Update: City of SSM and Police Service Point Fingers Over Lack of Cyber Insurance in 2021
The devastating consequences of cyberattacks are hitting home lately.
Although these incidents certainly aren’t something to celebrate, they’ve had the positive spin-off of some good local journalism.
This is an updated version of a slightly older story about the cyberattack that hit the Sault Ste. Marie Police Service in the summer of 2021. My research revealed another interesting angle that’s worth considering among recent events: some institutions may not have insurance policies that specifically cover digital risks, as was the case with the Sault Police in 2021.
I have a number of stories that are nearing completion, so you can expect a slightly faster pace in the next couple months (including two podcast episodes).
New details have emerged about the cyberattack on the Sault Ste. Marie Police Service (SSMPS) in August of 2021. A freedom of information request was submitted to the SSMPS in December of 2021, asking for the name of the company helping to rebuild digital infrastructure and the public expenditure incurred thus far.
The SSMPS denied the request, invoking several sections of the Municipal Freedom of Information and Protection of Privacy Act. It argued that release of the information could endanger the life and safety of law enforcement, interfere with a law enforcement matter, and reveal personal information, among other things.
The SSMPS subsequently offered to release partial information, including the public expenditure incurred but not the name of the company. The company had declined third-party consent to release its identity to the public. An appeal was then filed with the Information and Privacy Commissioner of Ontario seeking a review of the SSMPS decision.
Over nine months later, and as a result of mediation facilitated by the Information and Privacy Commissioner, the SSMPS relented and granted release of the requested information in full. In a letter from September 30, 2022, the SSMPS indicated that they had contracted Aegisys Cloud Solutions of Sudbury to assist with their disaster recovery after the cyberattack.
Between August and December of 2021, the company completed work totalling $38,097.37. According to the SSMPS, no work was completed by Aegisys after December of 2021.
An email and phone call to Aegisys seeking details about their desire for anonymity went unanswered.
In the same letter from September, the SSMPS wrote: “Exercises of discretion and decisions were arrived at after careful consideration and review of all relevant facts, with each set of circumstances being considered separately. The response by the institution to the requestor has been arrived at in good faith and after much careful consideration without prejudice.”
Other records received through access to information requests reveal that the SSMPS had previously been alerted to limitations in its information technology systems.
In 2017, a major accounting firm – KPMG – was contracted to offer a strategic plan for the SSMPS following an in-depth analysis. The report included several recommendations related to cybersecurity and digital infrastructure.
In a subsection of the executive summary titled ‘strategic IT investment,’ the first recommendation reads:
Implement a cloud computing solution for software applications that allow for the storage of data on the cloud. The cloud computing would provide increased disaster recovery capabilities, reduce maintenance requirements for the SSMPS IT technicians and increased data access and mobility for cloud based applications such as ‘Track My Crime.’
This specific recommendation is listed as ‘medium term,’ which entails a suggested implementation period between two and three years. In the section of the report that includes ‘findings and observations’ specifically related to strategic IT investment, KPMG noted: “There is limited IT disaster recovery capabilities for the SSMPS.”
Another of KPMG’s ‘findings and observations’ was redacted in the version of the report released by the SSMPS. The SSMPS refused to reconsider the redaction.
Another freedom of information request revealed that the SSMPS didn’t have cyber insurance when the cyberattack occurred. In response to this public disclosure, both the City of Sault Ste. Marie and SSMPS are pointing fingers at each other.
A freedom of information request for a copy of the insurance policy was first submitted to the SSMPS, who then transferred it to the City. According to the Manager of Information Services, Adrienne Harris, the SSMPS did not have “custody or control of the records” and therefore transferred the request in accordance with applicable legislation.
The City responded to the transferred request on October 25, saying that the requested record “does not exist in their files.” City Solicitor, Jeffrey King, explained that “City IT is separate and apart from SSMPS IT.”
When asked to confirm the non-existence of a cyber insurance policy in 2021 at the SSMPS, Harris responded: “Although not our record, I believe you have your confirmation.”
According to Harris, “the City… did not purchase cyber insurance in 2021 for the SSMPS.” Reiterating the fact that the two institutions are separate, King noted that “both the City and SSMPS are at liberty to shop independently for this type of coverage” and that cyber insurance is “additional coverage to a general insurance policy.”
The Manager of Corporate Communications, Planning, and Research, Lincoln Louttit, confirmed that the SSMPS currently has cyber insurance.
Asked specifically about KPMG’s previous recommendations related to information technology and cybersecurity, Louttit responded: “Some of the report was dated and/or did not meet industry standards.” He also said that the SSMPS “proactively mitigate[s] cyber concerns with various applications that are established in the policing industry.”
As explained in the ‘project overview’ section of the report, KPMG was asked to “conduct an objective evaluation of the [SSMPS] in terms of organizational effectiveness and efficiency and to map out a strategy for transformational change in the delivery of police services.”
Accordingly, KPMG compared the SSMPS to other police services and communities in Ontario to assess alignment with best practices, including a detailed analysis of Peterborough, Chatham-Kent, and Waterloo.
Louttit reiterated his previous comment in response to a question about specific KPMG recommendations that may have lacked merit.
Although both the SSMPS and Ontario Ministry of the Attorney General were previously tight-lipped about the potential for data erasure to affect the Crown’s prosecution of criminal cases, the high-profile conclusion of a recent case suggests that it may be doing just that.
Dr. Mark Jenkins was arrested in August of 2021, following an early morning ordeal that included evidence of intoxication, a police pursuit, and a serious collision. Details of Jenkins’s eventual plea deal were first reported by Doug Millroy at Sault This Week and Sault Online.
In a subsequent story from Kenneth Armstrong at SooToday, it was revealed that the Crown’s case against Jenkins was potentially limited by missing evidence, including photos of the collision scene and radio communication recordings. The missing evidence was attributed to “a technology issue affecting the Sault Ste. Marie Police Service” by the Crown.
Repeating a similar response from March of last year, the Ontario Ministry of the Attorney General recently said “it would be inappropriate… to comment on this matter or any affected police systems.”
The Crown Attorney Office in Sault Ste. Marie similarly declined a request for comment.
When asked to confirm whether the “technology issue” affecting evidence in the Jenkins case was a direct result of the cyberattack on the SSMPS, Louttit encouraged the use of court records and the freedom of information process.