Over the past five years, the City of Toronto, like many other organizations, accelerated the use of online collaboration and meetings (e.g. using Webex, Teams), in particular due to the Covid-19 pandemic.[1] The use of online meeting platforms continues, owing to factors such as ease of use and hybrid work arrangements.
Hybrid meetings, a combination of in-person and online video conferencing, have become common, including for conducting legislative meetings.[2] This format will stay in use for the foreseeable future. While these meetings have benefits in terms of ease and efficiency, they also introduce cybersecurity and confidentiality risks. It is therefore important to review and further strengthen the practices and controls used in initiating and conducting these meetings, particularly for confidential (in-camera) meetings.
This report highlights the importance for the City to enhance and standardize cybersecurity guidance to City divisions, and to share those best practices with its agencies and corporations for consideration, to proactively prevent unauthorized access to confidential information discussed in these meetings.
Legislative meetings may be closed (in-camera) to the public for specific reasons as outlined in the City of Toronto Act, 2006.[3] The City Clerk has developed processes and staff training to secure the electronic portion of closed meetings of City Council, Committees, and local board meetings that are managed by the City Clerk. Similarly, some agencies and corporations have also developed processes for securing electronic meetings of their boards and committees.
We have noted that while the City has guidelines in place for securing online confidential meetings, these guidelines require further strengthening for cybersecurity considerations, and these need to be distributed across all City divisions, agencies, and corporations for awareness. We have provided examples in this report of observations made by our staff that suggest the need for further strengthening the guidelines.
This report recommends revising the guidelines to be used for online confidential meetings and disseminating them to City divisions, and its agencies and corporations. The critical controls required in initiating and conducting online confidential meetings can also be included in the Chief Information Security Officer (CISO)’s mandatory cybersecurity training.
While the recommended guidance to maintain the security of online confidential meetings in this report relates to meetings of City Council, its committees, and the boards and committees of the City’s agencies and corporations, the CISO can also encourage use of these best practices in the City’s internal working meetings where confidential matters are discussed.
The work performed in relation to this report does not constitute an audit conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). However, we believe we have performed sufficient work and gathered sufficient appropriate evidence to provide for a reasonable basis to support our observations and recommendations.
This public report contains two recommendations to further strengthen and improve controls in initiating and conducting online confidential meetings.
[1] In July 2020, in response to the Covid-19 pandemic, the Provincial government amended the meeting rules of the City of Toronto Act, 2006 to allow for electronic participation. In 2023, City Council and most local boards made electronic participation permanent.
[2] Legislative meetings include those held by City Council, Committees and the boards and committees of the City’s agencies and corporations
[3] https://www.ontario.ca/laws/statute/06c11 (refer to Section 190)