EY - Cybersecurity: three lines of defense

EY Financial Services webcast

Cyber regulation and risk management for financial institutions

The digital world is rapidly changing with expanding opportunities for innovation. Unfortunately, because of complex and unintended consequences from interconnectivity, issues are starting to emerge.

Organizations have no choice but to operate in this evolving environment, so inevitably there is a growing focus within governments, regulators and the media on what is going wrong where cyberspace meets the physical world.

With continued and growing cyber threats to financial institutions, regulators have reached the conclusion that to properly address cybersecurity, firms need to view it as an enterprise-wide risk management challenge, and not simply an IT issue.

Join us for a discussion on cybersecurity and learn about developments in its regulation and risk management, including:

  • Enterprise-wide cyber risk management
  • Three lines of defense approach to cybersecurity
  • Embedding cyber risk into a firm's risk management and risk appetite framework
  • Building cybersecurity into vendor management, stress testing, strategic planning and other management processes


John Doherty


John Doherty is a partner in Ernst & Young LLP’s Information Technology Advisory practice with more than 25 years of experience in the financial services industry managing information technology (IT) matters for international companies. He has extensive experience in IT risk management, information security, privacy, regulatory compliance, IT governance, technology operations, and project management. John is also the EY Global leader of IT Risk Management.

John leverages advanced skills in business, accounting, and technology to bring valuable experience to approaching information security, compliance, and other technology projects from a business perspective. He has managed and overseen various Global and US Bank Holding Companies, global systemically important banks (G-SIB), and global systemically important insurers (GSII) initiatives. He executed many regulatory and risk management engagements for broker dealers, investment banks, and banks and their subsidiary companies and has been involved in assisting clients in their regulatory and industry compliance and control issues.

Jaime Kahan


Jaime Kahan is a Principal at Ernst & Young LLP, where she leads the Wealth and Asset Management Information Technology Risk and Control practice. She has been with the firm for more than 15 years, advising major clients in the following sectors: asset management, private equity, hedge fund, investment manager, banking and capital markets, and broker–dealer.

Jaime is a member of the Information System Audits and Control Association, a Certified Information System Auditor, a Certified Information Security Manager, and she is also certified in Risk and Information System Controls (CRISC). Jaime leads EY training classes related to cybersecurity, information technology general controls, audit methodology, and service organization controls reporting. In addition, she frequently speaks about cybersecurity at industry conferences and has published several pieces of thought leadership.

Jaime graduated with honors from Binghamton University with a degree in Management Information Systems and Marketing. She earned an MBA in Finance from New York University.

Chris Kipphut


Chris Kipphut is a Principal in Ernst & Young LLP’s Cyber Security practice, responsible for leading Banking and Capital Markets for the Americas. He has more than 15 years’ experience in delivery of professional assurance and advisory services across public and private sectors, with significant international experience, including 8+ years based in London responsible for the management and operation of the Cyber Security practice of the EY member firm in the UK. Chris qualified as a Certified Information Systems Auditor (CISA) in 2004 and a Certified Information Systems Security Professional (CISSP) in 2005.

Mark Watson


Mark Watson is an Executive Director in the Ernst & Young LLP Financial Services advisory practice. His main area of focus is risk governance, including corporate governance, risk culture, risk accountability and risk oversight. He has over 20 years of experience in financial services, working globally on banking and insurance. Since joining the firm, Mark has focused on working with the EY Global Regulatory Network in engaging regulators on cybersecurity and emerging trends, notably in risk, compliance and insurance regulation. He also led the EY Global Risk Governance 2020 initiative, including developing integrated approaches to risk governance, an approach to realigning the three-line-of-defense model with new regulatory thinking and addressing nonfinancial risks (e.g., conduct, operational risk), and the future of internal audit. Mark was also part of the Ernst & Young LLP leadership team for the integrated cyber risk management offering, with a strong focus on board, second-line (risk and compliance) and third-line roles and approaches in cyber risks.

Mark is a board member of the Concord Education Fund and Institute of Nonprofit Management and Leadership.


Tom Campanile


Tom Campanile is a Partner in the Financial Services Office of Ernst & Young LLP. He has more than 20 years of experience in providing a broad range of business and risk advisory services to a number of clients in the banking and capital markets, insurance and asset management sectors. Tom has extensive knowledge of front-office, compliance, operational and enterprise risk management leading practices in banking, as well as deep experience in applying these practices to banking, insurance and capital markets products and processes.