Thank you for the question.
I think this is the classic situation in which the banks don't have to disclose their own vulnerabilities, but they can, in aggregate form through an organization like the CBA, report all the various attacks that have occurred in a certain time period and where those attacks originated from. They'll say that they've had all of these malicious people from the outside or they've had malicious insiders. The Bank of Nova Scotia has been sued in a class action lawsuit because of the actions of a rogue employee. That was not audited properly by the bank in terms of accessing personal information.
We need to know that not just when it comes up and somebody sues, but in aggregate form so that we can develop policy accurately and so we can ask where the focus should be. Should we be investing in protecting our national infrastructure, and the banks are part of that? Should we be telling customers to keep their passwords safer and so on and so forth?
These are basic questions that we don't have answers to. If we got them in aggregate form about various industries, it would be very helpful. We don't have that right now.