Dear Board Doc: How has cybersecurity oversight changed with the emergence of AI?

January 25, 2024

Q. Cybersecurity oversight is becoming increasingly complex with emerging threats - how can AI be used in cybersecurity controls, and how can cybersecurity controls limit AI risks?

Use of AI in Cybersecurity Controls: While the rapid evolution of AI poses new and complex threats, AI technology can also present a distinct advantage through its incorporation into cybersecurity protocols for threat detection, classification and incident response. AI has an unprecedented ability to analyze large amounts of data and can be used to help management detect emerging threats and implement preventive measures. Boards should inquire whether management has evaluated or updated cybersecurity controls to incorporate AI as a tool to enhance risk management. Management should be able to provide Boards with information on any IT budget adjustments or investments considered to enhance cybersecurity controls in light of evolving threats. Boards may also wish to inquire about any training measures fund management is considering with respect to the use of AI in cybersecurity controls.
Role of Cybersecurity in AI Risk Management: Whether or not it incorporates AI, cybersecurity controls should be evaluated to determine their adequacy in light of evolving AI threats, including social engineering, privacy implications, malicious code and denial of service attacks.AI also has the potential to optimize cyber attacks such as ransomware and phishing. Directors should inquire whether fund management has a process in place to audit their firm’s cybersecurity controls periodically. Firms should assess AI risks on an ongoing basis, review cybersecurity protocols in light of new threats, and update them as needed. If cybersecurity vendors are utilized, fund management should be able to provide information about their ability to assess and counter AI risks. As AI tools become less expensive and more prevalent, the risks of their pervasiveness are likely to increase, and fund management should include AI in the firm’s risk assessment. If firms are utilizing AI in their cybersecurity controls, these protocols should be reviewed on an ongoing basis to ensure that any AI-powered tool has not been the subject of an attack or data manipulation, and firms should invest in encryption and access control to protect from such attacks. To protect privacy, personal information should not be shared with an AI tool. In addition, fund management should also be able to discuss what their AI incident response plan would be.

The MFDF’s Board Doc is an occasional feature of the Daily News Feed that features questions from our readers. The answers and commentary provided in our responses do not constitute legal advice and should not be treated as such. Please consult with your independent counsel on questions of compliance with the securities laws and director fiduciary duties. If you would like the Board Doc to consider your questions, please e-mail BoardDoc@mfdf.org.