2021-03-31 Finance Committee Agenda Packet - Open Session

City of Saint John
Finance Committee - Open Session
AGENDA
Wednesday, March 31, 2021
4:30 pm
Meeting Conducted by Electronic Participation

1. Call to Order
1.1. Approval of Minutes - February 18, 2021
1.2. Strategic Plan Update
1.3. Performance Management
1.4. Cyberattack — Restoration Costs and Projected Recovery Estimate
1.5. Preliminary 2020 Operating Results

Finance Committee Meeting Open Session February 18, 2021

MINUTES — OPEN SESSION FINANCE COMMITTEE MEETING
FEBRUARY 18, 2020 AT 5:30 PM
MEETING CONDUCTED BY ELECTRONIC PARTICIPATION

Present:
Mayor D. Darling
Councillor D. Merrithew
Councillor G. Norton
Councillor D. Reardon
Councillor G. Sullivan

Absent:
Councillor S. Casey

Also Present:
City Manager J. Collin
Commissioner of Finance and Treasurer K. Fudge
Director Growth and Community Planning P. Ouellette
Commissioner Transportation & Environment M. Hugenholtz
Commissioner Saint John Water B. McGovern
Deputy Commissioner Transportation & Environment J. Hussey
Senior Financial Manager C. Lavigne
Senior Financial Manager D. Arbour
Senior Financial Manager T. Fawcett
Director of Strategic Affairs Ian Fogan
Fire Chief K. Clifford
Municipal Engineer M. Baker
Administrative Officer R. Evans
Energy Manager S. Yammine
Administrative Assistant K. Tibbits

1. Meeting Called To Order

Councillor Merrithew called the Finance Committee open session meeting to order.

1.1 Approval of Minutes — November 26, 2020

Moved by Councillor Reardon, seconded by Councillor Sullivan: RESOLVED that the minutes of November 26, 2020 be approved. MOTION CARRIED.

1.2 SNB Property Taxes

(L. Dionne, L. Munn, M. Johnson and S. Melanson, Service New Brunswick, joined the meeting electronically)

Mr. Fudge introduced the team from Service New Brunswick who provided a teach-in with respect to Service New Brunswick's various assessment policies and practices.
Members of Service New Brunswick reviewed the submitted presentation "Property Assessment Services", including a discussion on SNB's roles and responsibilities, their mandate, and the differences between tax policy and tax assessment. It was noted that their work is driven by the Assessment Act and related policies.

Moved by Councillor Reardon, seconded by Councillor Sullivan: RESOLVED that the submitted presentation from Service New Brunswick "Property Assessment Services", be received for information. MOTION CARRIED.

(L. Dionne, L. Munn, M. Johnson and S. Melanson withdrew from the meeting)
(Councillor Norton withdrew from the meeting)

1.3 Safe Restart Funding

Mr. Fudge stated that the COVID-19 pandemic has tested the resiliency of organizations, including the City, adding that financial risk remains and must be closely monitored. There have been impacts to parking revenues, recreation user fees, transit fares, water and sewer revenue losses and a reduction in the City's assessment base and property tax revenue in 2020 due to reduced assessments for the restaurant and hotel industry, airlines, and retail industry.

Under the 3rd phase of the Safe Restart program, the City of Saint John received approximately $3.6M to be utilized to offset the impacts of COVID-19. Over the three phases Saint John has received a transfer of approximately $7.4M. It is recommended that funds be placed in an operating reserve to offset future revenue losses similar to what was seen in 2020. The recommendation aligns with the use of one-time funds in the Reserve Fund Policy, that is, not using one-time funds for on-going spending.
Moved by Councillor Reardon, seconded by Councillor Sullivan: RESOLVED that as recommended by the City Manager in the submitted report "Safe Restart Funding Program", the Finance Committee recommends that Common Council approve the transfer of $3,668,373.08 Safe Restart Funding to the General Fund Operating Reserve to be utilized to offset potential future revenue losses due to COVID-19. MOTION CARRIED.

