On May 21 financial regulators in New York released new guidance to help businesses understand the cybersecurity measures they should implement when they find themselves in a “heightened threat environment.”
We’ll pause for a moment here while everyone quietly mutters, “For Pete’s sake, we’ve been working in a heightened threat environment since, like, 2011.”
That may be true, but it’s also true that all businesses now operate in an even more heightened threat environment. That puts lots of pressure on internal audit and risk management teams — but in a roundabout way, it gives you more opportunity, too. Your team sits at the crossroads of more offensive threats attacking your business; and more defensive capabilities your business needs to develop. You have expertise in cybersecurity, risk assessment, process management, disaster recovery, and now, increasingly, artificial intelligence. So if audit and risk management teams assemble the right human talent and IT capabilities, you can prove yourself an invaluable strategic asset to your business.
That’s the nifty theoretical idea, at least. Let’s talk about how you can seize the opportunity in practice.
The Message in the New York Guidance
We can begin with what that guidance from the New York regulators actually says. The New York Department of Financial Services (DFS) released two open letters. The first offered 20 different steps a company could take when it finds itself in that heightened threat environment, depending on the exact threat you face. The second talked about risks from frontier AI models, and while it wasn’t as detailed as the first letter, it did cite several steps from the first letter as actions you could also use to manage threats from AI.
Legally the guidance only applies to businesses that offer financial services to residents of the state of New York. As a practical matter for audit and risk leaders, however — so what? The DFS guidance is so practical that anyone in any industry can put its advice to good use within your own operations.
For example, Letter No. 1 identifies three basic strategies that firms could take to protect themselves in a heightened threat environment:
- Reduce the attack surface
- Improve threat detection and readiness
- Improve your resilience and response to attacks
The 20 measures you could take are grouped under those broad categories, and they’re probably measures you’ve seen or heard before: confirming that your IT teams use secure software development practices, improving your monitoring of third-party code, testing the reliability of data backups, and so forth.
Letter No. 2, on risks from frontier AI models, is shorter and less prescriptive, but more thought-provoking. Consider this jarring sentence: “The best preparation for frontier AI models is a robust cybersecurity program that includes timely and comprehensive vulnerability identification and remediation.”
That sentence is a warning that DFS sees frontier AI as a weapon others will use against you, at least as much (or perhaps even more) than AI is a tool your business can use to improve its operations.
This shouldn’t be news. We’ve all heard stories of Mythos (from Anthropic) and Daybreak (from OpenAI), both stupendously good at finding previously unknown vulnerabilities in corporate software systems. The fear is that soon enough, hackers will start using those systems (or comparably good frontier models) to pierce corporate IT systems far and wide.
That means companies have a window of opportunity right now to strengthen their cybersecurity controls, policies, and procedures, before frontier AI models leave us in a permanently heightened threat environment.
That’s how the two DFS letters tie together: you won’t be able to manage the AI-enhanced risks identified in Letter 2 unless you already have the strong capabilities listed in Letter 1.
Seizing the Opportunity
Internal audit leaders can’t simply print out these two letters and run to senior management declaring, “This is why we need more budget!” That frames the whole issue as a matter of regulatory compliance, and management teams generally prefer to allocate the least resources necessary to meet compliance obligations.
The real opportunity here is for internal audit teams to have deeper conversations about how you are uniquely positioned to help the company weather an increasingly difficult cybersecurity environment.
For example, go back to Letter No. 1 and its recommendation that IT teams use secure software development practices. Sure, that’s something that can be audited — but are look-back audits enough any longer? If a cybersecurity disaster happens at your business, does anyone really believe stakeholders will be satisfied with, “An audit reveals we were weak on software development for the last two years?”
Software development is a process that needs improvement and constant monitoring, not just an audit. So the company needs a risk assurance function that can (a) review software development practices from a security perspective; (b) talk with IT development leaders about practical ways to improve weaknesses; (c) design monitoring controls for ongoing oversight; and (d) report to the board or senior management about how much vulnerability the organization has from its software development practices.
Internal audit can do all that, if the team is properly structured and resourced. (As a bonus for publicly traded companies, more than a few of the steps listed in the DFS guidance are also important capabilities for SOX compliance.)
Ultimately, if you can provide this level of assurance — that your organization can withstand “heightened threat environments” and is prepared to do battle with AI-enhanced attacks — that brings real operational resilience to the business. That’s the argument to make for internal audit’s importance in the modern era.
About Matt Kelly
Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.
Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.
Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.