Item - 2026.AU12.3
Tracking Status
- This item will be considered by Audit Committee on May 1, 2026. It will be considered by City Council on May 20, 21 and 22, 2026, subject to the actions of the Audit Committee.
- See also 2026.EP22.1
AU12.3 - Cybersecurity Audit of Exhibition Place - Phase Two: Overall Network Security and Cybersecurity Assessment of Select Critical Systems
- Consideration Type: ACTION
- Wards: All
Confidential Attachment - Involves the security of the property of the City of Toronto or one of its agencies and corporations.
Origin
Recommendations
The Board of Governors of Exhibition Place recommends that:
1. City Council authorize the public release of Confidential Attachment 1 to the report (March 25, 2026) from the Auditor General at the discretion of the Auditor General, after discussions with the appropriate Exhibition Place and City officials.
Summary
At its meeting on April 16, 2026, the Board of Governors of Exhibition Place considered Item EP22.1 and made recommendations to City Council.
Summary from the report (March 25, 2026) from the Auditor General:
The Auditor General included a cybersecurity audit of Exhibition Place, an agency of the City of Toronto, in her 2025 Work Plan. Exhibition Place is Canada’s largest convention centre and entertainment and sports venue, generating $595 million[1] in economic impact annually and $67.3 million in revenue in 2024.
Phase One of this cybersecurity audit was presented at Exhibition Place’s December 5, 2025, Board meeting. The Auditor General’s Phase One confidential report included results from testing physical security, user access management, and staff awareness of social engineering in relation to cybersecurity.
The Phase One public cover report is available at: Cybersecurity Audit of Exhibition Place – Phase One: Physical Security, User Access Management and Staff Training
Technology plays a vital role in all aspects of Exhibition Place's operations and services. This Phase Two report includes the results of our vulnerability assessment and penetration testing of Exhibition Place’s network, systems, applications and devices, as well as a review of cybersecurity incident logging and monitoring.
This report includes five administrative recommendations. The confidential findings and recommendations are contained in Confidential Attachment 1 to this report. A separate, confidential and detailed technical report was provided to management with technical details to guide them in addressing the report findings and recommendations.
Management agrees with the recommendations contained in Confidential Attachment 1, which also includes management's response.
Background Information
https://www.toronto.ca/legdocs/mmis/2026/au/bgrd/backgroundfile-286261.pdf
(March 25, 2026) Report from the Auditor General on Cybersecurity Audit of Exhibition Place - Phase Two: Overall Network Security and Cybersecurity Assessment of Select Critical Systems
https://www.toronto.ca/legdocs/mmis/2026/au/bgrd/backgroundfile-286262.pdf
Confidential Attachment 1 - Cybersecurity Audit of Exhibition Place - Phase Two: Overall Network Security and Cybersecurity Assessment of Select Critical Systems