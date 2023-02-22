Five of six recommendations to tackle a "high-risk" municipal cybersecurity issue are now about a year overdue, as the city's auditor general lamented alarming delays from city officials.

Auditor general Nathalie Gougeon has made 438 recommendations on a range of issues to city management since 2018. She told council's audit committee on Monday that about one in four are now past due. She singled out delays on cybersecurity recommendations as especially troubling.

They stem from an investigation presented to councillors in June 2022, which took place behind closed doors with no media access, as is usual for security-related discussions.

"These recommendations are intended to address cybersecurity risks pertaining to a city-owned asset, which were identified in our investigation as high risk and high priority," Gougeon said.

"We have seen little to no progress."

She did not explain which city-owned asset she was referring to, and referred questions to another closed-door session on Monday where she was expected to present results of a new cybersecurity audit.

City staff pushed again to move faster

Alta Vista Coun. Marty Carr said she was "rather alarmed" to hear so many of the auditor general's recommendations are past due.

Gougeon agreed the delays are "most definitely" alarming.

"The longer overdue they are, the more concerned we get," she explained.

This isn't the first time a city auditor has pushed staff to move faster on cybersecurity threats. In 2019, then-auditor general Ken Hughes said he was still waiting for action on 2015 audits that found "low maturity" on cybersecurity risks.

That followed a hacking attack that displayed the name of a police officer and a dancing banana on the city's website in 2014.

On Monday, Gougeon also spoke to her audit of the city's convoy response, saying three recommendations from that report are now past due. She said her office is working with city management on the issue.

The city's chief financial officer, Cyril Rogers, told CBC that cybersecurity issues are always considered to be high risk. He said the city is always moving to keep up with ever-changing threats.

Speaking broadly about all of Gougeon's outstanding recommendations, Rogers told councillors some work was held up by the pandemic while other recommendations are linked to long-term plans city staff continue to work on.

"The pandemic is not an excuse, but it clearly delayed some of our approach," he said.

"We do take it seriously that they're outstanding."