1.4 Property Assessment Gap

Mr. Fudge, referring to the elimination of the property assessment gap ("P-Gap"), noted that in 2013 the provincial government capped 102,000 properties across the province from reflecting true market value. The provincial government recently amended the Assessment Act to eliminate this exemption. Given that municipalities have already received their tax base for 2021, the province is providing a grant for the value of this exemption. The City of Saint John will receive approximately $1M of additional revenue. This revenue is reoccurring and pursuant to the City's policies, the funding should be included in the operating budget. The recommendation is that the grant be transferred into a tax rate reduction reserve to support the goals of the long-term financial plan and used to reduce the City's tax rate in 2022.

Mr. Collin stated that one of the goals under the long-term financial plan is a tax rate reduction. The strategic plan is currently under development — this plan will determine if the end goal is lowering the tax rate and/or the development of other goals as well. The strategic plan may drive modifications to the long-term financial plan.
Moved by Councillor Sullivan, seconded by Mayor Darling: RESOLVED that as recommended by the City Manager in the submitted report "Property Gap Assessment (P-Gap)", the Finance Committee recommends that Common Council approves the allocation of $1,000,000 to the Tax Rate Reduction Reserve and that this amount be used to reduce the City of Saint John tax rate in the year 2022 by 1.5 cents to $1.77 as part of the 2022 General Operating Budget. MOTION CARRIED.

1.5 2022 Budget Guidance for Police and Transit Commissions

Referring to the submitted letters to the Police and Transit Commissions, Mr. Fudge noted that the expectation is that the City's funding for 2022 budgets will be limited to increases in wages and benefit envelopes subject to the Wage Escalation policy, a freeze on goods and services budgets, and the establishment of a shared service charge for shared services such as Human Resources and Communications.

Moved by Councillor Sullivan, seconded by Councillor Reardon: RESOLVED that the letters "2022 Budget Guidance for Police and Transit Commissions" be received for information. MOTION CARRIED.

1.6 Capital Budget Adjustment

Mr. McGovern commented on the general and utility fund revised 2021 capital programs. The primary reasons for the revisions to the capital program are re-allocations of funding associated with the revised bi-lateral funding program, and the addition of projects to advance one of the city's catalytic projects, the Fundy Quay development.
Moved by Mayor Darling, seconded by Councillor Sullivan: RESOLVED that as recommended by the City Manager in the submitted report "Utility and General Fund — Revised 2021 Capital Programs", the Finance Committee recommends endorsement to Common Council of the following revised 2021 Capital Budgets as follows:

The revised 2021 Water and Sewerage Utility Fund Capital Budget in the amount of $12,086,000 (gross) with contributions from other sources of $5,840,000 yielding a net capital budget in the amount of $6,246,000 to be funded by pay as you go (net) as set in Appendix A;

The revised 2021 General Fund Capital Budget in the amount of $44,960,683 (gross) with contributions from other sources of $29,093,083, yielding a new Capital budget in the amount of $15,867,600 to be funded by debt issue (net) as set in Appendix B; and,

The revised 2021 Water and Sewerage Utility Fund Capital Budget be presented to Council at its next meeting for consideration and approval.

MOTION CARRIED.

1.7 Government of Canada Healthy Communities Initiative

Mr. Fogan stated that the Federal Government has announced a $31M Healthy Communities Initiative fund for projects between $51K and $250K in value towards the creation of safe and vibrant public spaces, improved mobility options and creation of digital solutions. The deadline to apply is March 9th. Given the short turn-around time, staff is working to identify projects and coordinate applications, and is seeking authorization to apply for funding of up to 100%. If the funding request is approved, staff will return with a business case and possible changes to the capital budget.

Moved by Councillor Reardon, seconded by Councillor Sullivan: RESOLVED that as recommended by the City Manager in the submitted report "Government of Canada Healthy Communities Initiative", the Finance Committee directs staff to apply to Canada's Healthy Communities Initiative. MOTION CARRIED.
Adjournment

Moved by Councillor Reardon, seconded by Councillor Sullivan: RESOLVED that the Finance Committee meeting be adjourned. MOTION CARRIED.

The Finance Committee open session meeting held on February 18, 2021 was adjourned at 7:00 p.m.
FINANCE COMMITTEE REPORT

Report Date: March 24, 2021
Meeting Date: March 31, 2021
Service Area: Strategic Services

Chairman Councillor Merrithew and Members of Finance Committee

SUBJECT: Cyberattack — Restoration Costs and Projected Recovery Estimate

OPEN OR CLOSED SESSION

This matter is to be discussed in Finance Committee Open Session.

