Risk Management

The Securities and Exchange Commission has officially reached the implementation dates for its historic cyber incident reporting requirements.

The rules, which require companies to report material cyber incidents within four business days of determination, are leading to significant changes in how companies prepare for and implement cyber risk strategies at the highest levels of publicly traded companies that operate in the U.S. 

Firms have been actively reviewing their incident response programs to determine whether they are getting the right information to make an informed decision on materiality, said Joe Nocera, lead partner of cyber, risk and regulatory marketing at PwC. “So they’re looking at that definition of materiality, which is reasonably vague by the SEC, and they’re saying, how do we apply that to our organization?"

One of the key goals of the SEC is to make sure companies are better prepared to mitigate material breaches, ransomware or nation-state espionage attacks.  

Despite a number of regulatory enhancements at the federal and state levels after attacks against SolarWinds and Colonial Pipeline, the U.S. has experienced a resurgence in ransomware and other malicious activity, fueled in part by nation-state activity linked to Russia, China and more recently Iran. 

“The continued geopolitical tension around the world provides a perfect storm for bad actors and nation state attacks and the government is using all its regulatory policy might to enforce cyber compliance,” said Lisa Donnan, a partner at Option3, a private equity fund that specializes in cybersecurity.   

Investigations related to some of the nation’s biggest attacks and breaches in recent years show a pattern where corporate executives were unaware or missed glaring security risks that could have prevented some of these attacks from taking place. 

Morgan Stanley was ordered to pay $35 million to settle SEC allegations it failed to protect the personally identifiable information of 15 million people. 

The Department of Transportation found that Colonial Pipeline committed multiple control room violations after an investigation linked to the 2021 ransomware attack, and recommended up to $1 million in civil penalties. 

In other investigations, top executives deliberately misled investors about software vulnerabilities, mitigation strategies or other measures that could have been taken to prevent an attack.  

In the SEC civil suit against SolarWinds and CISO Tim Brown, the agency alleges that internal presentations and emails were circulated during the two years between the IPO and the December 2020 Sunburst attack that discussed weaknesses in its Orion software platform and concerns about remote access security. 

Meanwhile, the company was making public statements to investors touting the security of its platform and hid those internal discussions from the public. 

How to respond

Companies are reassessing their existing incident response plans, including synchronizing those plans to work alongside the new disclosure requirements, according to Jerome Tomas, chair of Baker McKenzie's SEC and Financial Institution Enforcement Group.

That work includes conducting tabletop exercises with legal and information security teams, Tomas said. 

“Public companies are very familiar with the factors that go into a materiality determination,” Tomas said. “That said, companies are sharpening their focus on determining how, for example, previous quantitative materiality metrics can be applied and used for cyber incidents.”

The information used to determine a material impact during a data security incident is often fluid at the beginning. These can range from a few different elements, including:

• The amount of impacted data
• The number of impacted customers
• Business disruption costs
• Ransom payments
• The type of PII at issue

As part of developing a more robust incident response plan, companies should develop a relationship with their local FBI office, according to Chris Stangl, a managing director at the cybersecurity and investigations practice at Berkeley Research Group and a former FBI agent. 

“In times of crisis, it’s never a good idea for first contact to be made while in the deep throws of a response,” Stangl said via email. 

The FBI can provide expert advice to companies after an incident and help determine at a fairly early stage whether an incident is substantial, he said. 

The FBI earlier this month disclosed the process for a company to request a SEC reporting delay, which is usually based on national security grounds and must be run through the senior levels at the Department of Justice. 

Mitigation strategies

A key focus of the new SEC rules is to require companies to disclose some of the key elements of their risk mitigation strategy. 

The idea is to inform investors whether the company had a plan in place to reduce the overall risk of an attack and make sure the company had the ability to respond to a cyber breach or malicious intrusion. 

Brian Walker, CEO and founder of the CAP Group, said one of the biggest concerns companies are grappling with is how to balance out the disclosures to satisfy the regulatory requirements, but not release so many details as to place the company at risk of government action or investor actions.

“I think they’re more concerned about how much detail is sufficient for the SEC and for shareholders to feel comfortable that things are under control,” Walker said. “But not so much detail that any incident in the future might make them go awry of what they said they were doing, and open the door for litigation, or fines from the SEC.”

