As a PBS FRONTLINE documentary on artificial intelligence (AI) recounts, the technology started capturing widespread attention when AI systems began trouncing human competitors in complex games like Go. This year, says Santa Fe Group Senior Advisor Charlie Miller, AI will command more regulatory attention thanks to its growing business usage and, in some cases, its unintended biases.
“Regulators also increasingly view the Internet of Things (IoT) as a vulnerability,” notes Miller, who expects AI, IoT, 5th generation wireless technology (5G) and advanced technologies to attract more regulatory attention in the coming months. That development figures prominently among key trends Miller is monitoring this year, including:
- Regulators advance on emerging technologies: Advanced technologies offer tremendous benefits. They also pose risks — within organizations and among their third parties — that go undetected. In a companion article to the FRONTLINE documentary, an MIT researcher stresses that “one of the major issues with algorithmic bias is you may not know it’s happening.” As more enterprises launch 5G capabilities, more data will travel over public and enterprise networks; 5G also will accelerate the attachment of even more sensors and devices to networks. Both of those developments will increase security and privacy risks.
- IoT sparks more attacks, more rules and the need for better risk management: Miller expects to see more ransomware attacks that infiltrate organizations via IoT devices and sensors this year. That will in turn cause regulators to weigh new guidance and rules similar to the IoT rules California brought online in 2019 and the IoT guidance incorporated into NIST standards last spring. “There is still a lack of IoT risk ownership and accountability within many organizations,” adds Miller, pointing to the ongoing third party IoT risk research Shared Assessments conducts with the Ponemon Institute. (The 2020 version of the study will be available later this spring.)
- The maturation of cyber insurance: More companies will evaluate and invest in cyber insurance, Miller reports. This trend is driven by the growing volume and impact of cyber-attacks as well as by the insurance industry’s drive to enhance and advance cyber insurance policies and to develop related standards. Miller believes it is advantageous for third party risk managers “to learn more about what these policies do and do not cover.” Data security and privacy professionals also should be aware that insurers offering cyber policies are intensifying their scrutiny of customers’ information-security hygiene and upgrading their cyber-risk quantification approaches (which link to policy pricing). “They’re going to do a lot more digging when it comes to assessing a company’s cyber hygiene,” Miller says.
- Changes heating up in the insurance industry: Given its highly regulated nature, the policies it offers and the risks it assesses, the insurance industry is worth watching from a third party risk management perspective. Miller monitors the industry, and he expects insurers to enhance their focus on location risks, concentration risks and pandemic exposure throughout global supply chains. He also expects regulators to take a closer look at insurers’ autonomous behavior-monitoring programs, such as those used to tailor policies and reduce insurance premiums.
- Continuous monitoring continues to expand: A broader form of autonomous oversight — continuous monitoring — figures as a crucial component of a thriving third party risk management capability. Miller encourages TPRM professionals to develop and deploy a consistent approach to continuous monitoring practices — a challenge that the Shared Assessments Program Continuous Monitoring Working Group is currently undertaking.
Continuous monitoring requires ongoing updates, in large part because the amount of data that needs to be actively monitored and managed continues to increase dramatically thanks to the rapid adoption of IoT and other advanced technologies that expand cyber threats. The speed of that adoption poses a problem, Miller notes, because risk management practices are not keeping pace. “For example,” he adds, “our research shows that the governance structures around IoT are not improving quickly enough.”