Board Crisis Briefing Template

Your CEO just asked "brief the board in 2 hours." Use this slide deck template. Covers everything directors need to know, nothing they don't.

8 Essential Slides | 15-Min Presentation | C-Suite Ready

Crisis Communications Consultants Charge $15K-$50K for This

You're getting it for free. Customize the template in PowerPoint or Google Slides. Present with confidence.

Available in PowerPoint (.pptx) and Google Slides formats

Presentation Guide: What the Board Needs

✓ Do This

  • Lead with business impact, not technical details
  • Provide clear timelines and next steps
  • Quantify financial exposure (costs + fines)
  • Acknowledge what you don't know yet
  • Show accountability and an action plan
  • Keep slides text-light, visual-heavy

✗ Don't Do This

  • Drown them in technical jargon
  • Minimize the severity or take a defensive posture
  • Speculate on root cause before the investigation is complete
  • Blame individuals or third parties publicly
  • Present without legal counsel review
  • Read slides verbatim (know your material)

Presentation Flow (15 Minutes)

Slides 1-2: Executive Summary + Timeline (3 min)
Slides 3-4: Scope & Regulatory (4 min)
Slides 5-6: Financial & Remediation (4 min)
Slide 7: Next Steps (2 min)
Slide 8: Q&A (Reserve time)

Slide 1: Executive Summary

CONFIDENTIAL - BOARD BRIEFING

[Company Name] Security Incident

Board of Directors Briefing

Discovery Date: [Date]
Records Affected: [Number] individuals
Data Types: [PII/PHI/Financial]
Current Status: [Contained/Investigating]

One-Line Summary: [On DATE, we discovered unauthorized access to SYSTEM affecting NUMBER individuals. We immediately contained the incident and engaged external experts. This briefing covers scope, regulatory obligations, financial impact, and next steps.]

Presenter Notes: Open with impact, not technical details. Set the tone: serious but controlled. The one-liner should answer "what happened" in plain English.

Slide 2: Timeline of Events

Incident Timeline

[Date] - Breach Occurs (Estimated)

Attacker gains initial access via [vector]. Investigation ongoing to determine exact entry point.

[Date Time] - Discovery

[Security team/Third party/Customer] detected suspicious activity in [system].

[Date Time] - Containment

Affected systems isolated. Incident response team activated. External IR firm [Name] engaged.

[Date] - Investigation Begins

Forensic analysis initiated. Legal counsel notified. Cyber insurance carrier contacted.

[Date] - Board Notification

This briefing. Estimated scope determined. Notification strategy prepared.

Presenter Notes: Show decisive action at each stage. "Within X hours" language demonstrates speed. If the timeline has gaps, acknowledge them and explain that the investigation is ongoing.

Slide 3: Scope & Impact Assessment

What We Know (and Don't Know)

✓ Confirmed

  • Systems Affected: [Database/Email/Network]
  • Data Types: [Names, emails, addresses, SSN, etc.]
  • Individuals Affected: [Number or range]
  • Geographic Scope: [US only/EU/Global]
  • Attack Vector: [Ransomware/Phishing/Exploit]

? Under Investigation

  • Initial Access Method: Forensics ongoing
  • Dwell Time: Estimated [X] days, confirming
  • Data Exfiltration: Evidence of download, analyzing scope
  • Attacker Identity: Threat intelligence analysis underway
  • Additional Systems: Comprehensive scan in progress

Key Point for Directors

This is our current best assessment based on [X days] of investigation. We expect the scope to be refined as forensic analysis continues. We are updating this assessment every [24 hours] and will notify the board of material changes.

Slide 4: Regulatory Obligations & Timeline

Compliance Deadlines

Regulation        | Deadline                                  | Status      | Potential Penalty
GDPR (EU)         | [Date] (72 hours)                         | In Progress | €[X]M - €[Y]M
HIPAA (HHS)       | [Date] (60 days)                          | On Track    | $[X]K - $[Y]M
State Laws (US)   | [Date] (varies)                           | On Track    | $[X]K - $[Y]K
SEC (if material) | 4 days from materiality determination     | Evaluating  | Reputational + litigation risk

Individual Notification

Customer notification drafted and under legal review. Will be sent by [Date] via [email/mail]. Offering [12 months] credit monitoring.

Media Notification

[Required/Not Required] under HIPAA. Media holding statement prepared. No proactive outreach unless legally required or breach becomes public.

