Cyber and tech in focus: strengthening audit committee oversight

Cyber threats are evolving fast - and so must oversight.

Join the EY Center for Board Matters on Wednesday, November 5, 2025, for another episode in our webcast series, Better Questions for Boards, designed to provide directors with insights and questions to consider as they engage with management on a variety of complex boardroom issues.

This webcast will unpack the latest developments in cybersecurity with insights from a CISO, a former CTO and chief AI officer, and an FBI official. The discussion will explore what audit committees need to know about emerging risks, AI and how audit committees can enhance cybersecurity oversight in today’s environment. Topics will include:

  • Inside the threat landscape: Hear from an FBI cyber expert on top cyber priorities, emerging attack trends and what’s next.
  • How companies are responding: Learn how seasoned cybersecurity and technology leaders are adapting to meet evolving threats and the rise of artificial intelligence - and what they say about how technology governance should evolve.

This CPE-eligible webcast will be 60 minutes. The discussion will be moderated by Patrick Niemann and Jennifer Lee from the EY Center for Board Matters. Panelists will include:

  • Brian DePersiis, EY Americas Cybersecurity Strategy Leader, Ernst & Young LLP
  • Brett Leatherman, Assistant Director for Cyber Operations, FBI
  • Minerva Tantoco, EY Center for Executive Leadership Advisor in Residence and a former Chief Technology Officer and Chief AI Officer
  • Adam Zoller, Chief Information Security Officer, CrowdStrike, and Board Director, AdventHealth

Key takeaways and actions to take

There has been a 37% increase in ransomware in 2025 compared with last year. Any internet-connected organization is a potential target and must secure its network perimeter. Here are some important steps management and the board can take to help prepare, mitigate and respond to a cybersecurity incident.

  • Verify that the management team has preestablished contacts and relationships in the local FBI field office. Proactively engage with the FBI to gain access to threat intelligence — this can include obtaining security briefings from the FBI.

  • Stay up to date on current cyber developments via www.ic3.gov and use this site to report compromises or contact your local FBI office to enable timely intelligence sharing and effective response. Create a formal incident response plan that includes FBI coordination and SEC reporting considerations. Establish a mutually created framework for restoring business operations while preserving evidence for an investigation.

  • Strengthen foundational practices like data protection, identity and patch management, and vulnerability mitigation. Align controls with enterprise risks and foster collaboration between cyber and audit teams.

  • Conduct regular tabletop exercises with communication plans for all stakeholders to build muscle memory around how to respond. These should be conducted at the tactical (monthly), executive (quarterly) and board (once or twice a year) levels. Use scenarios based on actual incidents within the organization and real threats to the organization. Clarify roles and review lessons learned.

  • Monitor emerging tech trends and their convergence to anticipate threats. Adversaries using AI are rapidly reducing breakout time, the time it takes for an adversary to start moving laterally across your network.

  • Build strong cyber teams by collaborating with academia and identifying internal talent. Promote continuous learning and human-centric leadership to retain top performers.

  • Align security budgets with organizational risk appetite and focus on outcome-driven investments. Balance innovation with risk management.

  • Use governance frameworks and formalize third-party risk assessments. Understand the technical and operational risks posed by third parties. Include third-party considerations in response plans.

  • Shift from reactive to proactive cybersecurity governance. Embed security across the business lifecycle and engage advisors to support board-level knowledge.

  • Conduct independent maturity assessments to build trust and transparency between CISOs and boards.
