Item - 2026.AU11.5

The Audit Committee recommends that:

1. City Council authorize the public release of Confidential Attachment 1 to the report (November 21, 2025) from the Auditor General at the discretion of the Auditor General, after discussions with the appropriate Exhibition Place and City officials.

At its meeting on December 5, 2025, the Board of Governors of Exhibition Place considered Item EP20.1 and made recommendations to City Council.

Summary from the report (November 21, 2025) from the Auditor General:

The Exhibition Place is an agency of the City of Toronto and managed by the Board of Governors of Exhibition Place. As Canada’s largest exhibition and convention centre, the Exhibition Place is used for conventions, conferences, trade shows, entertainment and sporting events, public celebrations, festivals, and cultural attractions, generating over $594.5 million per year in economic impact.

Technology plays a vital role in all aspects of the Exhibition Place's operations and services. Given the size of the operations, and the services that Exhibition Place provides, the Auditor General included a cybersecurity audit of the Exhibition Place in her 2025 Work Plan.

This audit is conducted in two phases. Phase One of this audit focused on:

- Physical security at selected facilities,
- User access management, and
- Social engineering and staff awareness.

Phase Two, which is in progress, will include an overall assessment of Exhibition Place's networks, systems, and application security and will be reported to the Board in April 2026.

This report includes five administrative recommendations. The confidential findings and recommendations are contained in Confidential Attachment 1 to this report. A separate confidential detailed technical report has been provided to management with technical details to guide them in addressing the report findings and recommendations.

Management agrees with the recommendations contained in the Confidential Attachment 1, which also includes management's response.