A licensee must develop and implement preventive measures to minimise the licensee's exposure to cyber security risk.