This article was originally published in August 2023 on Medium. 

Create a trusted environment and strict access controls — Because the risk of a data leak lands primarily at the application layer, security professionals recommend building a custom front end to replace the ChatGPT interface to provide an added layer of protection. Limit access to the data to only those who need to see it.

Compliance with regulatory standards and industry-specific guidelines for product security is an indispensable part of cybersecurity. In an age where malicious AI poses a significant threat, how do organizations ensure their product security strategies are not just effective, but also fully compliant? As a part of this series, I had the pleasure of interviewing Jennifer Wilson.

Jennifer Wilson is the SVP, National Cyber Practice Lead at Newfront. Jennifer brings with her over 26 years of experience in the industry, primarily in specialty coverage, claims, and risk management.

As the National Cyber Lead at Newfront, Jennifer directs the marketing, placement and claims management of Cyber Risk and Technology E&O insurance. She works with clients to identify and understand their cyber risk exposure, while recommending ways to best mitigate these risks and negotiate broadest terms available in the cyber insurance marketplace.

Jennifer’s team focuses on all aspects of cyber risk, including policy form negotiation, pre-loss services, vendor selection, coverage review and advocacy, litigation management, education and training, predictive modeling, and contractual risk transfer.

Jennifer is regularly engaged with the cyber risk insurance community to address coverage available, overall market conditions and the impact to cyber risk insurance placements, including the rapidly evolving threat landscape.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Is there a particular story that inspired you to pursue a career in cyber? We’d love to hear it.

Mybackground is in complex claims management. This includes employment practices liability (EPL). Prior to the pandemic, we saw a significant increase in cyber claims, which required more hands on claims advocacy as well as client coverage, education, and training in this area. When the pandemic hit, and we were thrust into a remote work environment, I recognized that we were in a crisis scenario with respect to cyber claims. As a result, I offered to take on the management of cyber claims. This evolved into a similar demand for client education, training, and coverage, but on a much larger scale. The onslaught of claims to the industry was something that has never happened in the history of cyber. We all lived it, so there is no need to go into details. This role evolved into a management position overseeing the coverage negotiation and placement of the policies as well as cyber claims.

Can you share the most interesting story that happened to you since you began this fascinating career?

The evolution of cyber insurance is fascinating, especially following the pandemic. The leaders in the industry learned their specialty during a soft market, and after the pandemic and crisis in cyber, we had to learn a completely different way of providing insurance solutions in the cyber space. Overnight we all had to become well-versed in cyber security. It wasn’t enough to know the coverage terms, conditions, and market, we had to learn an entirely new discipline with network security, and we had to learn it immediately. In the blink of an eye, terms like MFA, EDR, and MDR became our daily vernacular, and we then had to bring our clients up to speed.

You are a successful leader. Which three character traits do you think were most instrumental to your success?

1. I have enjoyed a varied career within insurance and made strategic pivots along my journey. I learned how to identify a specific need at a company (wherever I was working) and offer a solution. A perfect example was with cyber. I saw the need for claims expertise and offered a solution that proved invaluable to our clients, which translated into value for the company. I’m not sure what you’d call the character trait — perhaps you could just classify it as a problem solver -but it is something that I’ve done my entire career, and it has offered me tremendous growth and opportunity.

2. I’ve never been afraid to challenge myself or to try something new. Every role that I’ve taken has been something new and something that I didn’t have prior experience in but had an interest in and was willing to learn and train up quickly. I guess you’d call that an ability to stretch, grow, and take a risk.

3. I am a reluctant leader. I work well autonomously and have not been interested in management. However, due to the high demand in cyber, it was necessary that I hire and manage a team to support the effort. What I have learned in the process is that I genuinely enjoy leading a team, and I’m very good at hiring well. I have an exceptional team here at Newfront. While we are all very different, I’ve discovered that we all share common traits — we take pride in our work; we strive to be the best that we can be; we are collaborative, we want to see our teammates succeed, and we all excel in client service. Some are introverts, some extroverts, some methodical, others impulsive, but we share some key traits that make us work like magic together.

Are you working on any exciting new projects now?

I need to take this question to a higher level. Newfront is working on some very exciting projects that will revolutionize the industry. Newfront’s focus on AI and machine learning is turning an industry that has been mired in paper for decades and turning on its head. I’m so proud to be a part of an organization that is focused on digitizing the insurance experience.

How do you think that will help people?

Newfront is going to streamline the insurance process to provide our clients with a much more efficient, accessible, and exciting insurance experience. When was the last time you heard someone describe insurance as exciting?

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. How does the emergence of malicious AI threats impact compliance requirements for organizations? Are there specific regulations or standards that address the unique challenges posed by AI-related security threats?

