Corporate Risk Radar
In the third episode of the Corporate Risk Radar Podcast Series, host Eva Maria Barbosa explores the risks associated with artificial intelligence (AI) and cyber security, both raised as major C-suite concerns in Clyde & Co’s Corporate Risk Radar research. For this discussion, Barbosa is joined by Jan Spittka, a Partner in the Düsseldorf office with extensive experience in data privacy and cybersecurity matters, and Paul Malek, a Partner in the Düsseldorf office and market-leading expert on cyber insurance and cyber risk, spanning data breaches, liability, and business interruption issues.
AI and cyber were identified as the top two technology risks amongst the C-suite in the Corporate Risk Radar research, and the guests kick off by discussing how this aligns with their experience and how cyber-attack and defence strategies have developed in recent years. The conversation shifts to the current hype around AI and the challenge of balancing opportunity with managing significant risks. To conclude, the guests provide advice on how to respond following a cyber-attack, and a review of how upcoming regulations will impact cyber and AI strategies going forward.
Malek states that it is “absolutely reasonable” that cyber is a key focus for board members, explaining that while incidents have decreased slightly in frequency, they have become more aggressive and targeted. Spittka agrees, adding that actors are quick “to adapt to newly implemented defence and resilience strategies,” with new threats such as the exfiltration of data causing significant data protection issues, including a worst-case scenario where data “ends up in a publicly accessible breach database.”
Shifting focus to AI, Spittka says that the rise of large language models (LLMs) such as ChatGPT has “triggered the interest of various types of regulators” and is “a double-edged sword” which “brings a lot of opportunity but is not free of regulatory restrictions.” Organisations must be aware that AI can be used both for and against them, for example to improve cyber security, as well as by threat actors to increase their offensive capacities. Consequently, it is a key area for insurers to consider going forward.
When asked to describe the impact of a cyber-attack, Malek likens it to “a fire all through the company for two weeks, in all locations, in all offices, in all countries,” with the potential for high damages and costs. He advises that organisations need diverse, dedicated expertise to bring the situation under control and establish the facts, before notifying relevant regulators. In the EU this must happen within 72 hours and, where personal data is involved, customers must also be notified.
Spittka outlines the data protection implications of AI, where the technology is trained on personal data or used for decision-making relating to individuals. Regulation requires organisations to be transparent about the logic behind these systems and this presents challenges, particularly if an organisation hasn’t trained the system: “When looking at AI models, often it's not clear how they actually work and function,” says Spittka. And organisations must be prepared for even greater regulation, with the EU AI Act set to introduce further limitations and obligations, along with new administrative and enforcement requirements.
Cyber security also has upcoming regulation to be aware of and Malek outlines the impact of the EU Network and Information Security Directive (NIS2 directive), which must be rolled out in member states by October 2024. Impacting around 160,000 companies, he says it will “bring a lot of new standards and minimum rules for cyber security.”
The most important takeaway for listeners? For Spittka, organisations should “always keep data protection, digital regulation and cyber securities in mind when developing or purchasing new systems, because every euro spent at this stage is a euro saved later.” Malek echoes this sentiment, encouraging business leaders to act before it’s too late: “Coming into the office one day and seeing nothing is working, we got hacked… prepare for this scenario.”