As the committee is aware, we've had these discussions, and PIPEDA has a pending statutory security breach notification requirement, which will come into effect once the regulations are put out for comment and then ultimately implemented.
One of the comments that industry has made about those regulations is that it's incredibly important to keep them not prescriptive but to give some flexibility. But the statutory safeguarding requirement in PIPEDA is simple. In essence, it's a couple of lines. You need to have reasonable security safeguards. There is jurisprudence already that this means it doesn't have to be perfect, but what is reasonable? Reasonable is informed by its standards. There's a wealth of information security governance standards out there that especially entities in the financial services sector, insurance and financial services, will follow. Within those, it's a basic concept of information security governance.
Now, especially in the wake of the global ransomware attack, which was another wake-up call globally about this, it's a matter of vigilance with respect to the establishment of a continuous information security governance program. Within that, you not only have policies and procedures that you continually review, monitor, and independently test, you also have incident response and readiness plans that you implemented. If you treat it like a piece of paper and file it, it's not worth the paper it's written on. It's a living, breathing type of framework to address proactively information security concerns that not only threaten individual companies but are a systemic threat to the entire country.