A new regulation requires changes to your security policies. How would you approach this at Bain & Company?