Another key concern for the SEC was board oversight over cyber risk. For many years, companies have failed to maintain regular contact between the security operations teams and board of directors. 

Capital One was forced to pay $80 million in penalties and enter a consent order with the Office of the Comptroller of the Currency after a 2019 breach led to 106 million customer accounts being compromised. 

The Federal Reserve issued a cease and desist order with the bank and required the board of directors to submit a plan on how it would improve risk management and internal controls. 

A study from BitSight and Google released last week shows that companies are still falling short in some of fundamental risk indicators. 

Companies underperformed in six out of 16 minimum viable secure product controls, the report found. Among the worst-performing controls, companies were particularly weak in dependency patching, vulnerability prevention and time to fix vulnerabilities. 

Despite the concerns about oversight, the SEC dialed back its original proposal to have companies disclose specific information about cyber expertise on the board. 

There were concerns that requiring companies to recruit cybersecurity experts to their boards would potentially force them to divert resources that could be spent on other cybersecurity investments or other board priorities, according to Erik Gerding, the SEC's director of the Division of Corporate Finance.

“Instead, the final rule focuses on disclosures regarding management’s role in assessing and managing material risks from cybersecurity threats,” Gerding said in comments released Thursday before the enforcement dates went into effect.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly has increasingly called out C-suite executives and corporate boards about their lack of ownership over managing cyber risk, warning that corporate leaders could no longer continue to pass off that responsibility to CISOs alone. 

Public companies have taken steps to increase the amount of security expertise on their boards in recent months. 

Earlier this month, Marriott Vacations Worldwide named Mary Galligan to join its board of directors effective Jan. 1. Galligan was managing director of Deloitte’s Cyber & Strategic Risk practice for more than a decade and also previously served as a special agent with the FBI. 

Meanwhile Wex, a global commerce platform, earlier this month elected Aimee Caldwell, former EVP and CISO at UnitedHealth Group, to its board of directors.

When the National Institute of Standards and Technology released the Cybersecurity Framework in 2014, the cybersecurity industry and threat landscape confronted by organizations was quite different.

What a difference a decade makes.

NIST released version 2.0 of the CSF, updating voluntary guidance for businesses of all sizes across sectors to reduce cyber risk. The overhaul, which got underway last year, plays catch-up to the current state of affairs.

The updated guide and resources places a new emphasis on the supply chain, a common attack vector, and governance, complementing efforts such as the new Securities and Exchange Commission’s rule requiring companies to report cybersecurity risk management, strategy and governance in annual filings.

“The CSF has always been intended to be used from the server room to the boardroom, and as server rooms are now no longer on-prem, the boardroom becomes even more important,” Cherilyn Pascoe, director of NIST’s National Cybersecurity Center of Excellence, said at an event Aspen Digital hosted to discuss CSF 2.0.

While the initial CSF was built around five core functions — identity, protect, detect, respond and recover — version 2.0 adds govern because organizations need to incorporate cyber risk management throughout their corporate governance structure. The functions are organized to provide a full view of the cybersecurity risk management lifecycle.

Governance represents a big change and something NIST and stakeholders across industry weren’t ready to incorporate 10 years ago, NIST Director Laurie Locascio said at the Aspen Digital event.

The govern function, which is designed to help organizations measure the outcomes of the other five functions, addresses organizational context, policy, oversight, and supply chain risk management.

The new function advocates for structured risk management strategies and a clear delineation of responsibilities, according to Callie Guenther, senior manager of cyber threat research at Critical Start. The emphasis on the supply chain reflects a growing recognition of the interconnected nature of cybersecurity risks.

NIST paired its CSF 2.0 release with a collection of resources to make the guidance easier for businesses to use and put into practice across their operations. This includes new implementation examples, a reference mapping tool that links the framework to other cybersecurity recommendations, and quick-start guides for specific audiences and user types.

While the initial release served a long run, the evolution of malicious activity and technological change requires NIST to continue updating guidance. These amendments are coming along in tandem with efforts elsewhere.

The White House’s national cybersecurity strategy and the Cybersecurity and Infrastructure Security Agency’s cybersecurity performance goals complement NIST’s CSF 2.0 while regulators and sector-risk management agencies address risk management for their respective industries.

“Compliance and regulatory controls are significant for organizations in 2024, with frameworks like CSF 2.0 as a core foundation easily overlayed with other frameworks specific to other controls and verticals,” Ken Dunham, cyber threat director at Qualys, said via email.

