A licensee's CISO, as referred to in Paragraph CRA-5.8.3(d), is responsible for overseeing and implementing the licensee's cyber security program and enforcing its cyber security policy. The CISO must report to an independent risk management function or the licensee must incorporate the responsibilities of cyber security risk into the risk management function.