJet. Thank you.

    Nicola Vizioli:

    Thank you, Zahid. I appreciate the intro, and good afternoon, and good morning to those of you in western Canada. Hello to all, and welcome to our session on cybersecurity. Thank you for taking the time to attend the session on cybersecurity. Unfortunately, it is still a hot topic and something no company is really immune to. Cybersecurity is a risk that impacts every single company out there, every industry, and there is an increased focus of cybercriminal groups specifically attacking the advanced manufacturing and mobility industry. So, let's jump right into it. We're going to break the ice with Geneviève Bertrand. Geneviève, I would like to ask you the first question. I know that you are very busy. Over the last few years, you have been in charge of a digital transformation and a shift to cloud information technology. You started to combine or create a convergence between information technology and operational technology. How has your cybersecurity evolved, and what are you doing differently now from what Kruger was doing in the past?

    Geneviève Bertrand:

    Nicola, thank you very much for your question. I'll be the French speaker today, so I hope the machine learning is amazing for all the other people out there. I had the pleasure of joining Kruger in November 2017. I came from Desjardins, so the financial industry. At that time, my discussions with the Kruger executives were them saying: “Oh, you will see, the cybersecurity risks are not as high in the manufacturing field as in the financial field.” Clearly, the world has changed a lot, as was said in the introduction, and Kruger’s cybersecurity team is growing. It was a team that did not officially exist when I arrived at Kruger. Now, what we realized as well is that, in a certain way, it’s easier to speak about cybersecurity concepts at the information level rather than at the business applications systems level. The big transformation and the big topic of conversation that we had was with our colleagues in operations and engineering, whose operational technology we worked hard to secure. The topic of today, manufacturing, is very interesting, and it’s a pertinent conversation in the industry that will persist for a long time.

    Nicola Vizioli:

    In an operational technology environment, what changed everything for Kruger from a cybersecurity perspective?

    Geneviève Bertrand:

    Well, Kruger is a vast company that impacts all kinds of things. In energy production centres, we know that, unfortunately, these centres are targets. We also operate water treatment centres and electricity production centres, for our own manufacturing needs or for sale. What changed for us is really the recognition of the interest of malicious persons and persons who want to cause tension, and the critical impact that may have on our revenue, our prosperity, and our daily operations.

    Nicola Vizioli:

    Thank you very much. There is an increase in new technologies, and these new technologies are increasing the risks and exposure. They are often introduced very rapidly. And this, I'm sure, is concerning many of the leaders who need to manage security risks. Stuart, if I may ask you a question. From a cybersecurity and privacy perspective, these two topics are not always brought in during the planning stages of a solution development or selection, which often means that the designs aren't built with security safeguards and default privacy settings. How can we change this approach, and how are organizations such as WestJet balancing the speed of executing an IT project with security?

    Stuart McDonald:

    I will personally thank you for having me. I'm responding in Australian, so I don't know what they will do for your closed captioning processes today, so we'll see how that goes. I think there are sort of two sides to this equation. One is you have to have a strong architectural practice where security is an equal partner. I do remember working in a prior company where the [INAUDIBLE] generic response was, that's it, we're going to shut everything down. And that for me was more of a, you know, a failure of governance and really sort of the cyber practice itself in terms of working out how to influence and build itself into the fabric of the organization. Because when it comes to security, 80 to 90% of the workloads and use cases should be standards. They're not unique. They're not bespoke. And so, you have to make sure that you have an architectural practice that has teeth. And so here at WestJet, we do have a dedicated architectural team, with architectural governance that sits behind that, which I actually also attend just to make sure that everybody understands the importance of architecture-driven transformation of an organization. And then I think the second side of that is education on risk, whether it's operational risk, being a safety-first company as we are, I can easily translate something as simple as ransomware taking over our operational control centre, which directly controls our aircraft. And so, it's about turning these ethereal risks into things that are very tangible for the organization or, more specifically, given we also fly into Europe, with regard to GDPR, education around the risks of fines. The implications associated with a breach under GDPR are 4% of your revenue. So, when you're talking to the commercial teams about how quickly they want to go, you can very easily erode new revenue opportunities with multimillion-dollar or hundreds-of-millions-of-dollar fines, as we've seen some of our industry partners have already gone through. 
So, I think both of those have to go hand in hand with the educational side, both from a board level all the way through the operational sides of the teams and making sure that you enforce that with teeth through the architectural practice itself.

    Nicola Vizioli:

    Ok. I see that you embed security in everything that you do, so the security by design concept, would that be considered a good practice at WestJet and a practice that's commonly used during your development lifecycles and IT projects?