Every organization has the responsibility to cover and adhere to multiple forms of compliance and frameworks, Dunham said.

Sponsored content

By Hyperproof

Do you feel confident that you’ve allocated an appropriate amount of resources towards your security program? Do you know which information assets and systems are most vulnerable? And have you calculated the potential financial costs you’d incur if key systems were to go down? 

In our modern, highly volatile cyber risk environment, these are critical questions for every organization to answer. Getting the answers will require your organization to become proficient in conducting an IT risk assessment. 

How to conduct an IT risk assessment 

Following these steps will help you conduct a basic information security risk assessment and give you the tools you need to begin building a consistent process for identifying key business risks: 

1. Identify and classify your information assets 

The first step in an IT risk assessment is to make sure that you have a comprehensive list of your informational assets. Departments will have varying perspectives on what the most important assets are, which means you should solicit input from more than one source. For example, the most important information asset for your sales lead might be your company’s CRM, but IT might view servers as a higher priority. Once you have identified all of your information assets and key departmental stakeholders, classify them by sensitivity level and strategic importance.  

2. Identify your risks 

The next step is to identify risks to your company’s security, which is a challenging task considering the ever-evolving risk landscape. Consider all types of risks when compiling your list, like human error (i.e. accidentally deleting information or clicking on a malware link), natural disasters, and power failures. Depending on the quality of your hardware and your information systems, you might also need to account for the risk of system failure. After you’ve completed this step, you should have a thorough list of the threats to your assets. 

3. Identify vulnerabilities 

Now that you’ve identified your threats, pinpoint your vulnerabilities. The difference between a risk and a vulnerability might seem subtle, so let’s define it here: a vulnerability is a weakness in your system or processes that might lead to a breach of information security. For example, if your company stores unencrypted customer credit card data, you have a significant vulnerability. You can find vulnerabilities through audits, penetration testing, security analyses, automated vulnerability scanning tools, or NIST’s vulnerability database. 

4. Analyze internal controls 

Next, you need to implement controls to minimize or eliminate the vulnerabilities and threats. This could be either control to eliminate the vulnerability itself or control to address threats that can’t be totally eliminated. Controls can be technical, such as computer software, encryption, or tools for detecting hackers or other intrusions, or non-technical, such as security policies or physical controls. Controls can also be broken down into preventive or detective controls, meaning that they either prevent incidents or detect when an incident is occurring and alert you.  

5. Determine the likelihood of an incident 

Next, categorize how likely each of the vulnerabilities you found might actually be exploited. Many organizations use the categories of high, medium, and low to indicate how likely a risk is to occur. If you handle a large volume of personal health information, have automated systems for encrypting and anonymizing it, and regularly test and check the effectiveness of those systems, the likelihood of an incident could be considered low. You will need to use your knowledge of the vulnerabilities and the implementation of the controls (which we’ll discuss later) within your organization to make this determination. 

6. Assess the impact of a threat 

This step is known as impact analysis, and it should be completed for each vulnerability and threat you have identified, no matter the likelihood of one happening. Your impact analysis should include three things: 

1. The mission of the system, including the processes implemented by the system

2. The criticality of the system is determined by its value and the value of the data to the organization 

3. The sensitivity of the system and its data 

Depending on the three factors above, you can determine whether a threat would have a high, medium, or low impact on your organization. Taken together with how likely an incident is to occur, this impact analysis will help you to prioritize these risks in the next step. 

7. Prioritize the risks to your information security 

Prioritizing your security risks will help you determine which ones warrant immediate action, where you should invest your time and resources, and which risks you can address at a later time. A simple risk matrix helps you plot every threat and vulnerability you’ve identified to prioritize them. Risks that are both likely to happen and would have severe consequences would be mapped as a high priority, while risks that are unlikely to happen and would have marginal consequences would be mapped as the lowest priority, with everything else falling somewhere in between.  

8. Design controls 

Once you’ve established priorities for all risks you’ve found and detailed, make a plan for mitigating the most pressing risks. To determine what controls you need to develop to mitigate or eliminate the risks effectively, involve those responsible for executing controls. Senior management and IT should be heavily involved to ensure that the controls will address risks and align with your organization’s overall risk treatment plan and operational goals. Develop a plan to implement all new controls, including the resources you would need to train pertinent employees. 

