The Securities and Exchange Commission (SEC) recently announced new rules on July 26, 2023, mandating that public companies report any significant cybersecurity incidents they experience. This landmark change aims to increase transparency for investors, necessitating a new level of scrutiny and consistency in the handling of cybersecurity incidents. With the growing prevalence of AI systems and their unique attack surfaces, these rules present both challenges and opportunities for public companies looking to adopt next generation AI.
The SEC’s New Rules: Focusing on Cybersecurity Risk Management
Under the added Regulation S-K Item 106, the SEC expects registrants to outline their methods for identifying, assessing, and managing cybersecurity threats. Companies are also required to explain how their board of directors oversees these risks and the expertise of management in handling them. This directive places a clear responsibility on businesses to develop robust cybersecurity strategies, particularly as they relate to AI systems.
Deciphering the Complexities and Opportunities of AI Systems
At Mantium, we appreciate the unique complexities AI systems introduce: technical vulnerabilities, reputational threats, and compliance risks. However, we’re also cognizant that with innovative solutions, these challenges can be overcome.
At Mantium, we understand the diverse risks that AI systems bring to the table: technical vulnerabilities, reputational hazards, and compliance risks. But we also know that these challenges are not insurmountable. In response, we have developed innovative solutions like Chirps, an open-source project that aids organizations in identifying sensitive information in vector databases. Chirps is especially useful for Retrieval Augmented Generation (RAG) systems, enabling enterprises to make their documentation available to AI systems for generating accurate and relevant responses.
As organizations grapple with the task of managing and safeguarding sensitive data, Mantium steps in as a trusted partner. Our state-of-the-art solution, engineered for next-generation AI RAG systems, enables granular control over data. This empowers your organization to assign permissions based on data types or individual entries, providing enhanced security and control. Coupled with comprehensive audit and logging features, this means not only secure usage of AI systems but also readiness for regulatory audits and disclosures. This strategic advantage allows for a more confident, transparent, and resilient posture in this new regulatory environment.
Navigating Potential Scenarios: PII and HIPAA Data
One scenario demonstrating the necessity for these safeguards involves personally identifiable information (PII) contained within vector databases. With many conventional systems, anyone with access to the chat interface could potentially query and retrieve this sensitive data, posing significant privacy and compliance risks. However, with Mantium’s solution, organizations can restrict access to such PII data, ensuring only authorized users can access it.
Another critical scenario concerns HIPAA (Health Insurance Portability and Accountability Act) data within an insurance company. It’s not uncommon for an underwriter to require access to a person’s medical information as part of the policy issuance process. In this case, only the underwriter actively working on the policy should have access to this information. By utilizing Mantium’s granular data control solution, insurance companies can manage access to sensitive health data, ensuring only authorized individuals have access and that their activity is closely monitored.
In both scenarios, our innovative approach ensures compliance with regulations, mitigates risk, and protects sensitive information, aligning with the SEC’s new directives on cybersecurity disclosures.
Understanding the AI Attack Surface
In light of the expanding cyber risk landscape, understanding potential vulnerabilities is crucial. NVIDIA’s AI Red Team has proposed a broad attack surface for AI systems, which outlines various potential vulnerabilities and tactics for mitigating them. Mantium leverages this and other insights to continuously refine our security strategies and protect our AI solutions.
Questions to Consider:
As your organization begins to adopt generative AI and puts next generation AI systems into production, it is prudent to consider the following:
- Enumeration/Reconnaissance: Can your organization identify enumeration or reconnaissance for Language Model (LLM) API endpoints? Understanding the traffic patterns and unusual activities at these points is essential in identifying and mitigating potential cyber threats.
- Data Protection: Do you have robust controls in place to protect sensitive data? Whether it’s PII, HIPAA data, or other classified information, data security should be at the forefront of your cybersecurity strategy, especially in AI-based systems.
- Compliance Audit: Can you provide evidence to your compliance auditors that your vulnerability detection programs cover next-generation AI systems? It’s essential not only to detect potential vulnerabilities but also to demonstrate that issues are correctly remediated.
- Responsibility: Who is responsible for information security as next-generation AI systems are integrated into the enterprise? It could be your security team, the data science team, or ML Ops. Clear delegation of roles and responsibilities ensures seamless collaboration and effective management of security risks.
These questions serve as a guidepost to help you navigate the increasingly complex landscape of AI and cybersecurity. As always, at Mantium, we are here to assist you with cutting-edge solutions to address these challenges and meet the requirements of the new SEC rules. Let us help you secure your AI systems and protect your valuable data.
Follow us
ABOUT THE AUTHOR
Subscribe to the Mantium Blog
SubscribeMost recent posts
Enjoy what you're reading?
Subscribe to our blog to keep up on the latest news, releases, thought leadership, and more.