    Stuart McDonald:

    I'd like to say it was always the case for our 25 years of history, but that would probably not be necessarily completely true. So, I think there is always a catch-up that goes with that. There's remediation and legacy debt that you've built over a period of time. And you know, the first couple of years, even when I was at WestJet, it was dealing with some of those enterprise debt problems that we had and building the awareness of security, but everything going forward is now built in. Does it mean we have every pattern established? No. But it still means that we can use the architectural groups themselves to build those patterns as we move forward. So, over time, we should start to get faster and faster as we put new solutions in.

    Nicola Vizioli:

    All right, thank you. Thank you for sharing that insight. Peter, let's bring you into the conversation now. And I want to pick your brain a little bit as a Chief Information Security Officer for a global company like Magna. What would you consider is your biggest risk for an organization like yours from a cybersecurity perspective, obviously?

    Peter Elliott:

    Well, again, yeah, thank you for having me, and great to be here with some of my colleagues in other industries. Yeah, they are numerous, right? So, there's a few that I can think of right off the top of my head. So, it was touched on in the intro here. I mean, the threats continue to escalate, and I mean, just to pull at that thread a little bit. I mean, the advent of ransomware as a service and the reduced, you know, sort of barrier to entry to be able to monetize attacks is really something that I think drives a lot of the sort of risk that we see out there, particularly in cyber. But along with that comes, and I think everyone, you know, feels this as of late, the challenge in finding and retaining talent. It's really become a challenge. The combination of the escalating threats and, you know, the scarcity of talented cybersecurity professionals are two of the big challenges. With Magna specifically, and I mean, we're probably not the only company that has a model like this, Magna also has, and is fiercely proud of, its decentralized or federated operating model. And what's happened over time is we've realized that it's impossible to defend an organization that approaches cybersecurity in a decentralized manner. You know, information is key. Being able to know your assets, being able to know what's going on in your environment is key to defending it. But I mean, and again, these are very common themes, right? Supply chain and digitization. For a company like Magna that is a Tier One automotive supplier, that means that we supply products directly to the auto manufacturers. The massive supply chain, the scope is just enormous. Throw into that sensors and production environments, I mean, everything has an IP address on it now. It's just a very, very large sort of attack surface. So, you know, without sounding negative in answering your question, I mean, how do you address it? Well, it all comes down to prioritization, right? 
Understanding what those threats are, prioritizing them in terms of likelihood. And then, you know, implementing programs in order to address those at a reasonable risk tolerance level.

    Nicola Vizioli:

    Ok, thank you for that. And one of the key things I'm seeing when talking to different CEOs is really that talent shortage out there. What are some of the steps that you've been taking to attract and mostly retain the good cyber practitioners out there?

    Peter Elliott:

    Right. So, we've taken sort of a multi-faceted approach at Magna. So, definitely staff augmentation and leveraging managed security service providers is part of that. You know, the team that we have internally, obviously, we try to retain that talent as much as we can. But also, you know, again, I think it's really important to try and bring in new talent, right? I mean, we're all competing for the same very scarce resources, and we need to bring more resources into the pool, so to speak. So, you know, investing in training, you know, new graduates is also sort of a key to that. So, I think it's multi-faceted. I don't think there's really one answer to that question.

    Nicola Vizioli:

    Okay. And you really laid out some good reasons why a lot of people in the industry are of the saying, 'it's not if we will get breached, but when'. On this basis, Geneviève, I would like to ask you a question. In the case of a cybersecurity incident, what measures have you created to prepare your company?

    Geneviève Bertrand:

    That’s a bit of a short question that maybe has a complex response. The first thing is the concepts that Peter spoke of: to have a standardized structural model of which hardware we want to deploy and how to do it. At Kruger we are lucky to still be opening new factories, like what has been done in the last 18 months in Cherbourg. That way we know that it has been done well, and we have a standardized way of protecting ourselves. That’s the first thing. We also deployed a managed detection service. It’s important to remain aware and have artificial intelligence constantly watching all of our endpoints. I think something like that is a super resource to protect from misery and, as Peter was saying, to help one sleep at night. The second thing, I would say, is an annual disaster recovery training exercise. And now, what we’re doing is really a partnership with the business sectors to identify the critical applications, at what tolerance to bring them back, which order to bring them back in, and we practise that. At a really specific level in operations, we are centralizing servers to become more efficient in recovery. The third thing, I would say, is to do an annual review of our emergency plans with our executives. With people from all our sites, what I call it is like a “fire drill.” Everyone does it, hotels, at home; well, it must be done with the same discipline in cybersecurity. One new thing we offered with much enthusiasm in December at Kruger was a specific three-hour meeting with our operational engineering agents, and we conducted a simulation with them. There, we were able to see the beauty of their brains saying: “Ah, what should we be doing for the water treatment plant?” “What should we be doing for the boiler?” Obviously, in the manufacturing sector, there are machines that cannot just be stopped immediately. One must engage in critical thinking and think about resilience and business continuity; what is the role of each employee. 
Because, unfortunately, over the past year with the water treatment centres in Florida, Nicola, you said it, it was only one employee that was attacked. And the last thing I would say, as I said it would be four things, is improving the conversation with our engineering and operations colleagues, as well as formalizing our informational procedures and routines to restore the back-ups and saved data, and what we should be doing on a daily basis to ensure data and employee security.

