I think a lot would depend on the regulations, but as the committee will be well aware, there are a number of different expected outcomes associated with the legislation relating to identifying, managing, preventing, detecting and limiting damage associated with cyber-attacks. We're already quite active in a lot of those areas, and we have a lot of levers through our supervisory work to be able to try to encourage financial institutions to respond to those different expectations.
I think the difference here is that if this legislation were to be introduced and regulations were to be introduced, rather than having us rely on our supervisory oversight as a lever to try to encourage good practices, it would be the case that there are different expectations that would have the force of law, which would then be subject to regulatory enforcement.
In terms of the specifics around those different levers, I suspect others would be better placed to speak to them than I.