The Board of conventional bank licensees must ensure that the licensee has a robust cyber security risk management policy to comprehensively manage the licensee’s cyber security risk and vulnerabilities. The Board must approve the policy and establish clear ownership, decision-making and management accountability for risks associated with cyber-attacks and related risk management and recovery processes. Cyber security must be an item for discussion at Board or Board sub-committee meetings.