Thought for the week: Five Eyes call to action for business leaders on AI
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.
Last week, the cybersecurity agencies of the Five Eyes released a statement, "The AI shift in cyber risk: Why leaders must act now." For reference, the Five Eyes is an intelligence-sharing alliance established after World War II among Australia, Canada, New Zealand, the U.K. and the U.S.
The Five Eyes statement is a call to action for business leaders on the cyber risk associated with frontier artificial intelligence models, and it urges them to "act swiftly to remain ahead." There are plenty of provisions worth a close read, particularly the call to action itself:
"While AI will help us improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats.
Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.
In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value. We urge leaders to:
Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage."
My expectation is that company information security teams are already engaged in enhancing security controls and the overall security program in response to AI cyber risks and opportunities. Business and legal/compliance leaders should also focus on the Five Eyes admonition that these issues require a "whole-of-organization" response. Several of the key elements that should be addressed from a legal, compliance and business perspective include the following:
Recognize the 'goal posts' for cyber legal standards are moving in light of AI
Many data and cyber legal requirements are set on a sliding scale of "reasonable," "appropriate" or similar standards. It is important to recognize that the goal posts are moving as to what satisfies such standards in light of AI, both because the offensive threat is increasing and because the defensive tools are getting better. Companies will have a generalized legal duty to enhance their security policies, procedures and controls, and should be prepared to rebalance the trade-offs between business convenience and cybersecurity.
Green light requests for more resources on information security
When information security teams ask the chief financial officer and senior leaders for additional resources to accelerate patching, enhance real-time monitoring, strengthen identity and access controls, and the like, leaders should seriously consider those requests and green-light them wherever reasonably possible.
We recently had a matter where the CISO had implemented, a few months before the attack, additional data loss prevention controls with more blacklisted external sites, which directly blunted the threat actors' efforts to exfiltrate company data. It is a good lesson in the benefits of frequently revisiting cyber controls.
Accelerate plans to sunset legacy systems and reduce attack surface, particularly in a post-acquisition context
The ability of threat actors to use frontier AI models for vulnerability scanning, and to rapidly exploit any vulnerabilities they find, poses particular risk for legacy systems and unsupported attack surfaces. This can be especially acute in a post-acquisition context, where threat actors know that a transaction has occurred. They can scan for vulnerabilities in the target's assets and exploit them to gain access to the target, and then move laterally into the acquiring entity. Accelerated timelines for integration and decommissioning can reduce these risks.
Reassess third-party contracting and risk
Companies would do well to reevaluate their standard customer terms, both on substantive security standards and on notice obligations, as well as their terms with vendors and supply chain providers. On the latter, it will be useful not only to evaluate the contractual terms but also to challenge the scope of vendor access and the security controls applied to it.
For example, a recent supply chain attack focused on an AI integration vendor. The threat actor gained access to the AI vendor's environment via a legacy, but still valid, password. From there, the threat actor leveraged the AI vendor's access rights to its customers' data held in a third-party CRM environment and exfiltrated substantial amounts of the customers' data.
If you are one of the impacted AI vendor customers, how would you protect against this going forward? First, ask whether the AI vendor should get access to all of that CRM data at all. If it needs some of it, start thinking about enhanced monitoring of the vendor's activity, and perhaps even restricting the vendor's access to scheduled windows rather than leaving broad, standing access rights in place. All of this will require a "whole of organization" approach, including involving the relevant business units in the reassessment and oversight.
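As an added illustration of what "scoped, scheduled and monitored" vendor access can look like in practice, the following Python example is not code from the article or from any vendor it describes. It checks a third-party integration's CRM access events against a narrow, time-boxed grant and flags reads outside it, then runs the same events against a broad standing grant to show that over-broad access makes an exfiltration look like normal traffic. The vendor name, CRM object and field names, grant parameters and log lines are all constructed assumptions.

```python
"""Added illustration, not code from the article or from any vendor named
in it: check a third-party integration's CRM access events against a
narrow, scheduled grant so that over-broad or out-of-window reads stand
out. Object names, field names and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import json


@dataclass(frozen=True)
class VendorGrant:
    """The access the business unit actually agreed to give the integration."""
    vendor: str
    allowed_objects: frozenset   # CRM object types the integration may read
    denied_fields: frozenset     # sensitive fields it never needs
    window_start: time           # daily sync window (UTC) agreed with the business
    window_end: time
    allowed_days: frozenset      # weekdays (0 = Monday) on which the sync is scheduled
    max_rows_per_call: int       # ceiling on rows returned per API call


# Hypothetical narrow grant for a support-ticket AI assistant (assumption:
# it only needs cases and accounts, during a nightly sync, in small pages).
NARROW_GRANT = VendorGrant(
    vendor="ai-assistant",
    allowed_objects=frozenset({"Case", "Account"}),
    denied_fields=frozenset({"ssn", "card_number"}),
    window_start=time(2, 0), window_end=time(4, 0),
    allowed_days=frozenset({1, 3}),   # Tuesday and Thursday
    max_rows_per_call=1000,
)

# The "leave broad access in place" alternative: the same vendor, every
# object, every field, any time, effectively unlimited page size.
BROAD_GRANT = VendorGrant(
    vendor="ai-assistant",
    allowed_objects=frozenset({"Case", "Account", "Contact", "Opportunity"}),
    denied_fields=frozenset(),
    window_start=time(0, 0), window_end=time(23, 59, 59),
    allowed_days=frozenset(range(7)),
    max_rows_per_call=10**9,
)

# Constructed access-log lines (JSON, one event per line). Timestamps are
# UTC; 2025-08-12 is a Tuesday and 2025-08-13 a Wednesday.
SAMPLE_LOG = [
    '{"id":"e1","vendor":"ai-assistant","ts":"2025-08-12T02:30:00+00:00","object":"Case","fields":["subject","status"],"rows":200}',
    '{"id":"e2","vendor":"ai-assistant","ts":"2025-08-12T02:45:00+00:00","object":"Contact","fields":["email","ssn"],"rows":50}',
    '{"id":"e3","vendor":"ai-assistant","ts":"2025-08-13T14:10:00+00:00","object":"Account","fields":["name"],"rows":50000}',
    '{"id":"e4","vendor":"other-vendor","ts":"2025-08-13T14:11:00+00:00","object":"Contact","fields":["ssn"],"rows":1}',
]


def check_event(event: dict, grant: VendorGrant) -> list:
    """Return the policy violations for one event; an empty list means clean."""
    if event["vendor"] != grant.vendor:
        return []                                  # another integration's traffic
    findings = []
    ts = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    if ts.weekday() not in grant.allowed_days or not (
        grant.window_start <= ts.time() <= grant.window_end
    ):
        findings.append("outside scheduled access window")
    if event["object"] not in grant.allowed_objects:
        findings.append("object not in grant: " + event["object"])
    touched = grant.denied_fields & frozenset(event.get("fields", []))
    if touched:
        findings.append("denied fields read: " + ", ".join(sorted(touched)))
    if event.get("rows", 0) > grant.max_rows_per_call:
        findings.append("bulk read of %d rows exceeds %d"
                        % (event["rows"], grant.max_rows_per_call))
    return findings


def audit(log_lines, grant: VendorGrant) -> list:
    """Run each log line through check_event; return (event id, findings) for failures."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        findings = check_event(event, grant)
        if findings:
            hits.append((event["id"], findings))
    return hits


if __name__ == "__main__":
    for name, grant in (("narrow", NARROW_GRANT), ("broad", BROAD_GRANT)):
        print(name, audit(SAMPLE_LOG, grant))
```

Against the narrow grant, the read of a Contact record including a denied field and the 50,000-row daytime pull of Accounts are both flagged; against the broad grant the very same events produce no findings, which is the point of the article's question about whether the vendor should have that access in the first place. In a real deployment the grant would be enforced at the identity provider or API gateway (scoped OAuth tokens, time-limited credentials) and this check would run over the CRM's own audit log rather than over embedded sample lines.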
Update incident response planning
Companies should reevaluate and update their incident response plans to prepare for a higher frequency and severity of incidents, including proactively thinking through how the rapidly expanding array of incident notification obligations may apply to their business, such as the 24-hour early-warning notifications for actively exploited vulnerabilities and severe incidents that the EU Cyber Resilience Act will require of manufacturers starting in September 2026.
Address corporate governance and board oversight issues
Public companies should evaluate their Form 10-K cybersecurity disclosures and other public reporting in light of these developments and their particular circumstances. Senior leadership should also evaluate how to incorporate these AI developments, and the company's response to them, into board and/or committee briefings to facilitate proper oversight. Given the high-profile nature of these developments externally, including substantial press coverage, these will be issues that are top of mind for board members and investors.
I wish I could say that the situation with cyber risk is getting better right now with AI, and in some ways, it is from a defensive standpoint. In at least the short term, however, my concern is that most organizations are going to have difficulty preparing for the sharp increase in risk as flagged by the Five Eyes in their statement.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.