How to Report Cybersecurity to the Board: Risk Metrics, Engagement, & Best Practices

Clear, engaging, and risk-focused cybersecurity reporting is more important than ever for banks and credit unions. In this panel, Taylor Wells hosts Lucas Hathaway (CRO @ Rivial Security) and Randy Lindbergh (CEO @ Rivial Security) for a lively, actionable discussion on effectively reporting cybersecurity to the board. They share insights on which metrics matter, why you should move beyond “high/medium/low” risk, how to keep reports digestible for non-technical board members, tips for auditor compliance, and practical ways to build board engagement. Whether you’re revamping your board reports or just want to ensure you’re communicating effectively, you’ll walk away with real strategies and plenty of examples. Timestamps: 00:00 – Intro, holiday vibes, and birthday surprise 02:04 – Panelist introductions & roles 03:49 – Why cybersecurity reporting to the board actually matters 06:03 – What and how much to report: Understand your audience 09:10 – Ideal board report length and frequency 11:03 – Balancing technical audit needs with board communication 13:00 – Guiding & training your board for better engagement 15:26 – Brevity vs. depth: One-pagers & risk narratives 17:32 – Top 3-5 cybersecurity metrics the board cares about most 22:44 – Real-world impacts: How reporting approaches change board relationships 24:14 – Consistency vs. variety: Should you have different report types? 26:43 – Aligning with FDIC, NCUA, and examiner requirements 28:34 – Why “high, medium, low” risk no longer cuts it 31:05 – How to express cyber risk in financial terms 36:33 – Overcoming cultural resistance to quantitative reporting 40:06 – Getting and coordinating the data you need 44:02 – Framing cybersecurity spend as ROI for the board 49:49 – Comparing your organization to peers—and why context matters 54:04 – Most common mistakes in board reports & dashboards 56:58 – Connect security controls to business impact 59:08 – Wrap up, meeting link, and goodbye Tags: cybersecurity, board reporting, risk management, credit unions, banks, financial institutions, board of directors, executive communication, cybersecurity metrics, risk quantification, regulatory compliance, FDIC, NCUA, Rivial Security, cybersecurity best practices, CISO, risk reporting, cyber risk, information security, board engagement, executive dashboard