AUTHORIZATION

| Primary Author | Commissioner/Dept. Head | City Manager |
| --- | --- | --- |
| Stephanie Rackley-Roach | Kevin Fudge | John Collin |

RECOMMENDATION

The City Manager recommends the Finance Committee:

a) Acknowledge Information Technology infrastructure and services procured for response and rebuild of the IT network due to the cyberattack is authorized under the emergency clauses in the Saint John Procurement Act; and
b) Receive and file this report.

EXECUTIVE SUMMARY

On November 13, 2020, the City of Saint John experienced a cyberattack. The scope of the attack was wide-reaching with significant damage caused to the City's IT infrastructure. The need to shut down the network and preserve the compromised environment for forensic investigation impacted business continuity with no ability to reuse the existing information technology equipment. Therefore, consulting and hardware requirements for event management and recovery were acquired under the emergency provisions in the City's Procurement Policy and other related legislation. The main consulting vendors were engaged through External Counsel approved by the City's Insurer. All major components for the network rebuild were purchased under the emergency provisions.
The total projected cost for consulting services, network hardware, licenses and support, vendor and hardware for application restorations, and other costs related to the recovery effort is $2,950,409 plus HST. While the new network is almost complete, there is considerable work remaining for the restoration of all the applications used to deliver efficient public service. Some costs are estimated and will be finalized as more work is completed.

The City has both a property and cyber insurance policy. It is estimated by staff that at least 85% of the recovery costs will be submitted to the Insurer under these two policies. The amount recoverable will be determined by the Insurer upon receipt of the City's claim. The City is still within the timeframe to finalize the claim and will monitor requirements closely to ensure timelines are met to recover costs. Costs not covered by insurance will be covered by the operating budget or the appropriate reserve fund. Renewal and enhancements of information technology requirements are funded out of the IT reserve, with projects planned and presented within the capital budget annually.

PREVIOUS RESOLUTION

N/A

STRATEGIC ALIGNMENT

Providing an update on the financial and service impacts of the cyberattack recovery efforts supports Common Council's priority of being fiscally responsible. It ensures accountability and transparency to the taxpayers.

REPORT

On November 13, 2020, the City of Saint John experienced a significant ransomware cyberattack. While City staff supported by a third-party vendor worked diligently to shut down the network immediately to mitigate risk, the City's network infrastructure and information systems sustained significant damage. Significant emergency investments were required to recover from the cyberattack.

The City has cyber insurance through AIG for these types of malicious attacks. The City was advised by the Insurer to retain External Counsel.
Through External Counsel, Blake, Cassels & Graydon LLP (Blakes) and later Norton Rose Fulbright (Norton Rose), several third-party consultants were engaged to support the City in containment, forensic, and recovery efforts. In the interest of time under the emergency provisions in the Procurement Act, these engagements were approved through the Insurer and signed off by the City Manager. Formal engagements through External Counsel included the following, with initial cost estimates outlined in Table 1.

Agreements with Blakes/Norton Rose for external counsel and Redbrick Communications for public relations support were also executed. The statements of work outlined for these engagements did not include a total estimate. However, as services were required, the estimated costs are outlined in the financial section of the report.

Table 1: Consultants engaged and retained under External Counsel

| Consultant | Role | Statement of Work |
| --- | --- | --- |
| FireEye Mandiant (Mandiant) | Forensic Investigation | $162,000 USD + Report TBD + applicable tax |
| Bulletproof Solutions ULC (Bulletproof) | Containment and Recovery | $489,250 CAD + HST |
| CYPFER | Ransomware Recovery & Payment Facilitation | $10,250 + applicable tax |

The scope of the cyberattack to the City's network, including both the City and Police domains, was wide reaching. It involved encryption to most Windows-based servers and many system endpoints (i.e., laptops and computers). Given the damage to the City's information technology infrastructure, recovery needed to start immediately to ensure continuity in the delivery of critical public services. The creation of a temporary network required the City to look at building with new hardware for several reasons:

• Requirement to preserve the environment for the forensic investigation.
• Requirement to preserve the environment for the criminal investigation.
• Risk in restoring the City's compromised hardware with the potential that remnants of the malware may continue to reside in the compromised environment and lead to potential reinfection.