9. Document the results 

The final step is to develop a report that documents all of the results of your assessment in a way that easily supports the recommended budget and policy changes. Risk assessment reports can be highly detailed and complex, or they can contain a simple outline of the risks and recommended controls. Ultimately, what your report looks like depends on who your audience is, how deep their understanding of information security is, and what you think will be the most helpful in showing potential risks. A risk assessment aims to document your organizational risks and create a plan to address those risks to avoid encountering a risk without preparation. Creating this report for senior management is crucial for communicating what they need to understand about information security risks.  

Final thoughts 

Assessing risks should be an ongoing process, not a one-time-only exercise. As your systems or your environment change, so will your information security risks. A GRC platform can help you automate many of the processes when conducting an IT risk assessment, like seeing how your risks change over time, identifying which risks and controls to address, and effectively communicating compliance objectives to your executives. 

Finding the right tools for your security system can be a real struggle, especially for smaller businesses. 

While there is a tendency for organizations to jump on the security technology bandwagon, onboarding the newest and hottest tools, it’s vital for security analysts to take a step back and evaluate what tools are garnering the most investment, and why they are so popular.

Managed detection and response systems — and anything dealing with identity management — are gaining more attention, thanks to what's happening in the threat landscape.

The tools address top security issues organizations face today: the expanding threat landscape, where attacks are growing more sophisticated and stealthy, and the rising number of identity-based attacks.

MDR’s role in the security system

Organizations, both large and small, want MDR services that will help reduce false positives and improve overall threat detection, investigation and response, according to research from Gartner. 

From 2023 through 2025, Gartner expects MDR’s growth to exceed $6 billion, almost doubling revenue in 2022. By 2025, most MDR services are expected to include a pre-breach cybersecurity validation assessments and security posture advisory, the study determined. 

More companies are turning to MDR because it provides customers with remotely delivered, human-led modern security functions for the purposes of reporting, rapid detection, analysis and investigation of threats, said Mitchell Schneider, senior principal analyst at Gartner, in an email interview. It can also aid remote mitigation to those threats.

“Finding threats is somewhat easier than it used to be; however, understanding if they will impact you, how you should deal with them, and being there with that knowledge at the right time is where MDR provides value,” Schneider said.

Across providers in the market today, the systems that stand out do two things, according to Schneider:

• They understand and coordinate the needs of the businesses they serve, drawing on business-driven, rather than security-driven, requirements. They also consume only relevant data from systems and keep costs low, translating the combination of requirements and data into effective risk understanding.
• They deliver actionable insights aligned with a customer’s capabilities. Outputs are delivered in a way that is technical for the resolvers/responders — and business-led for the board. The outcomes quantify and consider the risks for that business, helping them decide what to react to and how to do that in the least risky way.

Identity management needed to tackle credential compromise

The influx of devices forced organizations to rethink their approach to protecting identity, according to Mark McClain, CEO and founder of SailPoint at Navigate. Bring-your-own-device policies and other pandemic-induced changes have eroded security team control over the last decade.

Identities are the common thread between devices and the corporate network, both human and non-human, most with multiple credentials.

“So you have this explosion of identities on one side, and completely non-control over ownership [of] all the technologies they’re using, expanding the attack surface,” said McClain during a conversation at SailPoint Navigate 2023. 

This has forced leadership to initiate deeper conversations about how to address the security risks around identity and credential compromise. After rationalizing access entitlements, security teams must grapple with access monitoring across every potential entry point.

“It’s not just the front door you have to protect; you also have to recognize the damage they can do once they are inside,” said McClain. 

Identity management comes in various forms — access and privilege, to name two. Tools are needed for identity screening, verification and permission control.

Because credential compromise is so difficult to detect and because it has become one of the leading attack vectors, organizations are stepping up their adoption of identity and access management and privileged access management tools.

What does the future hold?

The future is all about AI. The technology has been used in cybersecurity for years, but it wasn’t until generative AI tools came on the market in November 2022 that it became the only technology anyone wanted to talk about.

NNow, cybersecurity vendors are looking for ways to integrate the technology into their products, so in the coming months and years, expect to see generative AI used for tasks such as adaptive threat detection, predictive analysis, or improving patching and updating processes.

