Insurance licensees must establish clear ownership and management accountability for the risks associated with cyber-attacks. They must establish the related risk management processes commensurate with their size, nature of activities and risk profiles. Cyber security measures must be made part of the licensee's IT security policy.