4 minute read 16 Jul 2019

How to enhance cybersecurity risk oversight

In this replay of a Better Questions for Boards webcast, we discuss how board members can best set the tone for effective cybersecurity.

Ernst & Young LLP (EY) recently hosted its second annual national Cybersecurity Board Summit, bringing together board members representing a cross-section of industries, geographies and sizes for discussions on cybersecurity risk and oversight. This summit was the culmination of a series of six regional director dialogue dinners held on cybersecurity in recent months.

To help us explore some of the key takeaways from what we heard from more than 100 directors, we invited a panel of business leaders to discuss evolving leading practices, recent lessons learned and how boards can enhance cybersecurity risk oversight.

The panel, moderated by Steve Klemash, Americas Leader of the EY Center for Board Matters, included:

  • Larry Clinton: President and CEO, Internet Security Alliance
  • Kris Lovejoy: EY Global Cybersecurity Leader
  • Ellen Rinaldi: Board member, Main Line Health (retired Vanguard CSO and CISO)
  • Don Vieira: Partner, Skadden, Arps, Slate, Meagher & Flom LLP


In the discussion, panel members emphasized that preparing for all scenarios before they occur and even before products are built can prepare boards and enterprises to prevent and respond to cyber threats.

Larry Clinton, the President and CEO of Internet Security Alliance, said that risk is best conceptualized as a quantity.

Boards should consider how much money could be lost and the likelihood that a cyber risk could be realized.

Boards and enterprises can’t just conceive of an approach to cybersecurity; they must drill on their response to multiple types of crises, said Ellen Rinaldi, Main Line Health board member.

Cybersecurity must be built into the beginning of every product rather than layered on afterward, said EY’s Global Cybersecurity Leader, Kris Lovejoy, highlighting the concept of trust by design.

Finally, enterprises should build relationships with those who may be involved in a response, and prepare in a way that scales for their particular needs, said Don Vieira of Skadden, Arps, Slate, Meagher & Flom LLP.

What we heard from the audience

During the webcast, we also asked our audience polling questions. Here’s what they told us.


Key takeaways

  • Directors should set the tone that cybersecurity is a critical business issue; how much time and effort the board spends on cybersecurity signifies if it is a priority for the company.
  • Boards should ensure the cybersecurity risk management program (CRMP) is independently assessed by a third party and the third party should report back to the board.
  • Boards should confirm that the company’s new technology and business arrangements are designed with security in mind from the beginning by embracing a “Trust by Design” philosophy.
  • Boards need to understand the company’s value at risk in dollar terms.
  • Boards should be familiar with the company’s processes to identify, assess and manage third-party and supply chain risks.
  • No matter how secure a company is, a cybersecurity breach or incident is likely, so boards should have comprehensive knowledge of the company’s ability to respond and recover, which should include simulations and arranging protocols with third-party specialists before a crisis hits.
  • Boards should have a thorough understanding of the cybersecurity incident and breach escalation process and protocols within the organization including when the board should be notified.
  • Directors should stay attuned to evolving board and committee cybersecurity oversight practices and disclosures, including asking management for a review of the company’s cybersecurity disclosures over the last two to three years with peer benchmarking.

Cybersecurity is a business-critical issue that must be appropriately assessed by a third party. Boards and management must comprehensively understand how to prepare for, respond to and recover from attacks.

About this article

By EY Americas

Multidisciplinary professional services organization