Cyber Risk Executive Charter

The [CUSTOMIZE: Board of Directors / CEO] hereby appoints [CUSTOMIZE: Name] as the [CUSTOMIZE: CISO / Head of Cyber Risk] with executive accountability for [ORGANIZATION]'s cyber risk management program, effective [CUSTOMIZE: date].

The [CUSTOMIZE: CISO] reports directly to [CUSTOMIZE: CEO / CRO / CIO] with a dotted reporting line to the [CUSTOMIZE: Board Risk Committee / Board Audit Committee] for matters of cyber risk governance.

The [CUSTOMIZE: CISO] has the authority to establish cyber risk policies, standards, and procedures; define security requirements for technology initiatives; escalate material risks to executive leadership and the Board; and recommend resource allocation for cyber risk management.

Develop, maintain, and execute the Cyber Risk Strategy in alignment with the enterprise business and technology strategies

Establish, maintain, and govern the Cyber Risk Framework including all component policies, standards, roles, and processes

Maintain awareness of current and emerging cyber threats relevant to [ORGANIZATION] and ensure the framework addresses the evolving threat landscape

Provide regular reporting to the [CUSTOMIZE: Executive Committee] and [CUSTOMIZE: Board Risk Committee] on cyber risk posture, program performance, and significant incidents

Ensure [ORGANIZATION] maintains compliance with all applicable cybersecurity laws, regulations, and contractual obligations

Lead the organization's cyber incident response capability and serve as the executive point of contact for significant cyber events

Drive cyber risk awareness and education at the executive and Board level, including regular briefings, scenario exercises, and training

The [CUSTOMIZE: CISO] shall provide formal briefings to the [CUSTOMIZE: Board Risk Committee] at least [CUSTOMIZE: quarterly], covering: current risk posture and trending, significant incidents and near-misses, regulatory developments, program performance, and emerging threats.

The [CUSTOMIZE: CISO] shall facilitate at least [CUSTOMIZE: one annual] cyber risk tabletop exercise or simulation with executive and/or Board participation.

The [CUSTOMIZE: CISO] shall have direct access to the [CUSTOMIZE: Board Chair / Risk Committee Chair] for escalation of material cyber risk matters that require immediate Board attention.

The [CUSTOMIZE: CISO] shall provide ad hoc briefings as needed following significant cyber incidents, regulatory changes, or emerging threat developments.

The [CUSTOMIZE: CISO] has budgetary authority over the cyber risk program budget of [CUSTOMIZE: $X,XXX,XXX] for [CUSTOMIZE: current fiscal year].

The [CUSTOMIZE: CISO] may request additional resources through the established budget process when risk assessments identify unacceptable gaps in capability.

The [CUSTOMIZE: CISO] has the authority to engage external resources (consultants, managed service providers, incident response firms) within the approved budget and procurement policies.

The [CUSTOMIZE: CISO] may invoke emergency spending authority up to [CUSTOMIZE: $XX,XXX] for incident response activities, with subsequent approval from [CUSTOMIZE: CFO/CEO] within [CUSTOMIZE: 5 business days].

This charter shall be reviewed at least [CUSTOMIZE: annually] by the [CUSTOMIZE: Board Risk Committee / CEO] and updated as needed to reflect changes in organizational structure, regulatory requirements, or risk management needs.

The performance of the [CUSTOMIZE: CISO] against this charter shall be evaluated annually as part of the executive performance review process.

This charter is approved by [CUSTOMIZE: Board of Directors / CEO] on [CUSTOMIZE: date].