Cybersecurity
With the promise of revolutionary benefits, AI also presents dramatic cybersecurity risks that organizations need to rapidly identify and systematically mitigate. Cybersecurity is already evolving from a tangential business consideration into a key component of business operations, especially in the wake of highly disruptive cyberattacks such as supply chain compromises and ransomware incidents. AI is turbocharging those risks, and regulators are taking note.
Key legal risks / issues
1. Data breaches: Threat actors are not only using AI to advance traditional cybersecurity threats like phishing; AI tools themselves process trade secret or other confidential information, including personal information, which becomes a potential target, especially for extortion-based attacks. AI tools may also have vulnerabilities that attackers can exploit, exposing organizations to the risk of a data breach. The average cost of a data breach in 2023 was $4.45 million.[1]
2. Model poisoning: AI ingests huge troves of data to build a model of expected outputs. If the model is poisoned by feeding it bad data, the outputs will be bad too (the GIGO, or "garbage in, garbage out," problem). A poisoned AI model could produce bad code that leads to exploitable vulnerabilities. It could also produce inaccurate research or discriminatory results that expose the organization to additional legal risk.
3. Data leakage: As noted above, AI models are generated from the data they ingest. If employees "feed" a public AI tool sensitive or confidential data, the tool may incorporate that data into its model and return it to outside parties as the output to a query.
4. Deepfake-enabled fraud: Fraudsters are leveraging AI to create convincing deepfakes, or digital impersonations of real people, to advance their fraudulent schemes. Specifically, they are creating digital replicas of C-suite executives and using them to direct unwitting employees to wire money to criminal-controlled accounts.
[1] IBM Security & The Ponemon Institute, The 2023 Cost of a Data Breach Study: Global Overview (2023), available at https://www.ibm.com/security/data-breach.
Actions for consideration
1. Risk assessments: Organizations should conduct risk assessments of any AI tool to identify potential vulnerabilities that the tool may introduce to their systems or data. Risk assessments are a key component of a risk management program and are increasingly becoming a regulatory requirement.
2. Defense-in-depth information security program: Organizations should employ multiple layers of security measures to protect their assets. Legal should be involved in the process of reviewing and approving cybersecurity policies and procedures. These measures should include means of detecting and mitigating risk from deepfake-enabled fraud (like unique phrases or code words to verify speakers).
3. AI auditing: Legal teams should ensure that AI tools are audited for reliability, accuracy, and potential bias in their results.
Related contacts
Michael Bahar
Co-Lead of Global Cybersecurity and Data Privacy E: michaelbahar@eversheds-sutherland.com T: +1 202 383 0882
Paula Barrett
Co-Lead of Global Cybersecurity and Data Privacy E: paulabarrett@eversheds-sutherland.com T: +44 20 7919 4634
© Eversheds Sutherland. All rights reserved.