A clear reporting line to the Board must be established for cyber security risk incidents. A dedicated IT Security Officer must be appointed with responsibility for cyber and information security.