Artificial Intelligence and Cybersecurity Regulation: Preparing for Impending Changes

On October 30, 2023, the White House issued an Executive Order addressing the impacts of AI evolution on cybersecurity, signaling an urgent need for regulatory action. As the landscape of artificial intelligence (AI) continues to expand, so too does the necessity for robust cybersecurity regulation. The Cybersecurity and Infrastructure Security Agency (CISA) has proposed new reporting requirements following cyberattacks, mandating entities to report cyber incidents within 72 hours and ransom payments within 24 hours. This move is indicative of the increasing regulatory attention AI and cybersecurity are garnering.

The Rising Focus on Cybersecurity Regulation

The Department of Homeland Security (DHS), which oversees CISA, emphasized in a May report the need to develop additional strategies and allocate more resources to combat cybersecurity and AI threats. This proactive stance underscores the importance of close collaboration between industries and the government to ensure the security and fairness of AI applications.

Staying Informed: A Critical Strategy

To navigate the evolving regulatory landscape, companies must stay informed about regulatory changes. As Yasmin Karimli, CIO at SST Partners and former VP of cybersecurity transformation at T-Mobile, highlights, government websites are a crucial resource. “It is imperative that enterprises remain informed about the timeline for proposed regulations and prepare adequately for compliance,” Karimli noted during a recent conversation.

Understanding the regulatory process enables enterprises to engage effectively, providing comments and feedback during the rule-making period. Having a robust plan in place ensures timely compliance with new requirements, minimizing disruptions to operations while upholding necessary security standards.

Sources of Cyber Threat Intelligence

Staying informed also involves leveraging various sources of cyber threat intelligence. According to a survey by SANS, a leading cybersecurity research and training organization, the most widely used sources among survey participants included:

Vendor threat feeds (80%)
Published intelligence reports (80%)
Community or industry groups (79%)
External sources such as media reports and news (85%)

Karimli stresses the need for companies to remain in step with industry and trade groups: “By actively engaging with these organizations, we can collectively assess the impact of emerging regulations on our enterprise and collaborate on formulating appropriate responses.”

Aligning Business Units for Effective Compliance

For companies like Coca-Cola HBC, emerging AI threats and opportunities necessitate closer alignment between cybersecurity and other business units. Coca-Cola HBC’s chief digital and technology officer, Mourad Ajarti, emphasized in a December interview with Just Drinks the importance of responsible AI practices that engage multiple business functions.

“We already use what’s called cyber regulation, privacy regulation — for us to have a safety net of what we do with AI, by applying to AI what we apply to any other digital tools that we create,” Ajarti explained. Engaging a multi-functional team, including technical, commercial, finance, supply chain, legal, cybersecurity, and data privacy officers, ensures a holistic approach to responsible AI before regulations come into effect.

The Need for Vigilance in Cybersecurity

While executives recognize the importance of data privacy and cybersecurity, there is always room for improvement in vigilance. According to PwC’s 2023 Annual Corporate Directors Survey, cybersecurity ranked second (49%) in terms of risks posing oversight challenges to a company’s board. Most boards have devoted more time to cybersecurity in meetings, with additional up-skilling and third-party input aiding these efforts.

However, only 19% of survey participants reported adding a new board member with cybersecurity experience in the previous 12 months. CrowdStrike’s 2024 Global Threat Report warns that the “good-enough” approach to cybersecurity is no longer sufficient for modern threats. Companies must adopt a more rigorous and proactive stance to protect against increasingly sophisticated cyber threats.

Proactive Steps for Companies

Develop a Comprehensive Cybersecurity Plan

Companies must develop and maintain a comprehensive cybersecurity plan that includes regular updates and reviews. This plan should address potential vulnerabilities, incident response protocols, and employee training programs.

Invest in Advanced Security Technologies

Investing in advanced security technologies, such as AI-driven threat detection systems, can significantly enhance a company’s cybersecurity posture. These technologies can provide real-time analysis and response to potential threats, reducing the risk of cyberattacks.

Foster a Culture of Cybersecurity Awareness

Creating a culture of cybersecurity awareness within the organization is crucial. Regular training and awareness programs can help employees understand the importance of cybersecurity and how they can contribute to protecting the company’s assets.

Collaborate with Industry Peers and Government Agencies

Collaboration with industry peers and government agencies can provide valuable insights and resources. Engaging in industry groups and participating in government-led initiatives can help companies stay ahead of emerging threats and regulatory changes.

Preparing for the Future

As AI and cybersecurity regulation continue to evolve, companies must take proactive steps to ensure compliance and protect their assets. Staying informed about regulatory changes, aligning business units, fostering a culture of cybersecurity awareness, and investing in advanced technologies are critical strategies for navigating this complex landscape. Close collaboration between industries and the government will be essential to ensuring the security and fairness of AI applications in the future.