Boardroom Tool

Example Cybersecurity Board Reporting

By Gregory Touhill

04/16/2026

Partner Content Provided by Internet Security Alliance

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, provides examples of foundational practices and metrics boards may leverage to determine the soundness of cyber-risk oversight during regularly scheduled cybersecurity briefings. It provides suggested cyber risk-related questions for board members to discuss with senior management.

Introduction

Cyber-risk oversight is a set of activities designed to ensure that realized risks are kept within tolerable levels and do not endanger the operational resilience of the corporation. The board’s role is to challenge management to identify the right balance between effort/expense and outcomes with the understanding that it is constantly moving and changing.

It’s important to remember that cyber risk cannot be managed to zero risk. High-performing boards understand this fact and strive to reduce the likelihood and severity of disruptive cyber events, rather than eliminate them entirely. Focusing on the “critical few” issues aligned with strategic business objectives improves clarity of analysis and aids decision-making.

Cyber-Risk Oversight Areas

Purpose and Cadence of Cyber-Risk Reports

Boards want a clear view of risk, readiness, and response. Report types can include:

Cyber-Risk Brief (standing agenda item)
  Trigger: Every board meeting
  Format: Two-page executive memo + dashboard
  Objective: Trend analysis, resource needs

Material-Incident Update
  Trigger: Within 24 hours of the determination of materiality (aligns with SEC Item 106)
  Format: One-page incident sheet + follow-up call
  Objective: Facts, impact, containment, disclosure steps

Deep-Dive Session
  Trigger: Quarterly
  Format: Thirty-minute workshop
  Objective: Strategy, emerging threats, and budget alignment


Key Focus Areas for Boards

Cyber-Risk Posture at a Glance

Heat-map of the top five enterprise risks (likelihood vs. impact) mapped to business objectives. Where possible, quantify their business impact on those objectives and include scenarios.


Key Metrics (Quarter-on-Quarter Trend)

Industry-standard metrics used to assess due care and due diligence in the effectiveness and management of cyber-risk controls. Boards should track these metrics and their trends over time to assess performance.

Exposure
  Example Metrics (Target): Percent of critical assets with Multi-Factor Authentication (MFA) (> 98%)
  Why It Matters: Attack-surface reduction

Resilience
  Example Metrics (Target): Mean time-to-detect (MTTD) and mean time-to-recover (MTTR)
  Why It Matters: Operational continuity

Hygiene
  Example Metrics (Target): Critical vulnerabilities > 30 days old (< 5%)
  Why It Matters: Patch discipline

Third Party
  Example Metrics (Target): Vendors with cybersecurity SLAs (> 90%); vendors with a current SOC 2 Type 2 report (> 90%)
  Why It Matters: Supply-chain assurance

Culture
  Example Metrics (Target): Phish click rate (< 2%)
  Why It Matters: Human firewall strength

Data Security
  Example Metrics (Target): Percent of sensitive data (PII/PHI/financial) classified and inventoried (> 95%); percent of third-party data processors with current security assessments (> 90%)
  Why It Matters: Visibility drives down risk; third-party data-flow risk management
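As an added illustration that is not part of the handbook tool, the Python below computes three of the metrics in the table above (MFA coverage of critical assets, critical vulnerabilities older than 30 days, phish click rate) from constructed sample data and scores each against the table's target with a quarter-on-quarter trend. The asset inventory, vulnerability dates, phishing figures and function names are all my own assumptions.

```python
from datetime import date
# Targets from the Key Metrics table: (threshold, higher_is_better)
TARGETS = {
    "mfa_critical_pct": (98.0, True),          # > 98% of critical assets with MFA
    "stale_critical_vulns_pct": (5.0, False),  # < 5% of critical vulns > 30 days old
    "phish_click_pct": (2.0, False),           # < 2% phish click rate
}
# Constructed sample inventory: (asset, is_critical, mfa_enforced)
ASSETS = [("erp-db", True, True), ("payroll", True, True),
          ("vpn-gw", True, False), ("crm", True, True), ("wiki", False, False)]
# Constructed open critical vulnerabilities: (asset, date_first_seen)
CRITICAL_VULNS = [("erp-db", date(2026, 1, 5)), ("vpn-gw", date(2026, 3, 20)),
                  ("crm", date(2026, 3, 28))]
# Constructed phishing-simulation result: (clicks, emails_sent)
PHISH = (3, 200)

def pct(part, whole):
    """Percentage to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def mfa_critical_pct(assets=ASSETS):
    critical = [a for a in assets if a[1]]
    return pct(sum(1 for a in critical if a[2]), len(critical))

def stale_critical_vulns_pct(vulns=CRITICAL_VULNS, as_of=date(2026, 3, 31)):
    stale = [v for v in vulns if (as_of - v[1]).days > 30]
    return pct(len(stale), len(vulns))

def phish_click_pct(result=PHISH):
    return pct(result[0], result[1])

def evaluate(name, value, previous):
    """Strict comparison against the target, plus quarter-on-quarter direction."""
    threshold, higher_is_better = TARGETS[name]
    on_target = value > threshold if higher_is_better else value < threshold
    if value == previous:
        trend = "flat"
    else:
        trend = "improving" if (value > previous) == higher_is_better else "worsening"
    return {"value": value, "target": threshold, "on_target": on_target, "trend": trend}

def board_dashboard(previous_quarter):
    """Score every metric for the brief; previous_quarter maps name -> last value."""
    current = {"mfa_critical_pct": mfa_critical_pct(),
               "stale_critical_vulns_pct": stale_critical_vulns_pct(),
               "phish_click_pct": phish_click_pct()}
    return {n: evaluate(n, v, previous_quarter[n]) for n, v in current.items()}
```

With the sample data, MFA coverage (75%) and stale critical vulnerabilities (33.3%) both miss their targets while improving on the prior quarter, which is exactly the trend-versus-target distinction the brief should surface.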

 

Significant Events Since Last Report

For each incident rated ≥ “Medium” severity, or above a defined expected-impact threshold:

  • what happened (attack vector, timeline, affected systems)
  • business impact (financial, operational, reputational, legal)
  • containment and recovery status (completed/in progress)
  • root cause and lessons learned (process or control gaps)
  • regulatory filings (e.g., SEC 8-K, CIRCIA 72-hour, state breach laws)

Compliance and Assurance Snapshot

  • status vs. compliance obligations (NIST CSF 2.0, ISO 27001, CMMC, HIPAA/PCI/etc.)
  • audit findings, penetration test results, cyber insurance posture

Forward-Looking Plan and Investment Needs

  • roadmap of priority initiatives for the next two quarters (and associated metrics)
  • budget requests tied to quantified risk reduction

Industry Best Practices

  • comparison of corporate cyber-risk controls to industry peers
  • industry trends in cyber-risk management (e.g., introduction of new technical or procedural controls)

Emerging Threats

Introduction of emerging threats to the business, their potential impact and risks, and proposed actions to address anticipated risks (with timelines and associated metrics).

 

Questions the Board Can Ask to Assess Their Cyber-Risk Board Reports

  • Do the risk reports allow the board to comprehensively understand the sources (both internal and external) of cyber risk?
  • Do the risk reports show if cyber risks are within established limits of organizational risk appetite and risk tolerance?
  • Have the full implications (e.g., life safety, revenue, and reputation) of realized cyber risks been analyzed and quantified?
  • Is the board being presented with timely, accurate, and relevant metrics and appraisals of cyber risk?
  • Are we able to effectively interpret and assess management and third-party presentations on cyber risk, as well as their answers to our questions?
  • Do we have adequate and diverse sources of technical expertise to present the board with sufficient knowledge to make informed decisions on this topic?

 

Questions Boards Can Ask Management About the Cybersecurity Program

  • Are corporate strategy and cyber-risk management practices aligned? How are areas of potential misalignment identified and analyzed?
  • Do you have access to the quantity and quality of resources necessary to manage cyber risk effectively?
  • Are we keeping pace with the threat environment? How does this compare with our competitors?
  • Do we have a program of independent third-party testing and evaluations of cyber control activities and functions?
  • Which models/frameworks/standards of practices are informing our cyber-risk management practices? How were these selected?
  • Have the potential sources and consequences of cyber incidents been examined, and specific business impacts determined?
  • Are we striking an appropriate balance in our cyber practices to manage both conditions (e.g., defend) and consequences (e.g., recover)?
  • Do we have justifiable and quantifiable confidence in the efficiency of cyber-risk management practices? If so, how was this determined?
  • Do we have adequate visibility and authority to measure conformance with requirements in third-party relationships (e.g., public cloud service providers)?
  • How are critical cybersecurity/cyber-risk management skills cultivated and kept contemporary?
  • How does the introduction of emerging sophisticated technologies (e.g., agentic AI and quantum computing) alter our cyber risk roadmap and strategy?

 

