Overview
When a significant security incident hits, the board needs to know quickly, clearly, and with the right level of detail. This memo template gives CISOs a structured format for notifying the board of directors about material cyber incidents, ongoing breaches, or emerging risks that could affect the organization. The template balances urgency with clarity, providing enough technical context without overwhelming non-technical board members.
Memo Structure
- Subject line and incident classification (Critical/High/Medium)
- Executive summary: what happened, when, and current status
- Scope of impact: systems, data, customers, and operations affected
- Response actions taken and team mobilized
- Regulatory and legal implications
- Business continuity and customer impact assessment
- Recommended board actions and resource requests
- Next steps and follow-up communication schedule
Notification Triggers
| Trigger | Board notification timeline | Detail level |
|---|---|---|
| Active data breach with customer PII | Within 24 hours | Full memo with impact assessment |
| Ransomware impacting production systems | Within 24 hours | Full memo with recovery timeline |
| Regulatory investigation or enforcement action | Within 48 hours | Full memo with legal counsel input |
| Critical vulnerability affecting core infrastructure | Within 72 hours | Briefing memo with remediation plan |
| Third-party breach affecting shared data | Within 72 hours | Briefing memo with vendor response status |
| Material cyber insurance claim | Within 48 hours | Full memo with financial impact |
Writing for a Non-Technical Audience
Board members care about business impact, not packet captures. Lead with what the organization stands to lose: revenue, customer trust, regulatory penalties, and competitive position. Use analogies that connect to business concepts they already understand. Instead of saying "an attacker exploited CVE-2024-1234 to achieve remote code execution," say "an attacker used a known software weakness to gain access to our internal systems." Provide enough technical detail to demonstrate competence but avoid jargon that obscures the message.
Legal Considerations
Have outside counsel review the memo before distribution when possible. Use attorney-client privilege headers if appropriate. Be precise about what is confirmed versus what is still under investigation. Avoid speculation about who the attacker might be or the total data impact until forensics are complete. Document that the memo is being shared in the context of governance oversight. Keep distribution limited to board members and named advisors.
Follow-Up Communication Plan
The initial memo is just the beginning. Establish a regular cadence of updates: daily for active critical incidents, twice weekly during the investigation phase, and weekly during remediation. Each update should reference the original memo and report progress against the action items it listed. Schedule a formal board presentation within 30 days of incident closure to cover the full post-mortem, corrective actions, and any investment requests tied to improving defenses.
Frequently Asked Questions
How quickly should the board be notified of a cyber incident?
For material incidents involving data breaches, ransomware, or regulatory implications, notify within 24 hours. SEC rules require disclosure of material cybersecurity incidents within four business days on Form 8-K, making timely board awareness essential.
What is considered a "material" cyber incident for board notification?
An incident is material if it could reasonably affect the company's financial condition, operations, or reputation. This includes breaches involving customer PII, operational disruptions, regulatory exposure, potential litigation, or incidents likely to attract media attention.
Should the CISO present to the board directly?
Yes, for significant incidents. The CISO should present the facts, and the CRO or General Counsel should address business and legal implications. Having the CISO present directly demonstrates accountability and technical command.
What if the investigation is still ongoing when the board needs to be informed?
Be transparent about what is confirmed and what remains under investigation. Use phrases like "based on our analysis to date" and "subject to further investigation." Set the expectation for when more complete information will be available.
How do we handle board notification when the breach involves insider activity?
Involve HR and legal counsel before distributing the memo. Limit details about the suspected individual to what is necessary for the board to understand the scope. Ensure the investigation plan addresses evidence preservation and due process.