"Completely pays for itself in under five years." ...
One possible path would pair tougher cybersecurity requirements with a phase-in period.