The Role of Risk Management

Risk managers have a key role to play in protecting companies from increasing cybersecurity and data risks introduced by AI. First, companies must conduct thorough risk assessments. “Begin by evaluating the potential risks associated with AI technologies within the organization,” said Rom Hendler, CEO and co-founder of cybersecurity firm Trustifi. “Identify the AI systems in use, the data they process, and the potential threat vectors. Assess the existing security measures and identify gaps that need to be addressed.”

Another important step is to implement robust data governance by developing comprehensive policies and procedures to ensure the secure collection, storage and processing of data. Companies should encrypt sensitive data, implement access controls and regularly audit data handling practices. They should also promote a culture of security awareness, emphasizing best practices for data handling, recognizing social engineering techniques and reporting potential vulnerabilities. Data minimization strategies are also critical to reduce the potential impact of breaches. The more data a company has, the more data can be stolen, potentially resulting in bigger ransomware demands and fines from data regulators around the world.

Establishing an AI data governance framework may not be as difficult as it sounds. Many companies probably already have the governance and control infrastructure in place to address several key emerging AI risks—they just may not be aware of it. “Some key AI risks look very similar to already known cybersecurity risks and companies can calibrate their technical and organizational measures to account for variations on the theme,” said Brock Dahl, partner and head of U.S. fintech at law firm Freshfields.

He advised companies to build on current cybersecurity risk governance frameworks while continuing to ensure they remain flexible and adaptable. Organizations should question whether the use of new technology is integral to their assets and activities and if there are any features of this technology that present familiar governance challenges, or introduce new ones.

“In the age of rapid innovation, the key is not simply to keep pace with each new development, but to take a step back and ensure the organization’s risk management architecture is geared toward absorbing constant flux,” he said. “There will be surprises, but the goal of the risk management enterprise is to create a robust mitigation capability for when those surprises emerge, while also limiting surprise to the greatest degree possible.”

However, risk managers need to be aware of other risks that may be more specific to AI. For example, in inversion attacks, hackers try to determine personal information about a data subject by poring over the outputs of a machine learning model. In data poisoning cases, malicious actors input incorrect information to skew results. Even if the necessary controls look similar to existing governance measures, these risks will require specialized mitigation approaches.

It is also critical to monitor the development of AI, data and cybersecurity regulation. Since the use of chatbots in business is still relatively new, current rules can be vague.

“We are seeing steps toward AI-specific legislation in various jurisdictions around the world,” said Sarah Pearce, partner at law firm Hunton Andrews Kurth. “By far the most advanced of these is the European Union’s AI Act, which is going through its final phases before coming into force. Certain aspects of the proposed legislation will undoubtedly require clarification in due course. The definition of AI itself, for example, will likely pose issues as to interpretation and, ultimately, in identifying which technologies are subject to the act’s requirements.”

Risk managers should make a dedicated effort to foster collaboration across the organization, engaging cybersecurity experts, AI specialists, and legal and compliance teams so there is a shared understanding of AI-related risks and appropriate safeguards. According to David L. Schwed, cybersecurity professor and practitioner-in-residence at Yeshiva University’s Katz School of Science and Health, risk managers should align themselves with cybersecurity professionals who understand these unique attack vectors to establish strong controls. “Controls that were good enough last week may not be good enough this week,” he said. “Given the advancement of AI-related and broader cyberrisks, the ‘rinse-and-repeat’ mindset will not work in this new world.”

Source:

https://www.rmmagazine.com/articles/article/2023/08/01/managing-data-security-risks-of-ai-technology