    Nicola Vizioli:

    Thank you, Geneviève, those are some very good points. Thank you, Geneviève. I think this highlights the importance of not only investing in prevention but if I heard you right, also having a response plan. And one of the key things I'm taking away from your responses is really preparing your executives to be ready in the event they need to match a cyber incident. Stuart, on this question for you. Have you seen a change at the executive level board level when it comes to cybersecurity over the past few years?

    Stuart McDonald:

    You know, I used to believe that the best way of getting a board member to explore new concepts was to put an article in an in-flight magazine. So, I think we've certainly moved on from that. I think the interesting thing in regards to COVID is it's actually given boards the experience of dealing with a biochemical type crisis that dramatically affects the supply chain. So, I think the same pattern applies whether it's ransomware or other. So, I actually think boards have become better educated in potential cyber events as a result of that. And I have seen, even within our board, we've moved, even in my tenure, from twice-a-year updates to meet our auditing requirements through to a standing agenda item at every board meeting. So, I think that has shifted. You know, I do get correspondence from our board members asking about things like Log4j. Now, I don't think they understood what Log4j was, but they knew enough to ask me the question that went with it. And so I am seeing that awareness is definitely there now. The ramifications, though, and the impact, I think we still can do a lot more on. And it's important also to put it back in a context they can understand. And I saw an interesting data point the other day that said, you know, cyber events, whether it's criminal activities or impact to operations, measured by GDP, is now the third-largest country in the world after the USA and China. And so I think when you're giving board members those kinds of metrics, it shows them the size and scale of the problem we're trying to deal with, so that when we're out looking for additional incremental funding to improve defences or other, there's a bit more context around it. This is not just a "trust me" conversation. This threat landscape is expanding dramatically and exponentially in terms of its pace as well. So, I think we are seeing that conversation happen, and the fact that for us it is a standing board agenda item right now means it is top of mind.

    Nicola Vizioli:

    And Stuart, you mentioned metrics. Do you find that your board members and your executives are asking for more and more metrics?

    Stuart McDonald:

    They're looking at it more from commercial impact. So, when you're looking at whether it's a ransomware event that affects the utility companies and clearly cybersecurity insurance premiums, if you have insurance premiums associated with it, they're interested in terms of the impact on the business on that side of things. So, I think that's more the line they're questioning, as opposed to specific cyber metrics in terms of what is the rate of email that gets through without being trapped on the way through your perimeter defences, so they're not caught up in the mechanics of the technology itself. It's more just the commercial parts of the business.

    Nicola Vizioli:

    It's very interesting to me to see a change at the most executive levels, but I also wanted to touch upon it more from a CISO perspective. So, my next question will be for Peter. In a recent survey that we carried out, we see that two-thirds of Chief Information Security Officers say that executive management wouldn't describe cybersecurity as commercially minded, meaning we're investing a lot of money in cybersecurity, often increasing that budget year over year, but not always seeing the return on investment. So, Peter, what can we do to change this perspective?

    Peter Elliott:

    Yeah, that's an excellent question. Yeah, and interesting to hear that result. So, from my perspective, I'm actually seeing this slowly start to change. I guess I'll use the word organically. We just went through our cyber insurance renewal at Magna recently, and I'm sure others that have gone through this process can attest to this. I mean, premiums are going up, doubling, tripling in some cases. Coverage is being reduced. There are more and more exclusions in these policies. So, you know, where some companies may before have sort of fallen back on, 'Oh, we've got cyber insurance, so we're covered if something happens', that's not the case anymore. And increasingly, I think companies are going to realize they essentially are going to have to self-insure. So, I think that's one aspect. The other thing is, you know, customers are getting more savvy. In our case, it's the automotive manufacturer. Before, it was very generic questions: 'Do you have a process in place?' Now, they want to know specifics about how you manage risk, how you're addressing it, sometimes even asking questions about what type of tooling you're using. So, I think those are, you know, organically, that's changing. But your question is what can we do, I guess, as security professionals? Well, a couple of things that come to mind, and I mean, Stuart touched on a couple of those things. I think focusing on company reputation, right? There's a stigma. Something bad happens at your company. It ends up in the press. Even if it was a non-event, you know, your company name appearing in a headline along with the word ransomware can have real implications for your brand. So, I think there's increasing recognition of that. And you know, what I see, sort of from a compliance standpoint, what comes from our customers, is that, you know, increasingly, I think you can start to use this as a differentiator. 
Magna is not the only parts supplier out there, and particularly in North America, it's quite a competitive business. So, you know, I see a shift potentially coming where our sales organization can say, you know, our business units have certification X or X standard, and they can really use that as a sales argument, you know, therefore, turning this on its head, this survey result that you got where people don't really see this as a commercially minded area or a cost center for lack of a better term.