With existing hardware not available for immediate rebuild of the network, the City worked through Bulletproof to procure the necessary components. This was based on understanding City and Police infrastructure requirements and designing a system that would meet these needs in the short term. The replacement of network hardware has been right-sized and is scalable for future growth if needed.

The Enterprise Agreement approved by Common Council on April 6, 2020 for Microsoft Office 365 and the estimated percentage of recoverable data from the City's backup systems allowed for the immediate start of the restoration of the City's network.

Costs associated with Bulletproof consulting fees and hardware purchases for the network and backup systems are outlined in the financial section of this report. This includes an estimate of the requirement to procure additional security for the City's network that will be incorporated into the City's Microsoft Enterprise Agreement in the second year of renewal April 1, 2021.

As the City works to restore applications used to deliver services to the public, several additional costs have been projected. While it is critical to get these applications operational as soon as possible, the acquisition of goods and services required for restoration are no longer considered an emergency. For the most part, supply and service agreements have and will be used to ensure timely restoration.

Procurement Policy and Agreements

In order to restore critical public services and facilitate the network rebuild there have been several purchases made under specific provisions in several procurement policies and agreements.
The cyberattack, for the purposes of procurement, will be considered as one event and all costs associated with getting a new network in operation will be associated with this event.

Section 5.12, Special Circumstances (Emergency) Purchases, of the City of Saint John Procurement Policy permits the City to follow a non-competitive bid process to remedy an urgent situation. According to section 5.12(e), the relevant details shall be included in a report submitted to Council at the earliest possible opportunity following the special circumstances.

Section 153.1(e) of the General Procurement Act of New Brunswick also allows the direct purchase of "goods and services that are strictly necessary and, for reasons of urgency brought about by an event unforeseeable by the following entities, cannot be obtained in a timely manner through an open competitive bidding process."

Similarly, Article 19.12(d) of the Comprehensive Economic and Trade Agreement of Canada (CETA) and Article 513(d) of the Canadian Free Trade Agreement (CFTA) allow for limited tendering "if strictly necessary, and for reasons of urgency brought about by events unforeseeable by the procuring entity, the goods and services could not be obtained in time using opening tendering." Limited tendering "means a procurement method whereby the procuring entity contacts a supplier or suppliers of its choice."

Furthermore, Article 513.1(i) states that limited tendering is also allowed "if goods or consulting services regarding matters of a confidential or privileged nature are to be purchased and the disclosure of those matters through an open tendering process could reasonably be expected to compromise government confidentiality, result in the waiver of privilege, cause economic disruption, or otherwise be contrary to the public interest."
In this case, releasing any information by way of public tender would not be in the best interest of the City or the public given the unlawful nature of the event at hand.

Insurance

The City has two separate insurance policies that give rise to coverage for events such as the cyberattack: property policy and cyber policy.

Cyber Policy

The City's cyber policy is with AIG, one of the world's leading insurance companies for cyber insurance. There are five (5) sub-limits, two (2) are for third-party liability coverage (protection from liability from damages to others) and three (3) are first-party sub-limits (coverage for our own expenses and damages). There is one deductible ($50,000) that applies to an occurrence regardless of which sub-limits are used, and there is one overall limit ($2,000,000) that applies as well.

The two (2) third party sub-limits are for Security and Privacy Liability and Regulatory Action Liability.

The three (3) relevant first party sections are:

• Cyber Extortion — Monies paid by an Insured, with the Insurer's consent to end a security or privacy threat that would otherwise cause harm to an Insured and the cost to investigate such a threat.
• Event Management — Reasonable and necessary expenses incurred within one year of a security or privacy event to conduct investigations (including forensic), crisis management, notification and education services, insurer services, and/or data restoration.
• Network interruption — Cost from the time of interruption until the 120th day after the interruption that would not have been incurred but for the interruption.

Property Policy

Within the City's property policy with AIG there is coverage for damage to our computer systems. This includes replacement of hardware and the cost to restore the data with a limit of $6 Million. The deductible is $1,000. No exclusions apply.

The policies have separate coverages; however, the Cyber policy can "stack" upon the property policy.
In this case, the property coverage would respond first to the property damage (hardware) and data recovery. The cyber policy would cover any excess over this property policy, also bringing in those other coverages such as the cost of extortion, event management, and service interruption.