The emergence of AI has presented ample opportunities for organizations to lead with efficiency, accuracy, and digital advancement. However, to your point, there is also a downside to AI as it has also brought those same benefits to threat actors, which increases an organization’s exposure to cyber risk. There are a number of standards that have addressed the risk of AI in the past, including the National AI Initiative Act of 2020, The National Security Commission on Artificial Intelligence recommendations, and the Plan for Federal Engagement in Developing Technical Standards and Related Tools.Recently, the National Institute of Standards and Technology (NIST) has taken a front seat in introducing AI cybersecurity compliance practices. In January 2023, NIST presented the Artificial Intelligence Risk Management Framework (AI RMF 1.0), which is intended to be a working document with recommended cybersecurity standards and practices for organizations to follow. The framework will be reviewed and updated by experts in the industry and adapted as AI technology evolves, with the expectation of a formal compliance document by 2028.

Can you provide an example of a compliance framework or approach that organizations can adopt to effectively address security concerns arising from malicious AI? How does this framework help organizations mitigate risks and stay compliant?

NIST warns that AI risks should not be addressed as isolated but rather should be considered along with cybersecurity and privacy risks which will yield a much broader and more efficient approach to security. Additionally, it is critical to combine both network security tools with employee cyber hygiene best practices.Starting with the framework guidelines of Identify, Protect, Detect, Respond & Recover is the first step toward effective security, followed by the AI RMF Core of Govern, Map, Measure, Manage.

In the context of compliance and regulatory requirements, what are the key considerations for organizations when deploying AI systems? How can organizations ensure that their AI deployments align with relevant compliance standards and guidelines?

As this technology grows, it is important for organizations to adapt to the ever changing risk. The tools that are relevant today will be outdated in a year.

Are there any specific compliance challenges that organizations commonly face when dealing with malicious AI threats? How can these challenges be overcome, and what steps can organizations take to enhance their compliance efforts in this area?

Similar to the question above, one of the key factors that organizations face is keeping up with the evolution of AI. Security tools are on a fast track that shifts as quickly as AI technologies do. What works to help protect from AI attacks today will be quite different a year from now. This is why the NIST AI RMF is considered a working document. It is expected to change and adapt as the technologies evolve.

Collaboration between compliance teams and cybersecurity professionals is crucial in ensuring effective security measures against malicious AI. How can organizations foster collaboration between these two teams to address AI-related threats while maintaining compliance with relevant regulations?

The SEC has been contemplating requiring cybersecurity credentials for board members of publicly traded companies. This is an attempt to make sure that decision makers are well versed in cyber security, but I think this requirement falls short of the intent. What the compliance teams and cybersecurity professionals need is collaboration between the executive team and the board. Prior to the pandemic, cybersecurity professionals were given minimal budgets to protect the companies’ assets. Following the pandemic and insurance requirements of baseline cyber security, executives were forced to invest in much more comprehensive security tools in order to obtain insurance. This brought cyber security to the top of the conversation for the first time. Moving forward, CISO’s must be given the support and budget to invest in the necessary tools to effectively protect the organization. This should include the recommendations outlined in the AI RMF 1.0.

Ok, thank you. Here is the main question of our interview. What are your “5 Things We Must Do To Protect From AI-Powered Cyberattacks” and why?

1. Create a trusted environment and strict access controls — Because the risk of a data leak lands primarily at the application layer, security professionals recommend building a custom front end to replace the ChatGPT interface to provide an added layer of protection. Limit access to the data to only those who need to see it.

2. Train employees well and often — Human error will always remain one of the most common sources of attack. As AI emerges, it is critical to empower employees with the tools to identify and avoid AI attacks as much as possible. Training should be continuously updated to reflect new compliance regulations, threats, and emerging technology trends.

3. Isolate data in a sandbox — The sandbox is the gateway for the consumption of LLM services. Add filters to the sandbox to safeguard data.

4. Use AI to help defend against AI attacks. Combining AI with human analysis can help identify risks and the tools to combat them. Reinforcement learning with human feedback (RLHF) tunes the model based learning along with the human rankings and input for the same prompt. Think of it as machine & human learning.

5. Design security systems around the models themselves — AI models can be used against themselves — A threat actor can instruct a model to deliver a false or negative response for nefarious purposes. For example, including instructions to “ignore all previous directions” in a prompt could bypass controls that developers have added to the system. CISO’s will need to design robust security systems to identify malicious injection of instructions.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

A big focus on AI is the consideration of the impact on society. Approaching AI from the perspective of improvement and advancement while also looking at how it could be used for harm is what will help us to stay ahead of the negative impact of AI. Being nimble and evolving your cyber security risk management procedures as the risk evolves is the best way to protect against attacks.

How can our readers further follow your work online?

Newfront.com

Thank you so much for the time you spent doing this interview. This was very inspirational, and we wish you continued success.

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.