    Nicola Vizioli:

    Thank you, Peter. I heard the word pandemic and COVID once or twice, I believe from Stuart, so I'm just going to, it wouldn't be fair if we don't touch upon COVID a little bit, as COVID is still driving a lot of changes, a lot of technology changes and accelerating a lot of the digital transformations, which is opening up the door to cybersecurity risk. So, my next question is for you Geneviève. How has the COVID pandemic changed your perspective on cybersecurity risks?

    Geneviève Bertrand:

    Obviously, this greatly extended our footprint because we saw two things at once: the pandemic sent people to work from home, and previously we had only had 500 people working remotely for Kruger. That’s the first thing; it was a great revolution to give them tools and to continue securely operating. Then, what we saw, and what has continued to evolve with the unfortunate persistence of people working from home, was that people were not working from their homes, but from their chalets and other environments. We started to get closer to our employees and tried to explain the standards on how to work from home, how to ensure secure access and how to monitor who can hear what is being discussed. We continue into the next wave with much more training and awareness. In Canada, we know that all the laws regarding personal information will change this autumn; what does it mean for our employees and day-to-day operations? We try to work closely with them to inform and secure.

    Nicola Vizioli:

    Have you found that the human aspect has also changed, in speaking with various directors, that it has been necessary to intervene with certain employees, to give advice? Has the “Big Brother” effect had an impact on Kruger employees?

    Geneviève Bertrand:

    We really see it in two ways. I think it’s necessary, as a leader or a director, to create certain zones, because in the past you had at least 5 minutes before a meeting to walk around and say hello to someone. On a cultural level, it’s a change, and one will have to engage in supporting people because COVID will have deeply changed us. Earlier, Peter talked about recruiting talent. Even in that field, it changed things. Now, there are people who absolutely don’t want to work outside of their home, and there are others who cry out for help to come back because they want to collaborate. I think yes, COVID will have deeply changed the workers, men, women, generations to come, as well as the data security habits and business processes for people in information technology.

    Nicola Vizioli:

    Thank you very much. This opens the door to ask some questions around privacy, as Geneviève mentioned in French, COVID 19 did bring up a lot of privacy questions, both from a company perspective but also from an employee perspective. But I wanted to touch privacy more from a consumer-facing perspective. Stuart, the next question will be for you, as out of the three panellists, I believe you're the most client-facing one and the most regulated industry as well. So, how has WestJet adapted to the new normality of collecting even more data than you were previously collecting, and more specifically around health data from your passengers and perhaps even employees?

    Stuart McDonald:

    This is a topic that's near and dear to my heart. I've spent the last two years negotiating with the government of Canada, between Transport Canada, CBSA, Public Health, IRCC, airport authorities and even, I would use the word cautiously, our partners over at Air Canada, in defining the QR codes that everybody now has, so that the QR code implementation that's Canada-wide was basically the result of an initiative driven from the aviation side. Because we are so heavily regulated, the key focus for us was we needed a way to enforce the random policies of the day. I do believe that we are a free outsourced [INAUDIBLE] for the Canadian government at this point in time for the whims of the moment. However, we needed a way that we could programmatically validate information so that we could still board aircraft. If we had to do things manually, no airport in this country would work, and a lot of the policies that have been asked of us basically would destroy the industry completely. Even though the government has done a reasonable job at trying that in the first place, I think we're slowly improving from that one. But part of the design of those QR codes is we don't want your health information. We're not a health care provider. We don't want to be a health care provider. And I took that very strong position with government from day one, that we don't want to be collecting information. So, what we are doing at that point is validation of those codes; we do have all the credentials so that we can check that they are digitally signed. So, we had that relationship with government. There are two sides to the QR codes: reading them, and validating them in terms of whether they are a true and valid record. So, we are doing both of those, and we are looking at the vaccination records themselves to make sure it's a known vaccine. It's within certain [INAUDIBLE]. 
    You've got two doses, or three as it may soon be as well, but that just translates into a simple flag on our tickets that says you're OK to fly. And so, that's the only record we keep, is you're OK to fly, and we do that already. If you're on a no-fly list, if you've been on a special charter plane running down to Cancun and having lots of fun disobeying Transport Canada rules, you may be on that list. But at the end of the day, we don't know why you are or are not OK to fly; we just know that you're OK to fly, and that's really the piece that we hang onto as a result of that. And that's why also, when it comes to the PCR testing, we are the only country in the world that requires PCR testing before you get on our plane and when you get off our plane when you're coming into the country. If you can imagine being in downtown Toronto, getting on the GO train, testing once and then testing as you get off the GO train again, you know, that is what has been asked of us. We're careful, again, not to capture any of that information. And then sort of the last piece of it, where we have been forced into capturing some health care information, is being a federally regulated company. All of our employees have to be vaccinated, so we have to capture that information that they have been vaccinated. And then equally, as I'm in the office today, I did my antigen test, and I do my antigen testing every single day. I have a whole antigen testing platform that we implemented to support this process as well, and that is segregated from every other system that we have. Because again, I want to keep my regulatory landscape small for hopefully something that I can throw away at the end of this process.

