Mr. David McGill:

The reason we went for a sectoral approach, from a regulatory point of view, is that each of the regulators knows its sector and knows how mature its sector is in terms of systems. Some will be better than others. The risk management measures are set out as one of the articles or heads. What will happen is that an entity will be assessed for its compliance with those measures. The competent authorities can either send in their own staff or require that a third-party independent security assessor be brought in by the entity to assess for compliance. It could be something as simple as a requirement to have three fire walls. If an entity does not have three fire walls, it is not meeting that.

Those measures are not set in the legislation. Rather, they are set out as part of the risk management measures that will be implemented as part of the guidelines. Potentially, after a security audit has taken place, if the regulators are not happy with what is going out, they can set out measures to say that the entity needs to increase its cybersecurity measures and issue it with a notice to that effect. The entity will be given a certain amount of time to implement the measures. If it does not comply within that time, it then becomes an offence. A lot of discretion is afforded to the competent authority.