Emergent AI is at the top of Gartner’s Hype Cycle list for 2023 and beyond. How organizations adopt AI technologies for their cybersecurity systems in the future will depend on how it is adapted into current tools and how the security landscape evolves.

The Cybersecurity and Infrastructure Security Agency’s pre-ransomware notification initiative, which aims to reduce risk by alerting organizations of early-stage ransomware activity, resulted in more than 1,200 pre-ransomware notifications in 2023. 

The federal agency’s effort had a busy and productive first year in operation, including 294 alerts that were also shared with 27 partner countries, according to CISA’s 2023 year in review.

Notifications were sent to more than 100 K-12 school districts and colleges, respectively, and more than 150 U.S. healthcare organizations. Other sectors that received alerts include organizations in emergency services, water and wastewater, transportation, energy, and state and local government.

The earlier an organization is aware of potential ransomware activity, the more likely it is to stop or limit the impact of an attack. 

CISA’s Joint Cyber Defense Collaborative gathers tips from cybersecurity researchers, infrastructure providers and threat intelligence firms to notify victims of early-stage ransomware activity. 

Federal cyber authorities alerted 60 entities across multiple critical infrastructure sectors of potential pre-ransomware intrusions during the first quarter of 2023 and significantly ramped up notification activity throughout the remainder of the year. 

The agency's work with ransomware doesn't stop at alerts. CISA helped a Fortune 500 company hit with a $60 million ransomware attack in February establish a CISO position, and identify areas to improve its IT infrastructure and security controls.

The agency said it also helped a mass transit operator prevent a $350 million ransomware attack on critical transportation infrastructure.

CISA highlighted multiple accomplishments in its look-back on 2023, including more than 1,700 notifications sent to organizations as part of its ransomware vulnerability warning program. Its vulnerability scanning effort covered nearly 7,000 critical infrastructure organizations.

The ransomware vulnerability warning pilot, which warns critical infrastructure operators of exposure to vulnerabilities that can be exploited by threat actors, started in late January 2023 and ultimately resulted in 782 notifications by the end of the year, according to CISA.

Organizations already struggle to keep employees from risky behaviors that can result in a data breach. Now, generative AI presents a whole new threat – employees who accidentally input sensitive corporate or consumer data into ChatGPT. 

As more organizations adopt generative AI into the workplace, 15% of employees regularly post data into the tool, according to research from LayerX released last year. Of those that share information in ChatGPT, 6% admit they’ve shared sensitive data. 

Now security teams have a new worry: how to keep employees from inputting personally identifiable information and proprietary corporate information into generative AI tools. 

Sharing personal data puts the organization at risk of violating any number of data compliance laws. For organizations that want to add generative AI to their tool box, they need to build security protocols designed to prevent data leaks of sensitive information.

Putting guardrails in place

The truth about AI, particularly generative AI, is that while it does present risk for companies, it also offers a lot of benefits. It’s up to the organization to recognize how the good part of AI can turn into a risk. 

There’s a need to put guardrails in place that allow organizations to do business safely while embracing AI, said Max Shier, VP and CISO with Optiv.

“Everybody is trying to find that balance between enablement and risk mitigation, especially as it relates to privacy laws and protecting company confidential information,” said Shier.

Generative AI used within any organization needs policies and controls designed to protect data. 

The best case scenario is that a company does not onboard ChatGPT and similar tools unless the company already has a mature security program with data loss prevention tools in place and AI-specific user awareness training, Shier said. 

CISOs and CIOs will need to balance the need to restrict sensitive data from generative AI tools with the need for businesses to use these tools to improve processes and increase productivity. 

They have to do this all while staying compliant with the alphabet soup of rules and regulations.

The “easy” answer is to ensure that sensitive data is not finding its way into LLMs – and that doesn’t mean just training data, said John Allen, VP of cyber risk and compliance at Darktrace, in an email interview. 

“Many offerings from popular LLMs specifically state that any data you provide via prompts and/or feedback will be used to tune and improve their models," said Allen. "However, enforcing this limitation on sensitive data is easier said than done.”

Protecting data

There are two areas of emphasis when looking at ensuring data privacy in generative AI use, according to Craig Jones, VP of security operations at Ontinue, in an email interview.

Compliance maintenance: 

Organizations need to rigorously assess and control how LLMs handle data, ensuring alignment with General Data Protection Regulation, the federal law restricting release of medical information, and the California Consumer Privacy Act. 

