It urges a shift in approach to cyber exposure management