Slide 5: Financial Impact

Estimated Costs & Insurance Coverage

Direct Response Costs

  • IR Firm / Forensics: $[XXX]K - $[XXX]K
  • Legal Counsel: $[XXX]K - $[XXX]K
  • Customer Notification: $[XXX]K
  • Credit Monitoring (12 mo): $[XXX]K
  • PR / Crisis Comms: $[XX]K - $[XXX]K
  • Subtotal: $[X]M - $[Y]M

Regulatory & Business Impact

  • Regulatory Fines (est.): $[XXX]K - $[X]M
  • Lost Business (churn): $[XXX]K - $[X]M
  • System Downtime: $[XX]K
  • Litigation (potential): $[XXX]K - $[X]M
  • Brand/Reputation: TBD
  • Subtotal: $[X]M - $[Y]M

Total Estimated Cost Range: $[X]M - $[Y]M
Cyber Insurance Coverage: $[X]M limit / $[XX]K deductible
Estimated Net Cost to Company: $[XXX]K - $[X]M

Presenter Notes: These are preliminary estimates. Insurance may not cover regulatory fines or certain legal costs. Lost business is the hardest to quantify but potentially the largest impact.

Slide 6: Remediation Actions

What We've Done & What We're Doing

✓ Completed

  • Isolated affected systems to prevent spread
  • Engaged [IR Firm Name] for forensic investigation
  • Reset all admin and service account credentials
  • Notified cyber insurance carrier and legal counsel
  • Established 24/7 incident response war room
  • Preserved all logs and evidence for investigation

→ In Progress / Planned

  • Complete forensic root cause analysis (ETA: [Date])
  • Patch exploited vulnerability and deploy fixes
  • Send customer notifications by [Date]
  • Deploy enhanced monitoring and detection tools
  • Conduct third-party security assessment
  • Implement mandatory MFA for all systems

Slide 7: Next Steps & Timeline

What Happens Next

Next 48 Hours (Critical)

  • Complete forensic scope assessment
  • Finalize regulatory notifications (GDPR 72-hour deadline)
  • Begin customer notification process
  • Daily board updates via email

Week 1-2

  • Customer support hotline operational
  • Credit monitoring enrollment begins
  • Complete root cause analysis and remediation
  • Weekly board briefings

Month 1-3

  • Regulatory filings completed
  • Post-incident review and lessons learned
  • Security improvements deployed
  • Monitor for litigation

Month 3+

  • Third-party security audit
  • Update incident response plan
  • Enhanced security posture verification
  • Return to normal operations

Slide 8: Questions & Answers

Anticipated Board Questions & Prepared Responses

Q: How did this happen?

A: "Based on preliminary forensics, the attacker gained access via [attack vector]. The investigation is ongoing to determine if there were vulnerabilities in our defenses. We'll have a complete root cause analysis by [Date]."

Q: Could this have been prevented?

A: "We had [security measures] in place, but clearly they were insufficient against this attack. We're implementing [additional measures] to prevent recurrence. The post-incident review will identify specific failures and corrective actions."

Q: Is this a material event requiring SEC disclosure?

A: "We're evaluating materiality with legal counsel. If the incident meets the 4-day disclosure threshold, we'll file Form 8-K. Current assessment: [material/not material] based on [financial impact/business disruption/competitive harm]."

Q: What are we doing to prevent this from happening again?

A: "Short-term: [Specific technical fixes]. Long-term: [Strategic security investments, third-party audit, enhanced monitoring]. We're also reviewing our incident response capabilities and plan to conduct quarterly tabletop exercises."

Q: Should we disclose this publicly before we're required to?

A: "We've consulted with legal counsel and PR advisors. Current recommendation: [Comply with legal deadlines but no proactive disclosure / Proactive disclosure to control narrative]. Rationale: [Brief explanation]. Open to board guidance."

Q: How does this compare to industry breaches?

A: "Similar breaches in [industry] have cost $[X]M-$[Y]M on average. Our current estimate of $[Z]M is [within/below/above] industry norms. [Notable comparison if relevant]."

Presenter Notes: Know these answers cold. Don't speculate. If you don't know, say "we're investigating and will update you by [date]." Never say "no big deal."

Frequently Asked Questions

What should I tell the board about a data breach?

Tell the board: what happened, when you discovered it, how many people/systems are affected, what data was involved, regulatory implications, financial impact, actions taken, next steps, and timeline. Be factual, concise, and focus on business impact.

How soon should I brief the board after a breach?

Notify the board within 24-48 hours of discovery for material breaches. Provide initial facts immediately, then a detailed briefing within 72 hours. Board oversight is required for regulatory compliance and fiduciary duty.

What questions will the board ask about a breach?

Expect questions about: total cost, regulatory fines, insurance coverage, customer impact, litigation risk, how it happened, why defenses failed, prevention measures, and whether this is a material event requiring SEC disclosure.