To help financial firms understand and mitigate the risks posed by implementing generative AI, FS-ISAC has published step-by-step guidance titled More Opportunity, Less Risk: 8 Steps to Manage Financial Services Data with GenAI.
“GenAI presents enormous opportunities for financial firms to improve business operations, provide better customer service, and even improve their cybersecurity posture,” said Michael Silverman, Chief Strategy & Innovation Officer, FS-ISAC.
“However, just like any new technological development, GenAI increases security risks when it’s not leveraged in a safe and compliant manner. This guidance allows financial institutions to experience the positive offerings of GenAI by outlining the risks and corresponding steps to mitigate the threats.”
Developed by FS-ISAC’s Artificial Intelligence Working Group, the guideline outlines eight foundational steps to developing an effective data governance approach that harnesses the benefits of GenAI while remaining compliant with security standards:
- Consider your risks: Many of the risks associated with traditional data governance can be exacerbated by GenAI. Developing policies, technical controls, clear roles and responsibilities, and accountability metrics, among other steps, can shed light on risks, gaps, and opportunities.
- Data selection criteria: Using datasets requires an accountable, cautious approach with constant oversight. Develop a clear path for data selection, then conduct periodic risk testing to make sure the controls to protect the datasets are working as intended.
- Create and maintain a data lineage inventory: Strong access controls, data sanitization practices, and accurate data classifications are necessary to counteract concerns around data lineage and traceability.
- Be disciplined with data access and authorization: GenAI training data should be segregated and access restricted to ensure models are training on the correct data. Establish a regular review cadence of datasets and their access.
- Obsessively protect your customers’ data: Security techniques including differential privacy, encryption in transit and at rest, data sanitization, and sandboxing should be leveraged to maintain the confidentiality, integrity, and availability of sensitive information.
- Use best practices when building effective test plans: Generate baselines for model testing and leverage cross-sector data sharing to ensure adequate coverage across a domain. Understanding the reliability and completeness of underlying data allows for stronger model testing with fewer limitations.
- Keep current on model vulnerabilities: Fundamental data governance security practices combined with basic cybersecurity hygiene can alleviate vulnerabilities created by the growing threat landscape.
- Require your vendors’ transparency on your data storage: Establish transparent communication with all vendors to ensure activities are compliant with regional and international requirements, as well as the firm’s internal security standards.
GenAI use cases and risks are still evolving, and while GenAI offers great potential for financial services processes, the sector has many concerns about data security, usage, privacy, and compliance. This report is designed to help financial institutions assess their needs and determine a secure and effective approach to using GenAI in data governance.
The report is available for download here.
