Witness testimony for the Senate hearing is available online: https://www.energy.senate.gov/public/index.cfm/2020/8/full-committee-hearing-to-examine-federal-and-industry-efforts-to-improve-cybersecurity-for-the-energy-sector
It is a well-known fact that compliance with the NERC CIP standards does not equate to best practice in cybersecurity protection. Cybersecurity risk extends well beyond the reliability concerns that guide NERC's efforts. Real risk management is a business practice that addresses factors far beyond reliability, such as recovery costs and damage to reputation, which the Board of Directors (BoD) and executive-level management also need to consider. The cost of an intrusion can run into millions of dollars and cause significant damage to reputation and goodwill, whereas a compliance fine may only cost thousands of dollars. A wise business person will address the real risks that a cybersecurity event can pose to an organization and implement risk management controls as part of their business practices and continuity plans.