Balancing Innovation and Risk Management: The General Counsel’s Role in Driving Digital Transformation
June 05, 2023
Cyber risks and threats related to advanced technologies such as artificial intelligence, blockchain, cryptocurrency and metaverse environments require oversight and guidance from the general counsel to ensure safe and effective implementation.
Advanced, emerging technologies provide exciting developments in terms of innovation and efficiency, but they also introduce new and evolving cybersecurity threats. Developments in artificial intelligence, blockchain, cryptocurrency, the metaverse and other areas offer tremendous untapped potential, but when left unprotected, their application can inadvertently create unexpected entry points for threat actors to exploit.
Pursuing digital transformation with cutting-edge technologies requires careful attention to technical due diligence, risk management and cybersecurity. While these may be viewed by some as barriers to progress, with a careful balance between being on the front end of technology adoption and protecting against potential cybersecurity hazards, organizations can safely drive innovation. General counsel play a critical role in ensuring this digital transformation happens safely and securely.
Where Advanced Technology Meets Cyber Risk
The recent popularity of AI has brought to light many use cases, and vulnerabilities, it creates for organizations. While allowing for benefits like workflow automation and virtual customer assistance, it also creates significant room for error, inaccuracies and cyber attacks that could endanger private and sensitive customer information.1 For example, AI systems can be vulnerable to adversarial machine learning attacks, where a threat actor can edit input data of the model, leading to a different output than intended.2 This alteration can cause a security system to make incorrect decisions or introduce new vulnerabilities.
Blockchain technology is an essential development for the digital transformation of supply chains, the financial sector, environmental, social and governance (“ESG”) tracking and other use cases. This technology can facilitate immutable, transparent and trustworthy tracking and sharing of countless data points. Yet the technology is not bulletproof to cyber risks. The decentralization and transparency that provides blockchain’s many benefits may also create openings for threat actors to gain access to information and systems, including consensus protocol threats, deficiencies in smart contract coding and privacy breaches.
The metaverse blends virtual and physical realities, and as it continues to expand and develop, so do the capabilities of threat actors in this space. Many metaverse applications collect large amounts of dynamic personal data from users (including biometric and granular private details) to build multi-sensory virtual experiences. This data could be very attractive to actors who may be motivated to steal it for nefarious purposes. Because the metaverse is still in its infancy, some applications may also use hardware and software that lacks strong security protections, all of which could lead to numerous cybersecurity, privacy or physical threats.
General counsel can engage in discussions with IT and technology development teams to conduct careful decision making about how data is handled in metaverse implementations. Considerations should include what resides in servers versus on chain, and the connection between those two. For example, biometric data may be stored off chain, but if it is connected to the metaverse, the connection point becomes a possible vulnerability. General counsel can prompt thinking around where that data sits, tokenizing it when possible so it’s protected, how and if it gets connected to the chain, etc.
Role of the General Counsel in Digital Transformation
When digital transformation accelerates ahead of strong data privacy, security and risk frameworks, the fallout can be severe. Ponemon’s Digital Transformation and Cyber Risk report found that 82% of IT security and C-level respondents had experienced at least one data breach because of security flaws in digital transformation activities. Such incidents may be a result of vulnerabilities in technology that was not assessed by legal and security together, exposures among third-party providers or M&A transactions that were pursued in support of transformation but not extensively evaluated for potential security risk.
Conversely, when organizations implement strong risk due diligence and follow privacy and security by design practices in their transformation initiatives, they can identify and plan for vulnerabilities before they create problems. With a risk-based approach, teams can tap into the full potential of digital innovation and progress, without increasing risk exposure. For example, during a large M&A transaction, FTI Consulting experts provided a large digital assets company with a detailed and verified technical audit of a target company, assessing its technology roadmap, infrastructure, security practices and other factors. This proactive, risk-based approach allowed the company to proceed with the purchase, which would fuel its innovation and growth plans, but in a manner that mitigated the possible risks and vulnerabilities.
The general counsel can and should work closely with IT and cybersecurity teams to achieve this. Each department should be adequately informed on digital transformation updates and be able to provide a unique perspective on benefits and risks. For example, general counsel can provide important guidance on the legal and regulatory implications of new technologies implemented at an organization. By partnering with cybersecurity and IT teams, general counsel can oversee proper safeguards are in place ahead of implementation to ensure any compliance or security issues are handled. Regularly sharing information will foster an environment that makes security across the enterprise a priority.
How to Implement Digital Transformation Securely
General counsel can take several practical steps to ensure all new and emerging technologies are implemented securely across an organization:
Collaborate and Encourage Discussion. Always involve the IT and cybersecurity teams, as well as other technical experts that bring domain expertise, when using new technologies. General counsel can establish regular touchpoints with involved departments to ensure proper communication and collaboration with digital transformation activities.
Ask Questions to Evaluate Risk. When evaluating risk and exposures in new technology for both third party and proprietary implementations, ask key questions to cover any security concerns.
- Have all necessary parties thoroughly vetted the technology?
- What will the technology be used for? Are there any compliance or regulatory concerns with this use?
- Have there been any reported security concerns with this technology? How can these be proactively accounted for?
Thoroughly Assess Third-Party Technologies. Third-party technologies can expose an organization’s data to additional vulnerabilities they possess. Conducting third-party risk assessments before introducing any outside systems into an organization’s networks allows potential risks to be mitigated prior to implementation.
Stay Informed. Technological advancements can present threat actors with the opportunity to gain access to an organization’s networks. Staying up to date on the latest news on threat actor innovations allows an organization to adequately prepare and avoid becoming the next target.
AI and other new emerging technologies provide great opportunities for efficient business growth and innovation, and they can be enhanced, rather than hindered, with proper cybersecurity controls. General counsel should bridge the gap between innovation and risk management by working closely with the IT, cybersecurity and technology teams to ensure smooth and secure digital transformation across the organization.
1: Tyler Weitzman, “Understanding The Benefits And Risks Of Using AI In Business” Forbes (March 1, 2023), https://www.forbes.com/sites/forbesbusinesscouncil/2023/03/01/understanding-the-benefits-and-risks-of-using-ai-in-business/?sh=5c727dc86bba.
2: Kerem Gülen, “AI and Ethics: Balancing progress and protection” Dataconomy (January 16, 2023), https://dataconomy.com/2023/01/16/artificial-intelligence-security-issues/.