    Nicola Vizioli:

    Thank you for that, but I still want to double-click on the privacy subject because, speaking to many different CIOs and CEOs, and also in a security survey that we did not too long ago, many leaders expect regulations to become increasingly demanding in Canada, but also in the rest of the world, whether that be cybersecurity regulations or privacy regulatory requirements. How is WestJet, or how did WestJet, prepare for this? Because I do believe your industry is a little bit, or even a lot, more advanced than other types of industries from a regulatory perspective. But how do you manage to respond to more and more regulatory requirements? We see in Quebec the introduction of Law 64. We're seeing it in the rest of Canada, GDPR in Europe. So, we're seeing a lot more demand. So, what advice would you have for some of the audience who perhaps are not as advanced as WestJet would be?

    Stuart McDonald:

    So, we have things we have stood up. I have a dedicated data governance department, which is separate from my dedicated privacy risk and compliance department because they are two different things and there are different lenses that go with that. So, you have to have a group that sits outside interpreting those regulations. We are GDPR compliant because of the nature of where we fly as well. So, we see the Quebec regulations as just more of an extension of the GDPR regulations, as they said. And personally, I'm big on privacy first. I don't believe in holding onto the data. We're having some interesting debates right now in regards to credit card data, in terms of what you would do or not do with it. So, there is an ethical piece that goes with that as well. And so, we actually have a board session coming up around the ethical use of data beyond the privacy pieces themselves because just because you can use it doesn't necessarily mean you want to use it. And so, I think it's really making sure that you look at the lenses from the ethics that serve the privacy itself and then the compliance that goes with that and how you want to enforce it. And then GDPR at the end of the day has some interesting things that come as a result of the right to be forgotten. And so, the right to be forgotten does create technical considerations. So, if someone's read an in-flight magazine and thinks that blockchain's the next big thing, the ability to be forgotten from a blockchain perspective doesn't exist. So, that rules that out as a solution for something. And so, you need to sort of think those things through. And then clearly, can you track where all the data is, every backup that you've ever made? Most likely not. So, there is a reasonableness piece that is part of the assessments of GDPR. So, it's also working closely with your legal team to understand what position you want to take in regards to the regulations themselves. Because 4% of revenue is a lot of money at the end of the day if you're going to be fined. And it's not just the 4% of revenue; if you look at the data breach that British Airways had on the credit card data, they were able to negotiate down the GDPR fine but they're still dealing with a billion-dollar class action as a result of it.

    Nicola Vizioli:

    Yeah, that's a good point, because often with privacy, we see that it's not only the regulatory fines but there's also the other aspect of the commercial penalties that you may face with lawsuits and whatnot. Thank you for sharing that. Peter, I wanted to ask you a question as a Chief Information Security Officer, to kind of get your opinion as to where the industry is going. What do you foresee as an investment over the next couple of years from a cybersecurity perspective?

    Peter Elliot:

