A practitioner checklist for preparing and reviewing the periodic board cyber risk report — covering incidents and breach summary, vulnerability posture, regulatory status, risk appetite gap analysis, budget update, and recommended board decisions.
Incidents & Breach Summary
The board needs an accurate, unvarnished account of every security incident in the reporting period. Under-reporting or softening incident language erodes board trust and can create regulatory exposure.
Total incident count for the period, broken down by severity (Critical / High / Medium / Low) and by incident type (ransomware, phishing, data breach, insider, DDoS, etc.)
Any CERT-In reportable incidents (6-hour rule): confirmation of timely reporting, notification reference number, and current status
Any regulator-notifiable data breaches (DPDP Act / SEBI / RBI / IRDAI): notification status, timeline, and board-approved communication
Material incidents: brief narrative of what happened, root cause, impact (financial, operational, reputational), and remediation status
Near-miss incidents: significant events that were detected and contained before material impact, with lessons-learned summary
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR): current period vs. prior period trend
Third-party / supply chain incidents: incidents originating from or impacting critical vendors, and vendor response status
Board Liability Risk
Board members have personal liability exposure if material cyber incidents are not reported to them in a timely and accurate manner. Never sanitise incident descriptions for board consumption — report facts, impact, and status clearly.
Vulnerability Posture
Vulnerability posture gives the board a real-time view of the organisation's attack surface. Trend data is more meaningful than point-in-time snapshots.
Total open vulnerabilities by severity: Critical, High, Medium, Low — with trend vs. prior quarter
Critical and High vulnerabilities: count exceeding SLA remediation deadline, age of oldest unpatched Critical finding
VAPT / penetration test status: date of last assessment, next scheduled assessment, current open findings count by severity
Patch management coverage: percentage of endpoints patched within SLA, percentage with unsupported/EOL software
External attack surface: internet-facing assets with known vulnerabilities, exposure via cloud misconfigurations
Third-party vulnerability exposure: critical vendor assessment status, any vendor-originated vulnerabilities affecting the organisation
Remediation capacity: current bandwidth vs. incoming vulnerability volume — is the team falling behind or catching up?
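The posture numbers above (open count by severity, Critical/High findings past SLA, age of the oldest open Critical, trend versus the prior quarter, and remediation capacity) can be derived directly from a scanner export. The script below is an added illustration, not the page's or RiskSage's own code; the SLA days and the findings list are constructed placeholder values.

```python
"""Board-report vulnerability posture metrics from a findings export.
Added example with constructed data; SLA days are assumed policy values."""
from collections import Counter
from datetime import date

# Assumed remediation SLAs in days by severity (placeholder policy values).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed sample export: (finding_id, severity, first_seen, closed_on or None)
FINDINGS = [
    ("F-001", "Critical", date(2024, 1, 5), None),
    ("F-002", "Critical", date(2024, 3, 20), None),
    ("F-003", "High", date(2024, 2, 1), None),
    ("F-004", "High", date(2024, 3, 25), date(2024, 3, 28)),
    ("F-005", "Medium", date(2023, 11, 1), None),
    ("F-006", "Low", date(2024, 3, 1), None),
]


def posture(findings, period_start, as_of, prior_open=None):
    """Return the board-level numbers for the period (period_start, as_of].

    prior_open: {severity: open count} at the end of the prior quarter,
    used for the trend line; omit it if no prior data exists.
    """
    # A finding is open on as_of if it was seen by then and not yet closed.
    open_items = [f for f in findings
                  if f[2] <= as_of and (f[3] is None or f[3] > as_of)]
    by_sev = Counter(f[1] for f in open_items)
    age = {f[0]: (as_of - f[2]).days for f in open_items}
    over_sla = [f[0] for f in open_items
                if f[1] in ("Critical", "High") and age[f[0]] > SLA_DAYS[f[1]]]
    crit_ages = [age[f[0]] for f in open_items if f[1] == "Critical"]
    opened = sum(1 for f in findings if period_start < f[2] <= as_of)
    closed = sum(1 for f in findings
                 if f[3] is not None and period_start < f[3] <= as_of)
    report = {
        "open_by_severity": {s: by_sev.get(s, 0) for s in SLA_DAYS},
        "crit_high_over_sla": len(over_sla),
        "oldest_critical_days": max(crit_ages, default=0),
        # Remediation capacity: positive backlog change means falling behind.
        "opened_in_period": opened,
        "closed_in_period": closed,
        "backlog_change": opened - closed,
    }
    if prior_open:
        report["trend_vs_prior"] = {s: by_sev.get(s, 0) - prior_open.get(s, 0)
                                    for s in SLA_DAYS}
    return report
```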
Regulatory Status
Boards have direct accountability for regulatory compliance. The cyber risk report must give a clear current-state view of all active regulatory obligations.
| Regulator | Key Obligation | Status | Next Deadline |
|---|---|---|---|
| CERT-In | 6-hour incident reporting, log retention 180 days | Include current status | Ongoing |
| DPDP Act 2023 | Data breach notification, consent management, DPA contracts | Include current status | Rules pending |
| IRDAI (if insurer) | IS Audit board submission, VAPT, ICF self-assessment | Include current status | Jun 29 |
| RBI (if bank/NBFC) | IT outsourcing, cyber incident reporting, IS audit | Include current status | Per RBI calendar |
| SEBI (if applicable) | CSCRF compliance, SOC reporting, cyber audit | Include current status | Per SEBI calendar |
All active regulatory mandates listed with compliance status: Compliant / Partially Compliant / Non-Compliant / In Progress
Any regulatory findings, show-cause notices, or audit observations from the past 12 months: current status and response timeline
Upcoming regulatory deadlines in the next 90 days: specific action required, owner, and readiness assessment
Regulatory changes that will affect the organisation in the next 6 months: impact assessment and preparation status
Board attestations or resolutions required by regulators: pending items needing board action in this meeting
Risk Appetite Gap
The risk appetite gap section answers the board's most important question: Is our current cyber risk exposure within the boundaries the board has set?
Current board-approved cyber risk appetite statement referenced — if older than 12 months, flag for board review and reaffirmation
Current risk exposure (ALE 90th percentile from CRQ model) compared against risk appetite threshold for each major risk category
Scenarios exceeding risk appetite threshold clearly flagged in RED with proposed treatment and decision required from board
Scenarios within risk appetite confirmed as managed and monitored — not dismissed
Change in risk appetite gap vs. prior period: are we improving or deteriorating?
Cyber insurance coverage gap: difference between maximum scenario loss and insurance coverage limit, in financial terms
Residual risk after controls: explicit statement of risks the organisation is accepting and the basis for that acceptance
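The gap comparison described above (ALE 90th percentile per category against the board's appetite threshold, RED flagging with a decision required, change versus the prior period, and the insurance coverage gap) is shown as a small computation below. This is an added example, not the page's or RiskSage's own code; the category names, ALE figures, thresholds and insurance limit are constructed placeholder values.

```python
"""Risk appetite gap table for a board report, from CRQ model output.
Added example with constructed figures (assumed units: INR crore/year)."""

# Constructed CRQ output: ALE at the 90th percentile, now and prior period,
# plus the maximum single-scenario loss per category.
ALE_P90 = {"Ransomware": 42.0, "Data breach": 18.5, "Third party": 9.0}
ALE_P90_PRIOR = {"Ransomware": 35.0, "Data breach": 21.0, "Third party": 9.5}
MAX_SCENARIO_LOSS = {"Ransomware": 120.0, "Data breach": 60.0, "Third party": 25.0}
# Assumed board-approved appetite thresholds per category and insurance limit.
APPETITE = {"Ransomware": 30.0, "Data breach": 20.0, "Third party": 10.0}
INSURANCE_LIMIT = 75.0


def gap_table(ale, prior, appetite):
    """One row per category: exposure vs threshold, status, gap, trend."""
    rows = {}
    for cat, threshold in appetite.items():
        exposure = ale[cat]
        gap = exposure - threshold
        rows[cat] = {
            "exposure": exposure,
            "threshold": threshold,
            # RED means a board decision is required: accept, treat, or revise.
            "status": "RED" if gap > 0 else "WITHIN",
            "gap": round(gap, 2),
            "change_vs_prior": round(exposure - prior[cat], 2),
            "decision_required": gap > 0,
        }
    return rows


def total_excess(ale, appetite):
    """Sum of exposure above threshold across categories (within-appetite
    categories contribute zero)."""
    return round(sum(max(ale[c] - t, 0.0) for c, t in appetite.items()), 2)


def gap_trend(ale, prior, appetite):
    """Is the overall appetite gap improving or deteriorating vs prior period?"""
    now, before = total_excess(ale, appetite), total_excess(prior, appetite)
    if now < before:
        return "improving"
    return "deteriorating" if now > before else "unchanged"


def insurance_gap(max_loss, limit):
    """Financial gap between the worst single scenario and the cover limit."""
    return round(max(max(max_loss.values()) - limit, 0.0), 2)
```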
Budget Update
Cyber security budget is a board-level decision. The report must give the board enough information to evaluate whether current investment levels are appropriate relative to risk exposure.
Current period cyber security spend vs. approved budget: on track, overspent, or underspent — with explanation for variances
Spend breakdown by category: people, technology, services (VAPT, audits, consultancy), compliance, insurance
Budget adequacy assessment: is current spend sufficient to maintain controls at the level assumed in the CRQ model?
Unbudgeted spend requests: any items requiring board approval for additional investment, with risk-based justification
Cyber insurance premium vs. coverage trend: is the organisation getting appropriate value from its insurance programme?
Return on Security Investment (ROSI): where quantifiable, estimated ALE reduction per rupee of control investment
Next period budget request (if applicable): proposed allocation with risk-prioritised justification
Recommended Board Actions
Every board report should conclude with a clearly numbered list of decisions or actions required from the board. Ambiguous recommendations lead to deferred decisions and unmanaged risk.
Each recommended action is numbered, specific, and owned: "The board is requested to approve..." not "It is suggested that..."
Risk appetite review: if current exposure exceeds threshold, explicit board decision required (accept, treat, or revise appetite)
Regulatory attestations: any board resolutions or sign-offs required for regulatory compliance clearly listed with deadline
Budget approvals: unbudgeted items requiring board sanction listed with business case summary
Policy ratifications: any updated cyber security policies requiring board sign-off presented for approval
Next report date and format confirmed: frequency, distribution list, and any format changes for future reports agreed
RiskSage AI Capability
RiskSage AI by CreativeCyber automates board cyber risk report generation — pulling live data from incident logs, vulnerability scanners, regulatory calendars, and CRQ models to produce a board-ready report with one click.