They do a lot of different things.
In fact, they propose to us the kinds of things they need to do locally to meet security requirements, and then we fund them on that basis. That can vary, as you can imagine, between institutions, depending on where they're at or how far along they are in their own security measures.