    Well, I mean, in terms of, so Magna, again, a tier one automotive supplier, manufacturing is core to our business and frankly where we generate our revenue. And I know from my colleagues, both at the OEMs and other manufacturers, and it happens to be our biggest, single biggest investment and multi-year project that we've just kicked off now, is to really address the expansion in factory digitization. So, there's a, you know, an increasing and obvious need, in order to optimize processes, to get data from operational technology environments. And, you know, with increasing business areas, you know, and we've probably heard all these buzzwords around autonomous driving and technology that Magna is developing in conjunction with the OEMs, it really is sort of challenging us from our cyber risk posture, right? We've spent a lot of time and energy over the last several years bolstering our defences and our controls in the IT area. The OT area is definitely a gap that we have. I mean, we've got policies and standards and everything in place but as I had mentioned before, our decentralized operating model has led to some gaps there. And you know, I did not get paid by EY to say this, but we did engage EY last year to do kind of an independent assessment, and we found some gaps at some of our production facilities. So, a big challenge and an area of investment that I see that manufacturing companies like Magna have to invest in is investing in tighter controls in those operational technology environments and really addressing the convergence that's going on between IT and OT environments. And that's really, that's more than technology, right? This is a people, process and technology challenge. I know in a lot of our facilities, so you may have IT staff, you've got controls engineers or what you would call operational technology staff. They don't always work together. They have sort of different drivers, right? So, on the IT side, you're managing data and applications and systems; on the OT side, I mean, uptime is everything. We have to be pumping widgets out the door at the right quality to our customer in order to deliver on our commitments. And this is a real challenge. So, for those here that are aware of how operational technology systems work, I mean, they certainly weren't, especially the legacy systems, were not designed with security in mind. They were designed to be open. And as you can imagine, I mean, I mentioned a little bit earlier about the changing threat landscape. I mean, if you are a threat actor and you want to hold a company hostage to pay you, what better way than to completely impede their production? So, I mean, this is something that has been in, you know, industry notifications for the better part of the last couple of years, that threat actors are shifting over to verticals like manufacturing because they know the incentive to pay is incredibly high, right? So, that's, you know, in our industry, that is an area that I see is going to be an increasing focus. And I know it is an increasing focus because our customers are demanding to understand what our controls are for this particular risk.

    Nicola Vizioli:

    And I just wanted to touch one last question for you, Peter, and this is something that was brought up by Geneviève earlier in the conversation. But how important is it to invest in resilience and having a strong business continuity plan for a company such as yours?

    Peter Elliot:

    It's critical, right? I mean, it's been, you know, talked about or mentioned a couple of times here. It's not a question of 'if', it's a question of 'when' you're going to have an incident. So, you know, you put these protections in place, you put the best sort of monitoring and threat intelligence around it. At the end of the day, controls fail, you know, often because, you know, at the end of the day, a person has done the wrong thing, whether it's configuring the technology or clicking the link or these types of things, so you can put, you know, the best controls in place, eventually, you're going to have an incident. And that's where you have those incident response plans, those crisis management plans, your business continuity plan, all these things in place so that you can respond to an incident quickly and effectively and ultimately mitigate the damage that is done to your business and to your organization.

    Nicola Vizioli:

    All right. Thank you, Peter. And before we open it up to questions from the virtual audience, and we have been collecting some during the session, I had one final question for all the participants. I'll ask it in English. What do you consider your biggest challenge in 2022 when it comes to cybersecurity? Geneviève, I will start with you. What do you consider your largest defect in 2022 from a cybersecurity perspective?

    Geneviève Bertrand:

    Here, I will contain myself to three things. The first is attracting and retaining talent, but specifically the talent of varied teams. So, the Kruger employee teams as well as our contracting partners and agencies. Additionally, as to the talent issue, it’s really increasing the sensibility of what “cybersecurity” is for all Kruger employees because each employee owes a duty to protect the company. That’s the first thing. The second thing, I would say, is the risk/reward balance of how much investment, how many dollars are going to be spent on protection and how that is going to benefit you. Earlier, Stuart spoke about patching; one of our big partners will deploy a patch, but to deploy the patch, the machine must be stopped. Peter spoke about that earlier. What patience will you have to patch a critical vulnerability versus the cost of stopping operations for the factory? This discussion, which Peter mentioned, is really very active. And the third thing is business continuity programs. What is the role of each person? The chat monitoring role, the anti-cyber team role, the admin systems role, and the role of daily operators. I’m smiling, I’ll put myself back on mute.

    Nicola Vizioli:

    As usual, you overdeliver because I asked for one and you give me four, or three or four. So, you overdeliver as usual, Geneviève. Same question to Peter this time. What would you say is your biggest challenge for 2022?

    Peter Elliot:

    Well, I guess I sort of answered it a little bit in the previous question. I mean, that's going to be one of our big focus areas. But yeah, I mean, I guess taking a step back from that project, it's bringing the various departments together that don't normally work together to address that particular challenge, right? Because I mean, I kind of already touched on that. Getting operational technology and information technology ITOTP people to work together to solve some of these problems. Something that they're not necessarily always used to doing. But again, the broader, you know, supply chain risk, I mean, you know, we're increasingly involved with our supply chain risk organization, which I think, like a lot of companies, still has that kind of traditional view on supply chain risk, which is, OK, is that supplier going to be here in six months? Are they financially viable? You know, and these sorts of, you know, traditional risks associated with some of your suppliers. I mean, again, I mentioned the ransomware topic a couple of times, but I mean, that can stop one of your suppliers being able to supply you as easily as, you know, them not being here in six months because it's a poorly run business. So, I guess really, I see cyber, you know, more or less playing a role in functions where it didn't before, being able to articulate it in a way that these people can understand and then work together to address these risks. I mean, that's, you know, sort of an overarching challenge that I see in the coming year, just because of the convergence that I see happening across these different areas.