The determination as to what the Insurer deems as recoverable will not be confirmed or finalized until the City submits the final claim. The City is still within the timeframe to submit the Proof of Loss and will monitor requirements to ensure timelines are met to recover costs.

SERVICE AND FINANCIAL OUTCOMES

Since the cyberattack on November 13, 2020, the City with the support of third-party vendors has made tremendous progress. The most significant work was the rebuild of the network and backup requirements. Bulletproof led the design and build with support of the City's IT team.

With the urgency to implement a secure network, Bulletproof leveraged supply agreements from several municipalities and governments to procure the components required. Procurement of these requirements was done under emergency and necessary clauses outlined in the City's Procurement Policy, General Procurement Act of New Brunswick, Comprehensive Economic and Trade Agreement of Canada (CETA), and the Canadian Free Trade Agreement (CFTA).

Actual and projected consulting and material costs related to Bulletproof are outlined in Tables 2 and 3. Costs are presented without tax.
Table 2: Bulletproof Solutions ULC consulting costs

| Bulletproof Solutions ULC Consulting | Original SOW | Actual Cost as of Feb 28 | Estimated Remaining | Total Projected | Funding to be submitted |
| --- | --- | --- | --- | --- | --- |
| Recovery Activities | $444,250 | $629,273 | $257,133 | $886,406 | Insurance |
| Forensic Investigation Activities | $45,000 | $72,000 | $0 | $72,000 | Insurance |
| Projected Total | $489,250 | $701,273 | $257,133 | $958,406 | |

Table 3: Bulletproof Solutions ULC material costs

| Bulletproof Solutions ULC Hardware, Licenses, Support | Actual Costs as of Feb 28 | Projected Costs | Total Costs | Funding to be Submitted |
| --- | --- | --- | --- | --- |
| Network Hardware Equipment | $325,516 | $0 | $325,516 | Insurance |
| Server Storage Hardware Equipment | $148,206 | $0 | $148,206 | Insurance |
| Backup Hardware Equipment | $323,282 | $0 | $323,282 | Insurance |
| Support / License - Network | $87,532 | $0 | $87,532 | Operating Reserve |
| Support / License - Server / Storage | $2,938 | $0 | $2,938 | Operating Reserve |
| Support / License - Backup | $228,725 | $0 | $228,725 | Operating Reserve |
| Additional Fire Walls / Switches | 0 | $69,199 | $69,199 | IT Reserve |
| Totals | $1,116,199 | $69,199 | $1,185,398 | |

Mandiant with support from Bulletproof completed a forensic investigation of the City's compromised network in February 2021. Costs related to Mandiant include both consulting and technology fees related to remote access to the compromised network. The necessary technology was implemented by Bulletproof. The investigation involved a review of all the logs from the Bulletproof security operations center generated from the City's SIEM (Security Information and Event Management) solution. Actual costs are noted in Table 4.
Table 4: FireEye Mandiant goods and services costs

| FireEye Mandiant | Original SOW | Actual Costs as of Feb 28 | Projected Cost | Total Projected Costs | Funding to be Submitted |
| --- | --- | --- | --- | --- | --- |
| Incident response activities | $100,000 | $139,200 | $0 | $139,200 | Insurance |
| Incident remediation planning and support | $40,000 | $0 | $0 | $0 | Insurance |
| Reporting | TBD | $24,000 | $0 | $24,000 | Insurance |
| Endpoint Incident Response Technology | $9,000 | $9,000 | $0 | $9,000 | Insurance |
| Network Incident Response Technology | $12,000 | $0 | $0 | $0 | N/A |
| Other | $1,000 | $0 | $0 | $0 | N/A |
| Totals USD | $162,000 | $172,200 | $0 | $172,200 | |
| Estimated CAD | $210,600 | $223,860 | $0 | $223,860 | |

Remaining consulting and material costs related to network recovery and event management are outlined in Table 5.

Table 5: Consulting/Vendor goods and services costs

| Consultant / Vendor | Service | Actual Costs as of Feb 28 | Projected Cost | Total Projected Costs | Funding to be Submitted |
| --- | --- | --- | --- | --- | --- |
| Anisoft | Backup Recovery | $16,278 | | $16,277 | Insurance |
| Ivan's Audio and Visual | Council Chamber Support | $1,806 | | $1,806 | Insurance |
| Blakes / Norton Rose | External Counsel | | $24,000 | $24,000 | Insurance |
| CYPFER | Ransomware Recovery / Cyber Advisory Services | $10,250 | | $10,250 | Insurance |
| Total Projected | | $28,334 | $24,000 | $52,334 | |

With the backup in place, the City's IT Team is moving on to application restores. Several financial and public safety applications have already been restored. Microsoft Office 365 has been implemented providing users with email, administrative applications, and collaboration tools.

