There are two aspects to this. The first is the implementation of the bill and the regulatory framework. We all want the bill to be applied in the best way possible, of course. However, we find that some definitions leave room for interpretation. In cases where it's a major issue, we would prefer that the framework be much clearer so that people can comply with it more easily. Terms like “major incident” or “cybersecurity breach” are quite broad and generic. We find ourselves at an impasse. We think it's much simpler to clarify these terms now than to wait until the regulatory stage to establish definitions and end up in a bit of a mess when it comes to determining what to do. It's always better to clarify things right from the start.
The second aspect concerns government intervention. To be clear, we are committed to seeing the essence of the bill come to fruition, since cybersecurity breaches are a major issue. At IBM, we produce an annual report, and we've determined that the cost of a cybersecurity breach is $7 million per affected company, which increases to $12 million when the financial sector is involved. As a result, it's important to take action, and the government must show leadership in this regard. Its actions must also be well regulated, codified and predictable for the players in the system.