Licensees must have an annual third-party audit of their IT infrastructures and core systems, including penetration testing, undertaken by reputable third-party cyber security consultants. The third-party audit report, including the recommendations and areas of concern, must be submitted to the CBB. The third-party audit report must also include the areas of concern identified by the licensee during the IT System audit as set out under CRA-5.8.5 and the measures taken by the licensee to mitigate those concerns.
Added: April 2019