Board briefing · Q[X] [YYYY]

[YOUR COMPANY] Cyber Risk Briefing

15 minutes. Three things to know. Three decisions for the board.

Presenter: [CISO Name], Chief Information Security Officer

Audience: Board of Directors / Audit Committee / Executive Team

Period covered: [QUARTER]

The whole briefing in one slide

Three things to know. Three decisions to make.

Know

  • Threat landscape: [one sentence summary, e.g., "AI-powered phishing now bypasses our previous training"]
  • Our posture: [one sentence, e.g., "Strong on prevention, gap in third-party risk visibility"]
  • The big change this quarter: [one sentence]

Decide

  • Investment ask: [$X for Y, expected outcome Z]
  • Risk acceptance: [what we're choosing to accept, why]
  • Policy approval: [what changes board should ratify]

Context · 1 minute

The cyber threat landscape today

What changed since last quarter that the board should know about.

AI-powered attacks

Phishing emails are now fluent, personalized, and generated at machine speed, and voice and video can be faked well enough to pass a live call. The Hong Kong deepfake wire fraud (roughly US$25M, authorized on a video call with cloned executives) is the pattern to plan for, not an outlier.

Identity-first breaches

Many of the most damaging 2023–2025 incidents started with a valid login rather than an exploit: Snowflake customers (stolen credentials on accounts without MFA), MGM (help-desk social engineering to reset credentials), Change Healthcare (compromised remote-access credentials, no MFA). Attackers log in; they don't break in.

Third-party / supply chain

Change Healthcare and MOVEit: a single vendor compromise produced industry-wide outages and regulatory headaches. XZ Utils: an open-source maintainer was socially engineered into accepting a backdoor that was caught before it reached stable Linux distributions; next time we may not be that lucky.

The defining shift: less "sophisticated zero-day," more "stolen identity meets unpatched vendor."

Our position · 1 minute

[YOUR COMPANY]'s cyber risk posture today

Area | Status | One-line explanation
Identity & access | [Strong / OK / Gap] | [e.g., "MFA on 98% of accounts; passkeys rolling out Q[X]"]
Endpoint & cloud | [Strong / OK / Gap] | [e.g., "Modern EDR deployed; cloud posture has known drift"]
Third-party risk | [Strong / OK / Gap] | [e.g., "Top 20 vendors assessed; long tail unmapped"]
Data & AI | [Strong / OK / Gap] | [e.g., "AI policy live; shadow AI signal increasing"]
Incident response | [Strong / OK / Gap] | [e.g., "IR plan tested last [MONTH]; tabletop scheduled"]
Awareness & culture | [Strong / OK / Gap] | [e.g., "Phish report rate [X]%, click rate [Y]% — improving"]

Big risk #1 · 90 seconds

AI risk and governance

The board's exposure: regulatory (state AI laws, EU AI Act), data leakage (employees pasting customer data into public AI), and product risk (AI features we ship to customers).

What we've done

  • Adopted an AI Acceptable Use Policy ([DATE])
  • Approved [TOOL] as the only AI tool cleared for sensitive data
  • Trained [N]% of workforce on safe AI use
  • [Other concrete actions]

What still concerns me

  • Shadow AI: [N] unsanctioned AI tools detected in egress (proxy/DNS) logs this quarter, used by [N] employees; we only see the domain, not what was pasted
  • Customer-facing AI features create new attack surface (prompt injection)
  • Vendor AI features turning on by default expand our data reach
  • [Other concerns]
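The shadow-AI number above comes from egress logs. The script below is an added example of how that count is produced; it is not from the original briefing and assumes a constructed proxy-log format (timestamp, user, method, URL, request bytes, status), an illustrative catalogue of AI service domains, and a hypothetical allowlist with one sanctioned tool. It reports distinct unsanctioned tools, which users touched them, and how many bytes were uploaded, since upload volume is the data-leakage signal a board actually cares about.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative catalogue of AI service domains (constructed for this example;
# in practice this is a maintained list or a CASB/proxy category feed).
AI_SERVICES = {
    "openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "anthropic.com": "Claude",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "perplexity.ai": "Perplexity",
    "character.ai": "Character.AI",
}

# Hypothetical allowlist: the one tool cleared for sensitive data.
SANCTIONED = {"Claude"}

# Constructed sample egress log. Format (assumed):
#   <ISO timestamp> <user> <method> <url> <request_bytes> <status>
SAMPLE_LOG = """\
2025-03-04T09:12:01Z alice POST https://api.openai.com/v1/chat/completions 18342 200
2025-03-04T09:15:44Z bob GET https://claude.ai/chats 512 200
2025-03-04T09:16:10Z bob POST https://claude.ai/api/organizations/x/chat_conversations 9120 200
2025-03-04T10:02:33Z carol POST https://www.perplexity.ai/rest/sse/perplexity_ask 4210 200
2025-03-04T10:40:05Z alice POST https://chatgpt.com/backend-api/conversation 27780 200
2025-03-04T11:03:19Z dave GET https://www.example.com/ 0 200
2025-03-04T11:30:00Z erin POST https://gemini.google.com/app/upload 150000 200
2025-03-04T11:31:00Z erin GET https://mail.google.com/mail/u/0/ 0 200
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def classify_host(host: str):
    """Return the AI tool name for a host, matching on any parent domain
    in the catalogue (api.openai.com -> openai.com), or None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AI_SERVICES:
            return AI_SERVICES[candidate]
    return None


def parse_line(line: str):
    """Parse one log line into (user, method, host, request_bytes).
    Returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, method, url, req_bytes, _status = parts
    host = urlsplit(url).hostname
    if host is None or not req_bytes.isdigit():
        return None
    return user, method.upper(), host, int(req_bytes)


def build_report(lines):
    """Aggregate per-tool usage: users, request count, uploaded bytes,
    and whether the tool is on the sanctioned list."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, host, req_bytes = parsed
        tool = classify_host(host)
        if tool is None:
            continue  # not an AI service we track
        entry = report[tool]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in UPLOAD_METHODS:
            entry["bytes_up"] += req_bytes
    return {
        tool: {
            "sanctioned": tool in SANCTIONED,
            "users": sorted(e["users"]),
            "requests": e["requests"],
            "bytes_up": e["bytes_up"],
        }
        for tool, e in report.items()
    }


def summarize(report):
    """The three numbers that go on the slide."""
    unsanctioned = {t: e for t, e in report.items() if not e["sanctioned"]}
    users = set()
    for e in unsanctioned.values():
        users.update(e["users"])
    return {
        "unsanctioned_tools": len(unsanctioned),
        "unsanctioned_users": len(users),
        "bytes_up_unsanctioned": sum(e["bytes_up"] for e in unsanctioned.values()),
    }


if __name__ == "__main__":
    rep = build_report(SAMPLE_LOG.splitlines())
    for tool, e in sorted(rep.items()):
        print(f"{tool:12} sanctioned={e['sanctioned']!s:5} users={e['users']} "
              f"requests={e['requests']} bytes_up={e['bytes_up']}")
    print(summarize(rep))
```

Two caveats worth stating on the slide. First, with TLS the proxy only sees the host name (via SNI) unless you run TLS inspection or a CASB, so the URL path and byte counts above assume an intercepting proxy; with DNS logs alone you get tool and user, not volume. Second, suffix matching is deliberate: `mail.google.com` is not flagged because only `gemini.google.com` is in the catalogue, so the catalogue has to be maintained as vendors bolt AI onto existing domains.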

Big risk #2 · 90 seconds

Material cyber risk & disclosure

For public companies: the SEC's cyber disclosure rule (Form 8-K Item 1.05) requires reporting a material cyber incident within four business days of determining that it is material, and that determination must be made without unreasonable delay after discovery, so in practice the clock starts with the investigation, not with a decision we can defer. For private companies: contracts, insurance, and state laws increasingly require similar timelines.

Our readiness

  • Materiality assessment framework defined ([DATE])
  • Cross-functional response team (IT/Legal/Comms/Finance) chartered
  • Last tabletop: [DATE]; next: [DATE]
  • Legal counsel pre-engaged on disclosure procedures

Where the board comes in

  • Our annual 10-K must now describe how the board oversees cyber risk (Regulation S-K Item 106), so that oversight has to exist and be documented
  • Personal exposure: D&O policies may not cover board negligence on cyber
  • Decision needed: how often does the board want substantive cyber briefings? Recommend: quarterly + emergency

Big risk #3 · 90 seconds

Third-party and supply-chain risk

Our most likely path to a major incident isn't a direct attack on us; it's a vendor we trusted getting breached and taking us down with them, through the access and data we gave them.

The exposure

[N] vendors with access to sensitive data. Top [N] cover [P]% of risk by concentration. The long tail is our blind spot.

Recent reference cases

Change Healthcare — broke US prescription processing for weeks. Snowflake customers — credential-stuffing campaign hit 165+ orgs. MOVEit — hit 2,700+ organizations.

What we're doing

Top-tier vendor reviews on annual cadence. Critical vendor list maintained. Contractual security minimums updated [DATE]. SBOMs requested from top vendors.

Wins · 1 minute

What's working — the wins this quarter

[X]%

Phishing report rate

Up from [Y]% last quarter. Faster reports = smaller incidents.

[X]

Mean time to detect

[X] hours, down from [Y]. Below industry median of [Z].

$0

Material incidents

No material cyber events this quarter. Multiple near-misses contained.

[1-sentence narrative about the quarter — what changed, what improved, what investment paid off.]

Investments · 1 minute

Where the cyber budget is going

Investment area | This year | Why
Identity (passkeys, IdP) | [$X] | Highest-ROI control; phishing-resistant MFA removes the stolen password as an attack path
Cloud posture / CSPM | [$X] | Catch misconfigurations before they expose data
Awareness program | [$X] | Modern, AI-aware, role-based; [N] employees
Third-party risk tooling | [$X] | Continuous vendor monitoring; replaces point-in-time manual assessments
IR readiness / tabletops | [$X] | Practiced response is the difference between hours and weeks
[Other] | [$X] | [Reason]

Most cyber budget waste comes from buying tools without addressing the root cause: identity, third-party, and human factors. We're investing where the incidents actually start.

Insurance & D&O · 1 minute

Cyber insurance and board exposure

Our cyber insurance

  • Limit: [$X]M / [$Y]M (aggregate)
  • Retention: [$X]K
  • Renewal: [DATE]
  • Coverage gaps the board should know about: [list]

D&O exposure note

Cyber events increasingly draw regulatory action and shareholder litigation that names individuals, not just the company. Recent examples: the SEC's 2023 fraud charges against SolarWinds and its CISO (largely dismissed in 2024, but they established that public security statements are scrutinized like financial ones), the 2022 criminal conviction of Uber's former CISO for concealing a breach, and a growing list of state attorney general actions.

What protects the board: documented cyber oversight, reasonable cybersecurity investment, and demonstrable board engagement. This quarterly briefing is part of that record.

Asks · 2 minutes

Decisions we're asking the board to make today

1. Investment

Ask: [Approve $X for Y]

Why: [One sentence]

Outcome if approved: [Measurable result]

Outcome if not: [What risk persists]

2. Risk acceptance

Ask: [Accept residual risk on X]

Why: [Cost of mitigation vs. risk]

What we'll do: [Compensating control]

Re-evaluate when: [Trigger]

3. Policy / governance

Ask: [Approve the updated [POLICY]]

Why: [Reason — regulatory, contractual, risk-driven]

Owner: [Who'll operate this]

Effective: [Date]

Honesty · 1 minute

What's keeping me up at night

Boards sometimes mistake my optimism for confidence. Here's what I genuinely worry about — so you know I'm being straight with you.

If we get hit by a major incident in the next 12 months, my best guess is it starts here. That's why we're investing where we are.

Q & A · 3 minutes

Questions

Common questions I'm ready to go deeper on:

Strategic

  • How does our posture compare to peers in [INDUSTRY]?
  • What would a "well-run" cyber program look like for a company our size?
  • If we had to cut [N]% of cyber budget, where would I cut and what would I protect?

Operational

  • What happens if [biggest fear scenario]?
  • Show me how we'd handle a ransomware event tomorrow
  • What's our position on paying ransoms?
  • Where does AI-related risk land on our risk register?

Full Q&A prep covering 24 anticipated board questions is in the kit, in 04-Q-And-A-Prep.md.