The Board must ensure that the cyber security risk policy and procedures are robust and can comprehensively assist the licensee's cyber security requirements. In the case of branches, it is recommended that there is a formal sign-off of a localised version of such policy.