This involves employing strong encryption, consent mechanisms and data anonymization techniques, alongside regular audits and updates to data handling practices.

Securing sensitive data: 

Ensuring the security of sensitive data involves employing a multilayered security approach, including encryption at rest and in transit, strict access controls and continuous monitoring for anomalies. 

In case of a breach, rapid response and remediation measures need to be in place, along with clear communication to affected stakeholders following the legal and regulatory requirements. 

The lessons learned from such incidents should be integrated into improving the data security framework to better address future scenarios.

Safeguards ahead

Generative AI and other security tools are adding subscription levels with enhanced privacy protections or are building out APIs that will restrict sensitive data from leaving the company’s system. The data is not used to develop other AI models.

“In fact, many vendors will also enter into data processing agreements and business associate agreements in order to meet specific compliance requirements for handling sensitive data,” said Allen.

In addition to the generative AI usage policies designed to protect sensitive data, AI companies are also stepping up to better protect sensitive data, adding security controls like encryption and obtaining security certifications such as SOC2. 

But this is still a new territory, and security teams are trying to learn what happens when sensitive data finds its way into a model, how to find that data and how to delete it — especially for PII under strict data compliance regulations. 

“The use of generative AI tools is ultimately still in its infancy and there are still many questions that need to be addressed to help ensure data privacy is respected and organizations can remain compliant,” said Allen. 

National Cyber Director Harry Coker reiterated prior warnings that hackers linked to the People’s Republic of China are actively working to gain access to critical infrastructure in the U.S. to potentially launch malicious attacks. 

Coker, in his first major speech in Washington since he was confirmed in December, said the state-linked threat actors aimed to disrupt — or possibly destroy — the ability to provide critical services as a distraction linked to military activity. 

“In the early stages of an armed conflict, they want to disrupt our military’s ability to mobilize, and to impact the systems that allow us to thrive in our increasingly digital world,” Coker said at the Information Technology Industry Council’s Intersect Tech Policy Summit. “Their intentions drive home a point so many of us have known for years: In cyberspace, the private sector and the American people themselves are on the front lines.”

Coker was one of four cybersecurity and law enforcement officials who testified about the threat before the House Select Committee on the Chinese Communist Party.

Earlier this week, the FBI and the Cybersecurity and Infrastructure Security Agency, said the state-linked actor Volt Typhoon and other China-affiliated actors have penetrated key critical infrastructure sectors in preparation for disruptive attacks. 

Coker emphasized that the majority of critical infrastructure in the U.S. is owned by the private sector. The U.S. needs collaborative work from the industry to make sure these systems are protected from malicious threats, he said.

“There are plenty of actions we can and will take to address counter-normative behavior,” Coker said. 

Coker told the industry attendees at the summit the administration will need to collaborate with them to counter the threat. 

The Office of the NCD is working on several key initiatives that are part of the Biden administration’s national cybersecurity strategy: 

• Officials are consulting with academic and legal experts to explore a variety of tactics to hold manufacturers accountable when they rush insecure products to market. Officials will be reaching out to industry for additional feedback.
• The office is reaching out to interagency partners in an effort to harmonize a number of wide ranging cyber rules and regulations so companies are not overwhelmed by compliance burdens.
• The administration is working to build a more diverse and robust cybersecurity workforce, as the industry still has about a half million vacant job opportunities and there is a desperate need to attract qualified workers. 

Coker also highlighted an upcoming white paper on efforts to develop the use of memory-safe languages and improve software measurability. 

Memory safety has become a major focus, as many issues related to critical vulnerabilities are due to the use of unsafe coding. 

Exploitation of the CitrixBleed vulnerability in late 2023 was linked to the use of unsafe programming languages.

More than half of organizations encounter security issues with AI-generated code sometimes or frequently, according to Snyk’s survey of more than 500 technology professionals in late 2023. 

Developers are interested in productivity gains from AI coding assistants, but businesses could run into problems if the growing use goes unchecked. Nearly 9 in 10 developers are concerned about the broader security implications of using AI coding tools, according to the data. 

More than three-quarters of developers bypass established protocols to use code completion tools despite potential risks, according to the report. To compound the security problem, around half of organizations haven’t updated software security practices to adapt to the growing use of AI-powered coding tools. 

