The Annual Board Report: Is Your 2025 Plan Ready?

We are halfway through the year. For the Qualified Individual, this is the time to start gathering data for the mandatory Annual Report to the Board. If you wait until December, you will not have time to fix the gaps you find.

What the Law Requires

16 CFR 314.4(i) is explicit. Your Qualified Individual must “report in writing, regularly and at least annually, to your board of directors or equivalent governing body.” If no board exists, the report goes to a senior officer responsible for the information security program.

The report must include:

1. The overall status of the information security program and your compliance with Part 314.

2. Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the information security program.

This is not optional, and it is not a formality. The FTC specified the content because they want evidence of governance, not a rubber stamp.

The Small Business Exemption

There is one exception. Under 16 CFR 314.6, financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from the annual board report requirement (along with exemptions from 314.4(b)(1), (d)(2), and (h)). If your dealership handles fewer than 5,000 customer records, the board report is not legally mandated. However, if you are anywhere near that threshold, document your consumer count methodology carefully. And even if exempt, producing an annual security summary for ownership is still a best practice that demonstrates governance maturity.

The Mid-Year Audit: Why It Matters Now

The FTC does not just want to see a report; they want to see progress. If your end-of-year report says “we found 50 problems and fixed zero of them,” you are handing the FTC a roadmap for your own enforcement action. Use the next six months to turn findings into fixes.

Take a hard look at your program today:

1. Risk Assessment Currency: Has your network changed since January? Did you add a new cloud service, change CRM providers, or open a new location? If so, your risk assessment is out of date. The annual report and the annual risk assessment are directly linked; the report should reflect the current risk landscape, not the one from last January.

2. Training Progress: What percentage of your staff has completed their 2025 security awareness training? If it is under 90%, you have work to do. Track completion rates by department and role.

3. Vulnerability Remediation: Have you remediated the High and Critical issues found in your Q1 and Q2 scans? Track mean-time-to-remediate (MTTR) as a KPI. Critical findings should be remediated within 15 days; High within 30.

4. Incident Review: Have there been any security events, even minor ones? Phishing attempts that got through filters, unauthorized access attempts, lost devices? These must be documented and included in the board report.

What Triggers a Report Between Annual Cycles

The rule says “regularly and at least annually.” Material changes to your information security program can trigger the need for an interim report to the board. Examples include: a significant security incident, a major vendor change (like migrating DMS providers), discovery of a critical vulnerability, regulatory changes, or the departure of key security personnel. Do not wait for December if something material happens in July.

What FTC Auditors Look For

An FTC auditor reviewing your board report will evaluate:

  • Specificity: Does the report cite actual findings, metrics, and evidence? Or is it generic boilerplate that could apply to any business?
  • Action Items: Are there documented recommendations from the QI, and has the board acknowledged or acted on them?
  • Board Engagement: Is there evidence the board actually reviewed the report? Meeting minutes, sign-off sheets, or documented questions from board members all demonstrate governance.
  • Continuity: Does this year’s report reference last year’s findings and show progress? A board report that exists in isolation, with no connection to prior assessments, suggests a checkbox exercise.

The Rubber Stamp vs. Real Governance

A rubber-stamp report looks like this: “Our security program is in good standing. No material incidents occurred. We recommend continued investment in security.” That is three sentences of nothing.

A governance-quality report looks like this: “We completed our annual risk assessment in Q1, identifying 23 findings across four risk categories. As of this report, 18 have been remediated, 3 are in progress with target dates, and 2 have been accepted with documented risk acceptance rationale. Our phishing simulation click rate dropped from 28% in January to 9% in June. We onboarded two new vendors this year; both completed security assessments before contract execution.”

The difference is evidence, specificity, and demonstrated progress.

Key Performance Indicators for Your Mid-Year Review

Track these KPIs throughout the year so your annual report writes itself:

  • Vulnerability Remediation Rate: Percentage of Critical/High findings closed within SLA
  • Mean Time to Remediate (MTTR): Average days from discovery to fix, by severity
  • Phishing Simulation Click Rate: Monthly trend, broken down by department
  • Training Completion Rate: Percentage of staff current on security awareness training
  • Vendor Assessment Status: Number of critical/high vendors assessed on schedule
  • Incident Count and Response Time: Number of security events and average response time
  • MFA Coverage: Percentage of systems and users with MFA enabled
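As an added example (not part of the original article), the Python below computes the first two KPIs above, the share of Critical/High findings closed within the 15-day/30-day SLA from the Vulnerability Remediation item and MTTR by severity, from a constructed list of scan findings; the finding IDs, dates and the 30 June report date are hypothetical sample data. Open findings that have already passed their SLA are counted as overdue rather than ignored, which is the number a governance-quality report should show.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# SLA targets from the article: Critical remediated within 15 days, High within 30.
SLA_DAYS = {"Critical": 15, "High": 30}

@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None while the finding is still open

def remediation_kpis(findings, as_of):
    """Per severity: total, closed, MTTR in days, % within SLA, and overdue open findings.
    The within-SLA percentage uses every finding of that severity as denominator, so an
    open finding that has already blown its SLA counts against the number."""
    kpis = {}
    for sev, sla in SLA_DAYS.items():
        subset = [f for f in findings if f.severity == sev]
        closed = [f for f in subset if f.remediated is not None]
        durations = [(f.remediated - f.discovered).days for f in closed]
        within_sla = sum(1 for d in durations if d <= sla)
        overdue = sum(1 for f in subset
                      if f.remediated is None and (as_of - f.discovered).days > sla)
        kpis[sev] = {
            "total": len(subset),
            "closed": len(closed),
            "mttr_days": round(sum(durations) / len(durations), 1) if durations else None,
            "within_sla_pct": round(100 * within_sla / len(subset), 1) if subset else None,
            "overdue_open": overdue,
        }
    return kpis

# Constructed sample findings (hypothetical IDs and dates) for a 30 June mid-year review.
AS_OF = date(2025, 6, 30)
SAMPLE_FINDINGS = [
    Finding("C-1", "Critical", date(2025, 2, 3), date(2025, 2, 12)),  # 9 days, in SLA
    Finding("C-2", "Critical", date(2025, 3, 10), date(2025, 4, 2)),  # 23 days, missed
    Finding("C-3", "Critical", date(2025, 6, 20), None),              # open, 10 days old
    Finding("H-1", "High", date(2025, 2, 3), date(2025, 2, 25)),      # 22 days, in SLA
    Finding("H-2", "High", date(2025, 4, 1), None),                   # open 90 days: overdue
    Finding("H-3", "High", date(2025, 5, 5), date(2025, 5, 30)),      # 25 days, in SLA
]

def sample_kpis():
    return remediation_kpis(SAMPLE_FINDINGS, AS_OF)
```

Feeding the real scan export into `remediation_kpis` gives the per-severity figures the report can cite directly, and the `overdue_open` count is the line item the board should be asked about.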

Presenting to a Non-Technical Board

Board members do not speak CVSS scores. Translate technical findings into business terms: financial exposure, operational disruption, and regulatory risk. Instead of “we have 12 critical vulnerabilities with CVSS scores above 9.0,” say “we have 12 security gaps that, if exploited, could result in a data breach affecting customer financial records, triggering mandatory FTC notification and potential enforcement action.”

Use simple risk categories: what could shut down operations, what could expose customer data, what could trigger regulatory penalties. The board needs to understand impact and required investment, not technical details.

What Happens If You Cannot Produce the Report

If the FTC requests your annual board report during an audit and you cannot produce it, you have a documented compliance failure. There is no workaround. The absence of the report is, by itself, a violation of 16 CFR 314.4(i). It also signals to auditors that your governance structure is weak, which invites deeper scrutiny of every other element of your program.

Start gathering your data now. Six months of preparation beats six days of panic.

Scott Sailors
https://www.hiredhackers.com
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, and CRISC certifications and Master's and Bachelor's degrees in Cybersecurity, with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.