    Nicola Vizioli:

    Thank you very much. Stuart, same question. Biggest challenge?

    Stuart McDonald:

    Well, I think we're one of those fun industries where we're affected by volcanoes, snow, heat, rain, wind, fog, pandemics, and political instability as well. So, I think, you know, one of the things we really haven't talked about today is the implications in regards to sort of the emerging political threats in Ukraine, which is one, and the Olympics in China, which is two. As the old song "Stuck in the Middle with You" says, you know, clowns to the left of me, jokers to the right, here I am stuck in the middle with you. We are seeing a risk on critical infrastructure across the world, but definitely against those that are deemed against either of those particular causes. So, I think that is something that is top of mind for us, which leads us back into the quest for talent. Making sure you have the right people. And our business is a little bit different. You know, we have all the traditional cyber threats, but we also have a perspective from an aviation and avionics view because we have a lot of infrastructure that we actually build and put on the aircraft. So, there's different things that we have to manage and support there. And then equally, for the 140-odd locations we fly to around the world, I have no control of any of those locations or the third parties that operate those locations as well. So, we have a unique threat landscape where I can't control traditional endpoints or any of the things that people would be looking at to manage what's happening there as well. So, I think for us, it's still going to be the talent topic, getting the right people in, and technology in the cyberspace is shifting quite dramatically as well. So, the days of just looking at a screen in an old SOC are gone. So, the people you're looking for are quite different from the traditional sort of cyber groups you had in the past as well.

    Nicola Vizioli:

    Perfect. We'll open it up for a few questions from the audience, and there's quite a few of them. So, the question and answer triggered a lot of questions and I'll start with you, Peter. One of the questions that came in from one of the audience members: with many of our services on the cloud and other service providers, what is their responsibility and how can we make sure they are taking actions to counter these types of threats?

    Peter Elliot:

    Yeah, excellent question. And it's definitely an ongoing continuous improvement area that we have. So, yeah, I mean, that's been a challenge. I think it was mentioned in one of the previous answers about making sure security is considered, you know, from the beginning of a project, and not coming in, you know, towards the end or after the project has already been completed. Vetting those cloud providers, right? I mean, jeez, if I had a dollar for each time someone told me that, oh, we're fine from a security perspective because it's on Microsoft Azure, or it's on AWS, right? Well, OK, they've ensured that their own backend infrastructure is secure, but if you've got some, you know, third party provider that sits on top of Azure or AWS, which is very often how a lot of these solution providers are delivering their services these days, you don't have anything showing that they've done their due diligence and made sure that the data you're entrusting them with is secure. So, you know, vetting these providers properly and, I mean, you know, there's a number of certifications out there you can use. You can, you know, ask them if they've got a SOC 2 Type 2 certification, for example. There's several ways of doing this right, to audit. But yeah, at the end of the day, that supplier you are entrusting with your information, and the only entity that's really responsible for ensuring that information is protected is you. So, you need to ask the right questions. They need to have adequate certifications in place. And you know, we have these discussions with our business units on a regular basis, right? They want a quick, cheap and dirty solution. Well, it's those quick, cheap and dirty solutions that very often end up with your data being publicly disclosed. So yeah, you have to be diligent, have to be diligent on those.

    Nicola Vizioli:

    Thank you. The next question, I think I'm going to address it to Geneviève because I think this is something you experienced. But what advice would you give a company that's under investing in cybersecurity and that needs to beef up their security? What advice would you give to a business that doesn’t invest enough in cybersecurity?

    Geneviève Bertrand:

    The first key, the first means of defence is your employees. Invest in training and the sensitization of your employees. I think it was Peter who talked about it previously, we’re never safe from an employee clicking on a link, and “be phished,” I don’t know what the term is in French. So first, invest in your employees. Second, have the conversation with the factory units to determine what is their greatest risk, where they would be hurt, and establish a multi-step program with the means available. Unfortunately, cybersecurity is treated like all other business problems, you have to eat the elephant one bite at a time.

    Nicola Vizioli:

    Thank you, Geneviève. Stuart, one question for you, with your involvement with the government: what should be the actions our governments execute to try to curb these threats? Should the government have an active role in it?