AI coding tools have had a rocky start down the path to widespread enterprise adoption. 

Just 1 in 4 organizations include AI as part of their software development lifecycle, according to a GitLab survey conducted in June 2023. A Google Cloud report in October characterized AI’s impact on software development as relatively minimal with respondents experiencing neutral or moderately negative effects on team and software delivery performance.  

Despite a relatively slow burn, enterprises have their sights set on AI to accelerate the development process, even as questions regarding the security and validity of generated code arise. 

Businesses across industries are exploring the technology’s potential from Papa Johns and General Motors to Vanguard and Bank of America. 

“We think there’s vast promise for AI and we’re deploying it in places, a lot of internal stuff,” Brian Moynihan, CEO at Bank of America, said during the company’s earnings call earlier this month. “There’s coders using it to continue to improve their effectiveness and learning it, but there’s still the care that has to be taken on data and usage and models and accountability.”

When it comes to AI, enterprise interest in specific use cases is often followed by an onset of targeted solutions. The focus on AI-powered coding tools is no different as vendors, such as OpenAI, SAP, Salesforce, Anthropic, Google and Meta, have beefed up their capabilities in response.

The increased regulation of data privacy and cybersecurity is only half the reason in-house legal should help ensure their organizations are serious about breaches; the other half is the expectation of business partners who increasingly won’t do business with companies that don’t have protections in place, Otterbourg Partner Erik Weinick says.  

“Companies are being forced by contractual provisions,” Weinick said. “If they are a small company but are doing business with a large company, as a condition of doing business with them they have to change what they’re doing from a privacy or security standpoint.” 

Small and mid-sized companies are starting to get that message, said Weinick, co-founder of his firm’s data privacy and cybersecurity practice group. Until recently, many companies thought that because they’re small or don’t typically hold sensitive information, they’re not a target of threat actors, and even if they are, there’s little they can do to prevent an incident given that large companies that invest heavily in security still get breached.  

“‘Look at all these big companies that spend tens or hundreds of millions of dollars a year on security and still get attacked,’” he said, sharing the thinking of some companies. “‘Why should I bother? I’ll just deal with it.’”

Weinick encouraged counsel that don’t have resources to add in-house technical and legal expertise to start with outside counsel to boost their privacy and security posture. The outside firm will bring to the company well-established relationships with insurance companies, technical specialists and law enforcement agencies. 

This network can apply lessons learned from incidents they’ve worked on to preventative efforts and, should an incident occur, a tightly scripted response that can lessen the impact. 

“There’s still a misconception out there that, depending on the type or size of the organization, it’s not going to happen to them or if it happens they’ll deal with it or be covered by their general insurance policy, so most of our calls are from people who are unprepared,” Weinick said. 

Outside counsel can also help ensure internal communications about privacy and security stay confidential in the event there’s an incident and plaintiffs' attorneys try to get those communications in discovery. 

“If all the information flow is going through that counsel in coordination with the general counsel, that increases the likelihood that a privilege may be maintained,” he said. “Some business folks think, as a matter of course, that if they copy the inside counsel on every piece of correspondence, it becomes magically privileged even though it’s an ordinary-course business communication. It has to be actually protectable information. It can’t be that just copying certain people makes it privileged.”

To improve the likelihood privilege attaches, communication about technical and finance matters related to privacy and security should be related to the general counsel or outside counsel providing legal advice. 

For example, if outside counsel recommends a security measure that the internal finance team hesitates to authorize because of cost, the back and forth about that is likely to be privileged if the in-house counsel weighs in on what to do from a legal standpoint.

“If the in-house counsel says to the board or whoever the ultimate decision-maker is … my ultimate recommendation is that it’s a necessary expense [based on what our outside counsel says], that should be protected,” he said. “What the in-house counsel has done there is collected information to inform legal advice they’re giving.”

What you don’t want is to have, outside of a privilege context, internal communication where the company decides, maybe for budget reasons, it doesn’t want to implement a costly security measure recommended by outside expertise. 

“You don’t want to have an email from, say, an outside technical expert that went to an inside technical expert that says you should do x, y and z, and that inside technical expert sends that to the budgeting office and they say it’s not worth it,” he said. “And then the attack winds up preying on the exact vulnerability. That just provides a road map to the plaintiffs’ attorney as to what you could have done but failed to do to prevent the attack.”