Applications have been prioritized for restoration based on service impact, vendor availability, and the City's IT Team resource capacity. Estimates for the recovery are being developed as application restoration facilitators work through a seven-step process that includes defining requirements, designing, and planning steps. Estimated vendor and hardware costs related to application restores are $458,290 plus HST.
Agreements and equipment purchases will be brought forward to Common Council for approval as required by the City's Procurement Policy.

Table 6 outlines miscellaneous costs related to support the recovery and ensure business continuity in the delivery of public services.

Table 6: Incident response actual and projected costs

| Incident Response Costs | Actual Costs as of Feb 28 | Projected Cost | Total Projected Costs | Funding to be Submitted |
| --- | --- | --- | --- | --- |
| Business Continuity - Service Interruption | $6,543 | | $6,543 | Insurance |
| Service Interruption — HVAC 120 days | $7,691 | | $7,691 | Insurance |
| Communications | $171 | | $171 | Insurance |
| Forensics | $94 | | $94 | Insurance |
| Recovery | $3,743 | | $3,743 | Insurance |
| Response | $10,681 | | $10,681 | Insurance |
| City Overtime - Recovery | $33,198 | $10,000 | $43,198 | Insurance |
| Total Costs | $62,121 | $10,000 | $72,121 | |

Overall actual and total projected costs are presented in Table 7. While a significant portion of the network rebuild has been completed, significant costs remain for the application restores. The estimate provided for application restores should consider a contingency of plus or minus twenty percent (+/- 20%).

Of the total projected costs in the amount of $2.95 Million, the City's response team estimates that at least 85% ($2.5 Million) of total costs should be recoverable through the City's two insurance policies. Actual costs incurred and whether they will be covered under the cyber policy cannot be confirmed until the insurer provides their written position following the City's submission of Proof of Loss.

The remaining costs that could range between $400,000 and $500,000 will either be absorbed into IT operating budget or applicable reserves. Renewal and enhancements of information technology requirements are funded out of the IT reserve, with projects planned and presented within the capital budget annually.

Table 7: Overall projected recovery and event management costs related to the cyberattack.
| Response Component | Actuals | Projected | Total Projected |
|---|---|---|---|
| Bulletproof Consulting | $701,273 | $257,133 | $958,406 |
| Bulletproof Hardware/Licenses/Support | $1,116,199 | $69,199 | $1,185,398 |
| FireEye Mandiant | $223,860 | $0 | $223,860 |
| Anisoft | $16,277 | $0 | $16,277 |
| Ivan's Audio and Visual | $1,806 | $0 | $1,806 |
| Blakes / Norton Rose | $0 | $24,000 | $24,000 |
| CYPFER | $10,250 | $0 | $10,250 |
| Vendor Support Application Restores | $0 | $458,291 | $458,291 |
| Incident Response Costs | $62,121 | $10,000 | $72,121 |
| Projected Totals | $2,131,786 | $818,623 | $2,950,409 |

A final cost component of the City's network rebuild is Microsoft licensing for security. The Enterprise Agreement approved by Common Council did not include security costs for moving to Office 365, as the initial plan was to implement a hybrid system of a hosted and on-premise solution over the three-year life of the agreement. Security is currently being purchased through Bulletproof and will transition to Microsoft with the year one reconciliation of licensing needs in April of 2021. Security costs are calculated on a per-user basis. The estimated cost of security is $195,000 plus HST. As with all licenses related to users, these costs are charged back to the respective service areas as an operating cost. These funds are not included in the 2021 budget; however, they will be incorporated into future operating budgets. The installation of Microsoft security features is an industry best practice and significantly improves the City's cyber security risk profile.

INPUT FROM OTHER SERVICE AREAS AND STAKEHOLDERS

This report was prepared in collaboration with the City's Finance Team, Supply Chain Management Team, Risk Management Team, and the Information Technology Team.

ATTACHMENTS

None