8 steps to secure GenAI integration in financial services
GenAI offers financial services institutions enormous opportunities, particularly in unstructured dataset analysis and management, but may also increase security risks, according to FS-ISAC.
GenAI can organize oceans of information and retrieve insights from it that you can use to improve business operations, maximize your markets, and enhance the customer experience. Those GenAI-analyzed datasets can turn up information about fraud, threats, and risks, which present remarkable security opportunities.
“GenAI presents enormous opportunities for financial firms to improve business operations, provide better customer service, and even improve their cybersecurity posture,” said Michael Silverman, Chief Strategy & Innovation Officer at FS-ISAC. “However, just like any new technological development, GenAI increases security risks when it’s not leveraged in a safe and compliant manner.”
FS-ISAC outlines eight foundational steps to developing an effective data governance approach that harnesses the benefits of GenAI while remaining compliant with security standards.
Consider your risks
GenAI can amplify many of the risks associated with traditional data governance. Developing policies, technical controls, clear roles and responsibilities, and accountability metrics, among other steps, can expose risks, gaps, and opportunities.
Interviewing your current data governance team and individual data stewards may surface more of them. Understanding those risks in aggregate will be important as you develop your policies, standards, and processes.
Data selection criteria
Using datasets requires an accountable, cautious approach with constant oversight. Develop a clear path for data selection, then conduct periodic risk testing to make sure the controls to protect the datasets are working as intended.
Privacy regulations must be part of the criteria – the privacy rights of the customer/client are paramount, and customers may request that their data be forgotten. That means you must be able to trace where and how each customer’s data has been used.
Create and maintain a data lineage inventory
Strong access controls, data sanitization practices, and accurate, dynamically maintained data classifications are necessary to counteract concerns around data lineage and traceability, especially when LLMs handle PII or are used for customer decisioning.
In addition, companies must be able to identify and resolve missing data classifications for their datasets.
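Two of the steps above call for the same artifact: a lineage inventory that can report which datasets still lack a classification, and that can trace where one customer's records have flowed (the "right to be forgotten" tracing the data selection step requires). The following is an added example of such an inventory, not FS-ISAC's or any vendor's tooling; the dataset names, classification labels, customer identifiers and training runs are constructed for the illustration.

```python
"""Data lineage inventory with classification checks and customer-data tracing.

Added illustration (not FS-ISAC's tooling). Dataset names, classification
labels, customer identifiers and training runs are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Classification labels the inventory accepts; anything else counts as missing.
VALID_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}


@dataclass
class Dataset:
    name: str
    classification: Optional[str]          # None means nobody has classified it yet
    contains_pii: bool = False
    sources: List[str] = field(default_factory=list)   # upstream dataset names
    customer_ids: Set[str] = field(default_factory=set)


@dataclass
class TrainingRun:
    run_id: str
    model: str
    datasets: List[str]


class LineageInventory:
    def __init__(self) -> None:
        self.datasets: Dict[str, Dataset] = {}
        self.runs: Dict[str, TrainingRun] = {}

    def register(self, ds: Dataset) -> None:
        # Refuse edges to datasets nobody has registered: lineage must be complete.
        for src in ds.sources:
            if src not in self.datasets:
                raise ValueError(f"{ds.name}: unknown upstream dataset {src}")
        self.datasets[ds.name] = ds

    def record_run(self, run: TrainingRun) -> None:
        for name in run.datasets:
            if name not in self.datasets:
                raise ValueError(f"{run.run_id}: unregistered dataset {name}")
        self.runs[run.run_id] = run

    def missing_classifications(self) -> List[str]:
        """Datasets with no classification or one outside the approved labels."""
        return sorted(n for n, d in self.datasets.items()
                      if d.classification not in VALID_CLASSIFICATIONS)

    def downstream(self, name: str) -> Set[str]:
        """Every dataset derived (transitively) from `name`, excluding itself."""
        found: Set[str] = set()
        stack = [name]
        while stack:
            cur = stack.pop()
            for n, d in self.datasets.items():
                if cur in d.sources and n not in found:
                    found.add(n)
                    stack.append(n)
        return found

    def trace_customer(self, customer_id: str) -> Dict[str, List[str]]:
        """Where a customer's records went: datasets that hold them directly,
        datasets derived from those, and the training runs that consumed any
        of them. This is the list an erasure request has to work through."""
        direct = {n for n, d in self.datasets.items() if customer_id in d.customer_ids}
        derived: Set[str] = set()
        for n in direct:
            derived |= self.downstream(n)
        touched = direct | derived
        runs = sorted(r.run_id for r in self.runs.values()
                      if touched.intersection(r.datasets))
        return {"direct": sorted(direct),
                "derived": sorted(derived - direct),
                "runs": runs}


def build_sample_inventory() -> LineageInventory:
    """Constructed sample: a raw transactions feed, a derived feature table
    that was never classified, a public reference dataset and two training runs."""
    inv = LineageInventory()
    inv.register(Dataset("raw_transactions", "restricted", contains_pii=True,
                         customer_ids={"C1001", "C1002"}))
    inv.register(Dataset("txn_features", None, contains_pii=True,
                         sources=["raw_transactions"]))
    inv.register(Dataset("fx_rates", "public"))
    inv.record_run(TrainingRun("run-01", "fraud-llm", ["txn_features", "fx_rates"]))
    inv.record_run(TrainingRun("run-02", "rates-summarizer", ["fx_rates"]))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("unclassified:", inv.missing_classifications())
    print("C1001 trace:", inv.trace_customer("C1001"))
```

Running it reports `txn_features` as unclassified even though it inherits PII from a restricted source, and the trace for C1001 shows the customer's data reaching training run `run-01` through the derived feature table, which is exactly the path a periodic risk test or an erasure request has to cover.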
Be disciplined with data access and authorization
GenAI training data should be segregated and access restricted to ensure models are training on the correct data. Establish a regular review cadence of datasets and their access.
To ensure GenAI technologies produce the intended outputs, training data needs to be clearly segregated, with access restricted, so that models do not accidentally train on incorrect data; the architecture of the model needs to account for this segregation, too.
Controlling access to model parameter tuning is just as important as controlling access to training data or embeddings, as model parameter tuning can impact the outputs generated by these models.
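The access discipline described in this step, deny by default, segregated training and production data, a separate gate on parameter tuning, and grants that lapse unless re-reviewed on a cadence, can be written down as a small policy engine with an audit trail. The code below is an added example and not FS-ISAC's or any product's implementation; the roles, action names, the `train:`/`prod:` tag scheme and the 90-day review interval are assumptions chosen for the illustration.

```python
"""Deny-by-default authorization for GenAI training data and parameter tuning.

Added illustration, not FS-ISAC's or any vendor's code. Roles, action names,
the dataset tag scheme and the review interval are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Set

REVIEW_INTERVAL = timedelta(days=90)   # assumed cadence: grants lapse unless re-reviewed

# Actions that change what a model learns or outputs; flagged separately in the audit log.
PRIVILEGED_ACTIONS = {"write_training_data", "tune_parameters", "write_embeddings"}


@dataclass(frozen=True)
class Grant:
    role: str
    action: str
    scope: str             # dataset tag the grant applies to, e.g. "train:fraud"
    last_reviewed: date


@dataclass
class Resource:
    name: str
    tag: str               # segregation label: "train:<domain>" or "prod:<domain>"


@dataclass
class Policy:
    grants: List[Grant] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)

    def decide(self, principal: str, roles: Set[str], action: str,
               resource: Resource, today: date) -> bool:
        """Allow only if one of the principal's roles holds a matching, unexpired grant."""
        allowed, reason = False, "no matching grant"
        for g in self.grants:
            if g.role in roles and g.action == action and g.scope == resource.tag:
                if today - g.last_reviewed > REVIEW_INTERVAL:
                    reason = f"grant for {g.role} not reviewed since {g.last_reviewed}"
                    continue            # a stale grant does not count
                allowed, reason = True, f"grant {g.role}/{g.action}/{g.scope}"
                break
        # Every decision is logged, so the periodic review has something to read.
        self.audit.append({"principal": principal, "action": action,
                           "resource": resource.name, "allowed": allowed,
                           "reason": reason,
                           "privileged": action in PRIVILEGED_ACTIONS})
        return allowed

    def stale_grants(self, today: date) -> List[Grant]:
        """Grants overdue for review: the worklist for the review cadence."""
        return [g for g in self.grants if today - g.last_reviewed > REVIEW_INTERVAL]


def build_sample_policy() -> Policy:
    """Constructed sample: data scientists may read the fraud training set,
    analysts may read production scores, and only the model-owner role may
    tune parameters, but that grant was last reviewed months ago."""
    return Policy(grants=[
        Grant("data_scientist", "read_training_data", "train:fraud", date(2024, 5, 1)),
        Grant("model_owner", "tune_parameters", "train:fraud", date(2024, 1, 10)),
        Grant("analyst", "read_training_data", "prod:fraud", date(2024, 5, 1)),
    ])


def run_sample_decisions(today: date = date(2024, 6, 1)) -> dict:
    """Exercise the policy on a few constructed requests and return the outcomes."""
    pol = build_sample_policy()
    train = Resource("fraud_train_v3", "train:fraud")
    prod = Resource("fraud_prod_scores", "prod:fraud")
    return {
        "ds_reads_train": pol.decide("alice", {"data_scientist"}, "read_training_data", train, today),
        "ds_reads_prod": pol.decide("alice", {"data_scientist"}, "read_training_data", prod, today),
        "ds_tunes": pol.decide("alice", {"data_scientist"}, "tune_parameters", train, today),
        "owner_tunes_stale": pol.decide("bob", {"model_owner"}, "tune_parameters", train, today),
        "stale_grants": len(pol.stale_grants(today)),
        "audit_entries": len(pol.audit),
    }


if __name__ == "__main__":
    for k, v in run_sample_decisions().items():
        print(f"{k}: {v}")
```

Only the first request succeeds: the same data scientist is refused the production dataset because the tag does not match (segregation), refused parameter tuning because no role grants it, and the model owner is refused as well because the tuning grant has gone unreviewed past the interval, which is how a review cadence becomes an enforced control rather than a calendar reminder.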
Obsessively protect your customers’ data
Security techniques including differential privacy, encryption in transit and at rest, data sanitization, and sandboxing should be leveraged to maintain the confidentiality, integrity, and availability of sensitive information.
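Of the techniques listed, differential privacy is the least familiar to most security teams, so here is an added worked example of its simplest form: a counting query answered with Laplace noise, plus a privacy budget that stops further queries once the allowed epsilon is spent. This is illustrative code, not FS-ISAC's; the customer records, epsilon values and budget are constructed, and the random generator is seeded only so the run is repeatable.

```python
"""Laplace-mechanism counting query with a per-dataset privacy budget.

Added illustration of the differential-privacy technique the article names;
not FS-ISAC's code. The records, epsilon values and budget are constructed.
"""
import math
import random
from typing import Callable, Dict, List


class BudgetExhausted(Exception):
    pass


class PrivateCounter:
    """Answers counting queries over `records` with Laplace noise and refuses
    further queries once the total epsilon spent would exceed the budget."""

    def __init__(self, records: List[Dict], total_epsilon: float, seed: int = 0) -> None:
        self.records = records
        self.budget = total_epsilon
        self.spent = 0.0
        self.rng = random.Random(seed)   # seeded only so the example is repeatable

    @property
    def remaining(self) -> float:
        return self.budget - self.spent

    def _laplace(self, scale: float) -> float:
        # Inverse-CDF sample from Laplace(0, scale).
        u = max(self.rng.random(), 1e-300)   # random() is in [0, 1); avoid log(0)
        if u < 0.5:
            return scale * math.log(2 * u)
        return -scale * math.log(2 * (1 - u))

    def count(self, predicate: Callable[[Dict], bool], epsilon: float) -> float:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.budget + 1e-12:
            raise BudgetExhausted(f"{self.remaining:.2f} epsilon left, {epsilon} requested")
        true_count = sum(1 for r in self.records if predicate(r))
        # A counting query changes by at most 1 when one record is added or
        # removed (sensitivity 1), so Laplace(1/epsilon) noise gives
        # epsilon-differential privacy for this single answer.
        noisy = true_count + self._laplace(1.0 / epsilon)
        self.spent += epsilon   # sequential composition: the epsilons add up
        return noisy


SAMPLE_RECORDS = [  # constructed customer rows
    {"id": f"C{i:04d}", "region": "EU" if i % 3 else "US", "flagged": i % 7 == 0}
    for i in range(300)
]


def flagged_eu(r: Dict) -> bool:
    return r["region"] == "EU" and r["flagged"]


def average_noisy_answer(n: int = 2000, epsilon: float = 0.5) -> float:
    """Mean of n independent noisy answers from fresh counters: the noise is
    zero-mean, so aggregate utility survives while any single answer stays
    private. (The exact count of flagged EU rows in the sample is 28.)"""
    total = 0.0
    for seed in range(n):
        counter = PrivateCounter(SAMPLE_RECORDS, total_epsilon=1.0, seed=seed)
        total += counter.count(flagged_eu, epsilon)
    return total / n


if __name__ == "__main__":
    c = PrivateCounter(SAMPLE_RECORDS, total_epsilon=1.0, seed=1)
    print("noisy count:", round(c.count(flagged_eu, 0.5), 2), "remaining:", c.remaining)
    print("noisy count:", round(c.count(flagged_eu, 0.5), 2), "remaining:", c.remaining)
    try:
        c.count(flagged_eu, 0.1)
    except BudgetExhausted as e:
        print("refused:", e)
    print("mean over 2000 fresh answers:", round(average_noisy_answer(), 2))
```

The budget is the part teams most often leave out: without it an analyst can repeat the same query and average the noise away, so the counter refuses the third query once the two half-epsilon answers have consumed the budget of one. Noise scale is set by sensitivity divided by epsilon, which is why the mechanism here only covers counts; sums or averages over unbounded values need clipping first so their sensitivity is finite.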
Use best practices when building effective test plans
Generate baselines for model testing and leverage cross-sector data sharing to ensure adequate coverage across a domain. Understanding the reliability and completeness of underlying data allows for stronger model testing with fewer limitations.
Keep current on model vulnerabilities
Fundamental data governance security practices combined with basic cybersecurity hygiene can alleviate vulnerabilities created by the growing threat landscape.
Require transparency from your vendors about how they store your data
Establish transparent communication with all vendors to ensure activities are compliant with regional and international requirements, as well as the firm’s internal security standards.
GenAI use cases and risks are still evolving, and while GenAI offers great potential for financial services processes, the sector has many concerns about data security, usage, privacy, and compliance.