Board Reporting Pack

Monthly Report - 1/12/2026

Executive Summary
Overall Risk Posture: STABLE

Top 5 Risks

1. Third-Party Vendor Data Breach Risk | Rating: HIGH | Trend: increasing
   Status: In Progress - Enhanced monitoring implemented

2. Ransomware Attack Surface | Rating: HIGH | Trend: stable
   Status: Controls in place, testing scheduled Q2

3. Legacy System End-of-Life | Rating: MEDIUM | Trend: increasing
   Status: Migration plan approved, funding pending

4. Insider Threat - Privileged Access | Rating: MEDIUM | Trend: stable
   Status: PAM solution deployed, monitoring active

5. Regulatory Compliance Gaps | Rating: MEDIUM | Trend: decreasing
   Status: Remediation 75% complete, on track

Top 5 Actions

1. Complete SOC 2 Type II Audit | Status: ON-TRACK | Priority: high
   Owner: Sarah Chen, CISO | Due: 2/15/2025

2. Deploy MFA for All Critical Systems | Status: AT-RISK | Priority: critical
   Owner: IT Security Team | Due: 1/31/2025

3. Annual BCP Testing Exercise | Status: ON-TRACK | Priority: high
   Owner: Operations | Due: 3/1/2025

4. Vendor Risk Reassessment (Critical Tier) | Status: OVERDUE | Priority: critical
   Owner: Vendor Risk Manager | Due: 2/28/2025

5. Security Awareness Training Rollout | Status: COMPLETE | Priority: medium
   Owner: HR & Security | Due: 1/20/2025

Key Highlights

  • Zero critical security incidents this period
  • Phishing simulation click rate decreased 15% (improvement)
  • 3 new critical vendors onboarded with full due diligence
  • Completed 12 of 15 planned audit remediation items
  • Board-approved cybersecurity budget increase for Q2

Key Risk Indicators & KPIs
Trending metrics and performance indicators

Risk Posture Score: 72 | Previous: 75 | Target: 80
Security Incidents: 3 | Previous period: 5 incidents
Phishing Click Rate: 8.5% | Previous: 10% (Lower is better)
Vendor Reviews: 85% | Target: 100% completion
Open Audit Findings: 7 | Previous: 12 findings
Decisions Requested
Items requiring board action or approval

Budget Approval for EDR Platform Upgrade | Priority: HIGH | Type: FUNDING | Date: 2/1/2025

Current endpoint protection reaching end-of-life. Upgrade required to maintain security posture and compliance.

Recommendation: Approve $125,000 for CrowdStrike Falcon Complete deployment

Financial Impact: $125,000

Accept Residual Risk - Legacy Loan System | Priority: MEDIUM | Type: RISK ACCEPTANCE

Legacy system cannot support modern authentication. Compensating controls in place (network segmentation, enhanced monitoring).

Recommendation: Accept residual risk for 12 months with quarterly reviews

Updated Remote Work Security Policy | Priority: MEDIUM | Type: POLICY APPROVAL | Date: 2/15/2025

Policy revisions to address hybrid work environment and BYOD considerations.

Recommendation: Approve updated policy effective March 1, 2025

Progress Against Annual Plan
Status of key initiatives and milestones

Risk Assessment: Annual Enterprise Risk Assessment
Status: IN PROGRESS | Target: 6/30/2025 | Completion: 35%
Risk identification complete, impact analysis in progress

BCP Testing: Tabletop Exercise - Core System Outage
Status: IN PROGRESS | Target: 3/1/2025 | Completion: 60%
Scenario developed, participants confirmed

Training: Annual Security Awareness Training
Status: AT RISK | Target: 1/31/2025 | Completion: 72%
28% of staff not yet completed, follow-up emails sent

Audit: Remediate Prior Year Audit Findings
Status: IN PROGRESS | Target: 3/31/2025 | Completion: 80%
12 of 15 findings closed, 3 in final validation

Compliance: FFIEC CAT Self-Assessment
Status: NOT STARTED | Target: 12/31/2025 | Completion: 0%
Scheduled to begin Q2