    Stuart McDonald:

    I mean, the government is active, and we do have a lot of briefings with the government in regards to emerging threats, and we also have separate ones within the industry itself and sharing of threats and attacks that are going on there. So, they are actively at the table. I think it was interesting if you looked at the report that came out last week from the government around the potential for escalation around critical infrastructure, but it was actually last week flagged as low. And then you saw on the weekend it wasn't very low at all. So, I do think that the velocity of those is happening a lot faster than we anticipate. You know, I was speaking to the [INAUDIBLE] of the government, the Treasury for the Government of Canada, Catherine Luelo, who actually used to be over at Air Canada before. She was informing me that the IT budget for the government is $8 billion. So, and a lot of that, interestingly, some of their future focus is on sovereign identity and things like that, in ways of sort of protecting identity for all Canadian citizens and permanent residents. So, there's some long-term things the government is focusing on, but definitely, in the short term, they're very much actively working with us at the table.

    Nicola Vizioli:

    Ok, thank you for that. And Peter, one last question for you. You mentioned earlier in the conversation that some of your clients that are buying your products are asking more and more questions around cybersecurity. Are they also asking how resilient you would be with your supply chain in the event of a cyber incident? And what steps can a company in the advanced manufacturing industry take to make sure that they're resilient from a supply chain perspective?

    Peter Elliot:

    Yeah. I think, well, even beyond automotive, you know, this whole supply chain topic is really at the forefront in general, right? But yeah, I know that several of our OEMs are looking at, you know, for the first time really, how to map that supply chain out, right? I mean, they know who supplies them directly, a company like Magna, who is an automotive tier one. Historically, they've been less concerned about, you know, the Tier two, the Tier three, the Tier four suppliers. And if anything has changed that, it's this chip shortage which has been plaguing automotive, you know, since the pandemic came in. You know, if you think about a supply chain, so you know, we supply one of the automakers; when it comes to chips, Magna have, I don't know, I'm just throwing out numbers, 10, 15 different chip suppliers that we deal with. But at the end of the day, at the bottom of the supply chain, it's the same three or four factories that are producing those chips, right? So, this is one of these things that the OEMs are now hypersensitive to. I know they're mapping it out. And of course, cyber is a component there too, right? Because again, I mean, a pandemic is one thing, still a fire at one of those facilities, or a cyber incident at one of those facilities, it doesn't really matter, at the end of the day, any of those incidents can cause a ripple effect through the supply chain. And I know there's going to be a lot of work in this area. As I said, we correspond quite a bit with our supplier risk group. And I know this is coming, that the automakers are really looking to map that out to the nth degree, right down to where that chip comes from. So, a lot of focus in this area, you know, whether companies are managing this well now or they're going to be forced to by the companies that they supply.

    Nicola Vizioli:

    One last question before some closing arguments. Basically, Geneviève, one of the questions we received is how do you compensate for the lack of talent on the market?

    Geneviève Bertrand:

    That’s an excellent question. We really considered the entirety of the work we perform and the concept of tailoring, and we keep the cybersecurity expertise for the requisite teams. Everything that is coordination, translation, integration, we give to people who also have a certain talent, but not the precise cybersecurity talent. We even looked inside our sysadmins, network people, and we said we’re really going to find specific cyber expertise and we’re going to ask those people to do exclusively that, and they would be supported by people who have other skills. That’s the best answer I can give at this time.

    Nicola Vizioli:

    Thank you, it’s very appreciated. We're going to end it here, there's three minutes left and I wanted to take a moment to sincerely thank our three panellists, Geneviève, Stuart and Peter. Thank you very much for carving out time for this event. Your insight as leaders across Canada is very valuable, and I'm sure everybody in the audience learned something. Unfortunately, these virtual conferences don't allow me to interact much with the audience. So, we do have a bunch of questions and I'll try to get back to everyone in a written fashion. Hopefully, I can do so. But if there's anything, please feel free to reach out to either Zahid or myself. More than happy to jump on a call. Just a quick reminder of some housekeeping stuff for the audience. You should see a link at the bottom, at least I'm told so. It takes a few seconds to complete and would be very much appreciated. It gives us an opportunity to improve the overall experience. And on this, once again, I'd like to thank our panellists and hope to see you all very soon.

    Geneviève Bertrand:

    Thank you for the opportunity.

    Stuart McDonald:

    Thank you for having me.

    Nicola Vizioli:

    Bye, everyone.

Moderator

  • Nicola Vizioli, Partner, Cybersecurity Consulting, EY Canada

Panellists

  • Geneviève Bertrand, Senior Vice President Information Technology, Kruger
  • Peter Elliot, Global Information Security Officer, Magna
  • Stuart McDonald, Chief Information Officer, WestJet
