LinkedIn
Burges Salmon on Twitter
Summary
There is no doubt that Artificial Intelligence (AI) has been one of the hot topics in society for 2024; and similarly that cyber security has been a hot topic for the pensions industry in recent years. This article looks into the interaction between these two in the pensions context.
In essence, AI will have a significant impact on how schemes deal with cyber security – with it providing both risks and opportunities. This article is therefore relevant for all stakeholders within the industry.
If you are interested in how AI might impact AI in the pensions industry, feel free to check out the following article.
Hot topics
Cyber security is undoubtedly one of the most pressing topics in the pensions industry at present, with the Information Commissioner’s Office having seen a 4,000% increase in data breach reports (six in 2021/22 to 246 in 2022/23).
Similarly, AI, specifically Generative AI, has been arguably the hot topic of the last twelve months. AI was a particular topic of interest at last year’s Pensions and Lifetime Savings Association Annual (PLSA) Conference in October 2023, where the plenary talk on “Harnessing the Power of AI and the Tech Revolution” was the talk of the conference and its prominence is only going to grow. Unsurprisingly, AI is a recurring topic on the programme for the PLSA’s 2024 conference.
A question for pensions scheme stakeholders is: how are cyber security and AI linked in the context of pension schemes?
Given the recent publications of the “Call for views on the Cyber Security of AI” paper (24 May 2024) and the Information Commissioner’s ‘Learning from the mistakes of others’ paper (10 May 2024), the relationship between the two is clearly also a topic on the mind of the government and the ICO, too. Of course, Labour have taken power since the Call for Views was published back in May; but there seems little doubt that it remains high on the government’s list of priorities (e.g. with it having been mentioned early in the King’s Speech).
Managing AI data risk
The possibility of AI putting data at risk should be considered, whether you are an employer (with either your commercial or pensions hat on) or a pension scheme trustee. By way of an example, one of the AI platforms that many will be aware of will be the likes of ChatGPT. These are forms of ‘generative AI’, as you ask them something, and they generate content in response.
When using a generative AI platform, it will store the information input. This places the information at risk of being accessed. Therefore, trustees and employers (and their employees) should ensure to not input any confidential information (or anything they would not wish a stranger to see) into these platforms.
It is advisable for both the employer and scheme (as this becomes more relevant) to have policies in place to monitor and regulate how their employees use AI (especially generative AI) whilst at work and on workplace equipment.
Assisting with cyber breach detection?
The defining attribute of AI is its ability to analyse an extremely large volume of data. This analysis can be fine-tuned to look for particular words or trends.
Therefore, schemes could potentially use AI to detect attempted cyber attacks in future. This is already possible with various ‘threat-hunting’ technology. These platforms analyse past ‘threat detection logs’ to understand the warning signs for cyber attacks, proactively look for these warning signs, and then notify the relevant team should any risk be detected.
Similarly, AI could be used to detect potential vulnerabilities of members’ accounts; for example, should they have a commonly used password (such as, ‘password’) or one that could be commonly guessed (such as their date of birth).
The ICO’s report on ‘Learning from the mistakes of others’ explains that there have been “positive developments in effective analysis of user behaviours and email content”, which enable AI to be a useful tool for schemes to detect phishing attempts.
Assisting with prevention?
Upon the AI (or human team) detecting a potential cyber attack, it is also possible for AI to then assist with the prevention of the attack. This may be achieved either:
- Directly: by the AI preventing the cyber attack itself; or
- Indirectly: in the case of member passwords, by generating an email to the member notifying them of the risk and requesting action.
Key takeaways
AI presents a number of opportunities in the pensions industry and beyond, but also a number of risks. We anticipate that AI will disrupt the pensions industry significantly in due course; in particular on service provider products provided for the benefit of trustees, employers, and members.
For now, pension scheme stakeholders should start having AI conversations, in which they may consider:
- Whether it is appropriate to implement a policy on how AI is used (in particular, generative AI). For example, making it clear that no member data should be uploaded to Chatbots. For employers, you should consider this both from a pensions and non-pensions perspective.
- Whether to consider, either now or further down the line, investing in AI capabilities in order to detect and/or prevent your scheme being subject to a cyberattack.
Throughout this article, we have stated that AI could assist pension schemes with mitigating the risk of cyber attacks. It cannot – and likely will never – stop cyber attacks alone. You must combine any AI technology with proper policies, procedures, in-house knowledge and strong existing data protection measures, in order to minimise the risk of a cyber attack properly.
In our view, the starting point for pension scheme trustees, before implementing any AI options, is to understand how they can improve their cyber resilience through better governance. This will involve meeting the minimum requirements for cyber security under the Pension Regulator’s guidance (which was updated in December 2023) and under the General Code (took effect in March 2024).
To learn more about AI in pensions, feel free to listen to our podcast episode on the topic – here. Be sure to be on the lookout for more articles from us on how AI will impact the pensions industry over the coming months!
If you would like to discuss this topic further with us, please contact your usual Burges Salmon contact or enquire via Chris Brown, Samantha Howell, or Callum Duckmanton.
This article was written by Callum Duckmanton, Samantha Howell and Chris Brown.
"Currently, 47% of organisations who use AI do not have any specific AI cyber security practices or processes in place."
unknownx500
