My recommendation would be to align with the United States.
As I mentioned earlier, even the Canadian Centre for Cyber Security has mentioned that an incident affecting critical infrastructure in the United States would affect Canada. Much of our critical infrastructure—whether it be energy, rail, transport or, in some cases, telecommunications—crosses borders. We need to align with them. That would be mine: a 72-hour reporting requirement.
The other thing is aligning our definitions of what a cyber-incident is. Currently, the United States is undertaking a study through CISA to define “cyber-incident” and what is reportable. They have 52 different regimes of reporting in the United States. Imagine an entity dealing with a cybersecurity incident and being required to report to 10 or 15 different entities with different types of cyber-incidents.
If it's not aligned, this legislation will actually add to the problem, not resolve it.