
Manuel Sanchez at iManage explains how to tame today’s data governance triad
The events of 2024 – which included waves of third-party-driven hacks and data breaches, a multitude of new regulations, and advancements around generative AI – have underscored the necessity of comprehensive and robust data governance strategies as a cornerstone of effective risk management.
In 2025, organisations will need to effectively tame this new triad of data governance challenges if they hope to safely navigate today’s fast-changing landscape.
One of the primary lessons learned from the cyber-onslaught of 2024 is the need for a thorough reassessment of vulnerabilities within the supply chain. Cyber-attackers have increasingly exploited weaknesses in third-party vendors and partners, gaining access to critical systems and data through these indirect channels.
As a result, organisations must adopt a holistic view of their supply chain security and implement stringent measures to evaluate and mitigate risks at every level.
They can start by thoroughly screening suppliers right at the outset. Bringing together critical information relating to third-party vendors – whether that’s information from risk assessment questionnaires that they’ve filled out, their corporate and financial data, or recent news items or Internet “chatter” about the vendor – can help create a more in-depth and nuanced risk profile for vendors.
It’s also worth taking a closer look at what sorts of policies, plans, and processes vendors have in place to manage risk. For example, what do the business continuity and disaster recovery processes look like? In the event of a disaster, how long will it take to restore access to systems? As far as the data centers that are hosting cloud services, who exactly has access to those data centers? If a breach is detected, how much time elapses before the customer is notified, and how is the customer notified?
More than just being clearly documented, these plans and policies should be regularly refreshed to ensure the documentation hasn’t gone out of date. They should also be made readily accessible to any potential customer who wants to view them.
Addressing supply chain vulnerabilities mitigates cyber-security risk on one front, but organisations also need to blunt the impact of phishing attacks, which show no signs of slowing down.
The actionable advice here is to devote resources towards end-user awareness and education. This means communicating on a regular cadence to end users that phishing is an ongoing threat and that they shouldn’t click on any links in emails that are of a suspect nature. Simulated phishing attacks can be a useful tool here as far as reinforcing key “cyber-hygiene” practices.
In addition to these cyber-security challenges, the “data governance triad” also includes a slew of new regulations around how data must be handled.
We can consider GDPR to be “the first shot fired” in the ongoing regulatory shift that is underway. GDPR remains one of the most stringent and comprehensive data protection laws globally – and it imposes strict requirements on organisations regarding the collection, processing, and storage of personal data.
The other side of the pond has taken action of its own. The California Consumer Privacy Act (CCPA) is another significant regulation that impacts data governance practices, granting California residents specific rights concerning their personal information and imposing obligations on businesses to protect and manage this data responsibly. Additional US states are releasing their own laws modeled after CCPA.
Even international standards bodies are weighing in on the importance of data governance. The National Institute of Standards and Technology (NIST) recently released its Cybersecurity Framework 2.0 (CSF 2.0), where it placed a new emphasis on data governance as one of its key principles.
Streamlined data management will play a role not just in maintaining data security, but in effectively maintaining customer trust and compliance with these regulations. Practically speaking, this means that organisations need to know what data they actually have, where that data is actually located, and what kind of data retention and data governance principles they actually have in place.
This granular level of detail is becoming increasingly important as growing public awareness of data rights leads to a greater volume of data subject access requests (DSARs). Organisations that take the time to develop capabilities to effectively manage their data will be best positioned to respond to these types of requests.
The final element of the data governance triad is around generative AI, which has added new layers of complexity for organisations to wrestle with – mainly because of the piles of data used to train the large language models (LLMs) that underpin AI tools.
Organisations need to ask themselves questions like: which pieces of data are being used to train the LLMs? Where exactly does that data reside? Where does the AI processing of that data actually take place? It’s easy for an organisation to quickly find itself in hot water if data resides in one jurisdiction but is processed in another, which could potentially violate data sovereignty or geolocation requirements.
Additionally, there should be caution against feeding the generative AI model confidential data that contains sensitive or privileged information.
There are several concrete steps organisations can take to minimise data governance risk around generative AI. For starters, by using a single, centralised repository (such as a document management system, or DMS) for files, they can gain a baseline level of control over the data that feeds the generative AI model. Information barriers and security policies within the DMS will ensure that no one has access to confidential documents that they shouldn’t.
Additionally, a platform approach that combines AI with document management helps eliminate any data sovereignty or geolocation risk, because the AI is powered by data that never has to leave the DMS or the specific datacentre in which that DMS and its documents are domiciled.
The evolution of data governance in 2025 is not just a necessity but a strategic imperative. Organisations must address supply chain vulnerabilities and phishing threats, comply with stringent data protection laws, and manage the complexities introduced by generative AI.
In doing so, organisations will ensure they have a proper handle on their data governance requirements while equipping themselves to more effectively navigate a dynamic and challenging landscape.
Manuel Sanchez is an Information Security and Compliance Specialist at iManage
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543