A licensee, based on the assessment of cyber security risk exposure and with an objective to mitigate cyber security risk, must evaluate and consider the option of availing cyber risk insurance. The evaluation process to determine suitability of cyber risk insurance as a risk mitigant must be undertaken on a yearly basis and be documented by the licensee.