For AI and cybersecurity compliance to work seamlessly together, collaboration is key.
Artificial intelligence (AI) and cybersecurity regulations are on the rise, and businesses can do more to prepare for the impending changes. On October 30, 2023, the White House issued an Executive Order on the Impact of Advances in AI on Cybersecurity, signaling the urgent need for regulatory action.
A current focus is on the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed post-cyberattack reporting requirements that, if approved, would require organizations to report cyber incidents to CISA within 72 hours and ransom payments within 24 hours.
The Department of Homeland Security, which oversees CISA, said in a report released in May that it plans to develop additional strategies and devote more resources in the coming years to defend against cybersecurity and AI threats.
Close collaboration between industry and government is essential to the security and fairness of AI applications. Below we discuss what companies can do to prepare for upcoming regulations and how collaboration can impact those efforts.
Stay up to date
It’s beneficial for businesses to stay informed about regulatory changes. “Government websites are a key resource,” Yasmin Karimli, CIO at SST Partners and former vice president of cybersecurity transformation at T-Mobile, told me in a recent conversation. Karimli continued, “It’s essential that businesses stay informed about the timeline of proposed regulations to be well prepared for compliance.”
“Understanding the regulatory process will enable companies to effectively engage by providing comments and feedback during the rulemaking period. Having a robust plan in place will enable them to comply with new requirements in a timely manner and maintain required security standards while minimizing disruption to their operations,” Karimli added.
SANS, a leading cybersecurity research and training organization, highlighted the need to stay up to date in its Cyber Threat Intelligence (CTI) Survey released in May. The most widely used sources of information among survey participants were:
Vendor threat feeds (80%)
Published intelligence reports (80%)
Community or industry groups (79%)
External sources such as media reports and news (85%)
Similarly, Karimli stressed the need for companies to align themselves with industry and trade associations: “By proactively engaging with these organizations, you can jointly assess the impact of new regulations on your company and work together to develop appropriate responses. This proactive approach will help you effectively navigate regulatory challenges and adapt your strategy to the evolving legal framework surrounding AI.”
Collaborative business divisions
For companies like Coca-Cola HBC, new threats and opportunities from AI are driving cybersecurity closer to other business functions. The bottler, which recently partnered with Microsoft, is looking to find the right balance between AI innovation and responsibility.
In a December interview with beverage industry news magazine Just Drinks, Murad Ajalti, chief digital and technology officer at Coca-Cola Holdings, noted the need for companies to pursue “responsible AI” practices that rely on multiple business functions.
“We already have what we call cyber regulation and privacy regulation in place, to ensure that what we apply to other digital tools that we create also applies to AI, so that we have a safety net for what we do with AI.”
Ajalti continued, “But at the same time, the way we approach AI, for example, is we have cross-functional teams — not just technical teams, but sales teams, finance teams, supply chain teams — and we have lawyers, cybersecurity people, data privacy people — looking at it from multiple angles to make sure we’re delivering what we call ‘responsible AI’ solutions before regulations come into place.”
The need for vigilance
Executives recognize the importance of data privacy and cybersecurity, but companies can do more to remain vigilant. According to PwC’s 2023 Annual Corporate Director Survey, cybersecurity ranks second (49%) in terms of risks that pose oversight challenges to corporate boards. Most boards are dedicating significant time to cybersecurity in meetings, with some pointing to additional upskilling and third-party input to assist with those efforts.
However, only 19% of survey participants said their company had added a new director with cybersecurity experience within the past 12 months, meaning, as CrowdStrike stated in its 2024 Global Threat Report, “a ‘good enough’ approach to cybersecurity is no longer sufficient for modern threats.”
Conclusion
Cybersecurity regulation will play an increasingly important role for businesses, and by staying proactive and informed, they will be best positioned to move forward.