A licensee must ensure that all critical systems are able to recover from a cyber security breach within the licensee's defined recovery time objective in order to provide important services or some level of minimum services for a temporary period of time.