It has been a month since the Mythos moment hit the planet. Anthropic’s new AI model has prompted policymakers and regulators in each country to introspect and revisit cyber risk assessment and management. Each seems to be in a huddle with the institutions it regulates, taking stock of their assets and evaluating the preparedness needed to combat the emerging risks. What sets this AI model apart is its ability to find software vulnerabilities and either fix them (if deployed as a defender by an organisation) or exploit them (if deployed by a malicious hacker).
India’s central bank has apparently been pursuing this seriously, with many in the sector seeing it as working towards guidelines. These could well cover not just AI but also the governance around AI. The expectation is that they could perhaps include elements of training and the migration of people from existing systems to more sophisticated tech architectures.
M Nagaraju, Secretary, Department of Financial Services (DFS), Ministry of Finance, in his address to bankers on Thursday, May 7th, cautioned them against emerging cyber vulnerabilities and advocated governance led by senior management to cultivate a pervasive risk culture by equipping Chief Risk Officers (CROs) with the requisite independence and resources.
Against the backdrop of these concerns, leading bankers in the country, not wanting to be named, point to useful pointers from Singapore on ways to give cyber defenders an edge over the attackers. Speaking in Parliament, Tan Kiat How, Singapore’s Senior Minister of State for Digital Development and Information, underlines the seriousness of the challenges. He feels this is too serious an issue to be delegated to the IT teams alone; it warrants board-level attention and involvement.
Given that the window between the discovery of a vulnerability and its exploitation by attackers is rapidly narrowing, it is crucial that organisations revisit their cybersecurity risk assessment and suitably update their systems.
Explaining why losing track of the assets on hand could cause serious harm in these times, he urges every organisation to be completely aware of its entire asset inventory. The reason is that breaches typically begin at unmanaged assets. It could be just a forgotten internet-facing system or a third-party dependence that has been overlooked. His argument is that an organisation cannot defend what remains unnoticed.
Continuous monitoring is to be the new mantra, given the dwindling time gap between a vulnerability's disclosure and its exploitation. Organisations' governance of their own use of AI could also prove crucial since AI tools often introduce new vulnerabilities, especially when connected to sensitive data or to critical systems.
While many bankers in India see merit in these measures, they also feel a concerted effort to raise awareness could go a long way in prompting organisations to seek, if not build, robust cyber defences.



