Key Findings

• Vendor & Licensing Gaps: Yellow ratings in every business line revealed the need for a formal vendor cybersecurity evaluation framework and greater transparency into third-party software lifecycles.

• Legacy System Risk: Despite modern infrastructure, legacy dependencies in some internal applications risked impeding future agility.

• Technical Debt Accumulation: Identified the lack of a unified technical debt registry or funding plan as a major barrier to architectural simplification.

• Emerging Threats: RBC’s defenses were robust but at risk of lagging behind evolving global threat vectors and supply chain attacks.

⚠️ Top Strategic Risks Identified

1. Cybersecurity threat evolution outpacing current defense stack

2. Regulatory fragmentation across jurisdictions (Canada, EU, US)

3. Cloud vendor lock-in due to reliance on specific hyperscalers

4. M&A IT integration complexity

5. Data governance gaps impacting AI/ML integrity

💡 Key Recommendations

1. Enhance Threat Intelligence Integration using SIEM and SOAR tooling

2. Accelerate Technical Debt Reduction via a task force and dedicated funding

3. Implement Advanced Data Quality Controls for AI model reliability

4. Strengthen Third-Party Risk Management with standardized cybersecurity scoring

5. Conduct Operational Resilience Drills simulating multi-system failures

📈 Outcomes

• Delivered a risk reduction roadmap, estimated to reduce exposure by ~41%

• Influenced RBC’s Digital Resilience Strategy and 2026 Cloud Optimization Plan

• Led to follow-on engagements around vendor risk scoring and zero-trust implementation

• Provided actionable insights that were presented to board-level stakeholders

🧩 Tools, Standards & Methodologies Used

• NIST 800-30, MITRE ATT&CK, OSFI Tech Risk Guidelines

• Tenable/Nessus for vulnerability management

• ELK Stack for log analysis

• Custom-built audit heatmaps and risk scoring matrices

• Integration with RBC’s DevOps pipelines for live data