City Responds to Office of Auditor General Cyber Security Follow Up Audit
HAMILTON, ON – The City of Hamilton acknowledges the Auditor General’s findings and remains committed to advancing its cyber resilience roadmap. We are incorporating the observations outlined in the Office of the Auditor General’s (OAG) Cyber Security Follow Up Audit, Phase 1: Pre-Breach Analysis Report, AUD21004 (c), presented earlier today at the Audit, Finance and Administration Committee.
Key Improvements
The City has made a number of structural, technical, and governance changes to strengthen its resilience and address the gaps highlighted by the Auditor General:
Leadership and Accountability
- Realigned the Information Technology (IT) Department to report directly to a newly created Chief Information Officer (CIO).
- Recruited the City’s first Chief Information Security Officer (CISO) to provide dedicated leadership on safeguarding information and systems.
Technology and Infrastructure
- Introduced enhanced security protocols, such as multi-factor authentication, to strengthen cybersecurity resilience and protect systems from future threats.
- Strengthened backup systems.
- Enhanced system monitoring and controls, including introducing third-party managed security services.
Governance and Oversight
- Updated policies and refined oversight structures.
- Enhanced incident response protocols, enabling faster decision-making and more coordinated action against threats.
- Implemented cybersecurity into system design and project oversight.
Training and Awareness
- Expanded mandatory staff training.
- Launched awareness campaigns to promote a culture of vigilance, security, and preparedness across the organization.
Ongoing Priorities and Cyber Risk Management
- Continuing to strengthen risk management practices so that both existing and emerging threats are identified and mitigated earlier.
“At the heart of city services is trust. We know the February 2024 incident tested that trust, and we are determined to rebuild it by taking accountability, learning from the Auditor General’s findings, and investing in stronger protections,” said Marnie Cluckie, City Manager. “We recognize that progress on the 2021 recommendations was limited, and that reality has driven us to accelerate change. As cyber threats grow more common and complex, we are committed to vigilance and ensuring our digital services remain secure, reliable, and accessible.”
The City remains committed to continuous improvement in its cyber resiliency, recognizing the complexity of today’s digital environment and the constantly evolving nature of cyber threats.
“The Auditor General’s findings underscore gaps in governance, staffing, and technical readiness that existed prior to the February 2024 cybersecurity incident. They also highlight the need for lasting structural change,” said Cyrus Tehrani, Chief Information Officer (Interim). “My focus is on turning these lessons into sustained progress, including strengthening our governance, investing in our people, modernizing our infrastructure, and embedding cybersecurity into every aspect of our operations.”