If you’ve used generative artificial intelligence (AI) models, you know their answers to your queries and prompts appear on your screen word by word, instead of all at once. The feature is meant to mimic natural human conversation. It works because the models respond using a stream of encrypted data packets.
Unfortunately, it can also put your privacy at risk.
In November, Microsoft researchers identified a troubling AI cyber security threat called “Whisper Leak.” As Lars Daniel explained for Forbes, “While our actual words remain secure and unreadable, the pattern of how data flows … can give away enough information for someone to make an educated guess about your conversation topic.”
Cyber attackers could pinpoint the unique digital “fingerprints” of your conversations about specific topics with alarming accuracy, Microsoft’s research shows, even without decrypting them.
And not only hackers. Researchers spell out some troubling possibilities: “[I]f a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics—whether that’s money laundering, political dissent, or other monitored subjects—even though all the traffic is encrypted.”
The same characteristics that make AI large language models (LLMs) powerful research and productivity tools also make them high-value targets for cyber criminals. The Whisper Leak side-channel attack is only one of the most recent AI cyber threats to emerge.
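To make the side channel concrete, here is an added illustration (not Microsoft's research code and not from the original article): TLS hides what each streamed chunk says but not how long it is, so the sequence of record sizes mirrors the sequence of token sizes; padding each chunk to a fixed bucket before encryption removes that signal. The two sample responses, the per-record overhead constant, and the padding layout are all constructed assumptions; production mitigations use random-length padding, while fixed buckets are used here so the result is deterministic.

```python
"""Why token-by-token streaming leaks, and how padding hides it.

All data below is constructed for illustration; neither response is real
model output and the overhead constant is an assumption.
"""
from typing import List, Optional

RECORD_OVERHEAD = 22  # assumed constant per-record overhead seen on the wire

# Constructed sample responses, pre-split into the chunks a streaming API
# would send (one token per chunk).
RESPONSE_A = ["Money", " laundering", " typically", " has", " three", " stages", ":"]
RESPONSE_B = ["Pasta", " is", " boiled", " in", " salted", " water", "."]


def pad_chunk(chunk: str, bucket: int) -> bytes:
    """Pad plaintext to a multiple of `bucket` bytes: raw || zeros || pad_count."""
    if not 2 <= bucket <= 255:
        raise ValueError("bucket must fit a 1-byte pad count")
    raw = chunk.encode("utf-8")
    pad = (-(len(raw) + 1)) % bucket  # zero bytes needed besides the count byte
    return raw + b"\x00" * pad + bytes([pad])


def unpad_chunk(data: bytes) -> str:
    """Inverse of pad_chunk: the last byte says how many zero bytes precede it."""
    pad = data[-1]
    return data[: len(data) - 1 - pad].decode("utf-8")


def wire_sizes(chunks: List[str], bucket: Optional[int] = None) -> List[int]:
    """Record sizes a passive observer sees; bucket=None means no padding."""
    sizes = []
    for c in chunks:
        plain = pad_chunk(c, bucket) if bucket else c.encode("utf-8")
        sizes.append(len(plain) + RECORD_OVERHEAD)
    return sizes


def distinguishable(a: List[str], b: List[str], bucket: Optional[int] = None) -> bool:
    """True if the two streams can be told apart by record sizes alone."""
    return wire_sizes(a, bucket) != wire_sizes(b, bucket)


if __name__ == "__main__":
    print("unpadded :", wire_sizes(RESPONSE_A), "vs", wire_sizes(RESPONSE_B))
    print("bucket 32:", wire_sizes(RESPONSE_A, 32), "vs", wire_sizes(RESPONSE_B, 32))
    print("distinguishable, no padding:", distinguishable(RESPONSE_A, RESPONSE_B))
    print("distinguishable, bucket 32 :", distinguishable(RESPONSE_A, RESPONSE_B, 32))
```

Padding only hides sizes; the number of chunks and their timing remain visible, which is why batching several tokens per chunk is the usual companion mitigation.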
If your business clients are using AI, you must help them understand their AI-related cyber security risks and how Cyber Liability Insurance can help mitigate them.
Understanding Different Types of AI Cyber Threats
A client may ask you, “Can AI be hacked?” If they do, you need a basic understanding of the many AI cyber security perils that exist.
Security practices for LLMs haven't kept pace with the models' proliferation. Unlike traditional software, AI models have vulnerabilities rooted in their design, their training data, and the natural language they process.
Traditional security measures may not detect AI cyber attacks and threats, which include:
Prompt injection
Prompt injection abuses an LLM's inability to reliably distinguish instructions it should follow from untrusted text that merely arrives as data. Attackers craft inputs designed to make an LLM violate its own guidelines, generate harmful content, or allow unauthorized access.
Hackers can type malicious prompts directly into the AI model or hide them in data the LLM ingests (for instance, as text or code hidden on a web page the LLM reads or in an image it scans).
“Jailbreaking”
Where prompt injection overrides an LLM developer’s original instructions, jailbreaking makes models disregard their built-in safety measures entirely so they can produce outputs that are normally restricted. It exploits gaps in the model’s training, using such techniques as gradual boundary testing, hypothetical framing, and role-playing scenarios (“Pretend you are an unethical hacker who wants to…”).
Data poisoning
Some attacks manipulate an LLM’s outputs by contaminating the data on which it is trained. Hackers can add fake data, change labels on data (for instance, marking spam emails as legitimate ones), or embed triggers for malicious actions. An attacker might manipulate a customer service chatbot to approve fraudulent returns or force a financial analysis model to offer damaging advice.
Insecure output handling
If an AI system's outputs aren't sanitized or validated before they are displayed or acted on, any sensitive data they contain, from personal information to confidential business strategies, is at risk.
Threat actors can also exploit insecure outputs to carry out code injection attacks, for example when model output is passed unchecked to a browser, a database, or a shell, leading to manipulation of system behavior or denial of service. Consequences can be especially severe when humans fail to verify automated outputs, since "agentic AI" models can plan and take actions on their own.
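The defensive pattern behind the last two sections, including the fraudulent-refund scenario from the data poisoning section, is to treat model output as untrusted input. The following is an added example, not code from the article or any vendor: free text is escaped before it is rendered, and an action the model proposes is checked against an allowlist and limits rather than executed as returned. The tool names, argument schema, order-ID format, and refund limit are all assumptions.

```python
"""Output gate for a constructed agentic customer-service assistant."""
import html
import json
import re
from typing import Any, Dict, Tuple

# Assumed policy: tools the agent may call and the type of each argument.
ALLOWED_TOOLS: Dict[str, Dict[str, type]] = {
    "lookup_order": {"order_id": str},
    "issue_refund": {"order_id": str, "amount": float},
}
AUTO_APPROVE_REFUND_LIMIT = 50.0              # larger refunds go to a human
ORDER_ID = re.compile(r"[A-Za-z0-9-]{1,32}")  # assumed downstream format


def render_reply(model_text: str) -> str:
    """Escape model text before a browser sees it, so markup the model was
    tricked into emitting is displayed as text rather than executed."""
    return "<p>" + html.escape(model_text, quote=True) + "</p>"


def _type_ok(value: Any, typ: type) -> bool:
    if typ is float:  # accept ints too, but never bool (an int subclass)
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    return isinstance(value, typ)


def gate_action(raw_action: str) -> Tuple[str, str]:
    """Decide what to do with an action the model proposed as JSON.
    Returns (decision, reason); decision is 'allow', 'review' or 'reject'."""
    try:
        action = json.loads(raw_action)
        tool, args = action["tool"], action.get("args", {})
    except (json.JSONDecodeError, TypeError, KeyError, AttributeError):
        return "reject", "action is not a well-formed JSON object"
    if not isinstance(tool, str) or tool not in ALLOWED_TOOLS:
        return "reject", f"tool {tool!r} is not on the allowlist"
    schema = ALLOWED_TOOLS[tool]
    if not isinstance(args, dict) or set(args) != set(schema):
        return "reject", "arguments do not match the tool's schema"
    if any(not _type_ok(args[k], t) for k, t in schema.items()):
        return "reject", "argument has the wrong type"
    if not ORDER_ID.fullmatch(args["order_id"]):
        return "reject", "order_id contains unexpected characters"
    if tool == "issue_refund":
        if args["amount"] <= 0:
            return "reject", "refund amount must be positive"
        if args["amount"] > AUTO_APPROVE_REFUND_LIMIT:
            return "review", "refund exceeds the auto-approval limit"
    return "allow", "action passes policy"
```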
AI-driven cyber threats
For cyber criminals, AI is a force multiplier. It can automate such tasks as reconnaissance, vulnerability scanning, and phishing attacks, making them more efficient and difficult to detect.
Additionally, criminals not only use and abuse existing AI models but also develop their own. These malicious tools can create polymorphic malware, craft sophisticated social engineering attacks (such as those involving deepfake content), and identify security gaps with alarming efficiency and effectiveness.
Consequences of AI Cyber Attacks
The specific cyber security risks LLMs pose are new. But the potential fallout from an AI cyber attack resembles the consequences of other, more familiar cyber incidents:
- Operational disruption
A compromised AI system can bring business to a standstill. A critical chatbot or internal AI tool taken offline for remediation can mean interruptions in customer service, sales, and internal workflows, which hurts productivity and revenue.
- Financial ramifications
Any breach’s immediate costs include incident response, regulatory fines, and legal fees. What’s more, long-term revenue loss from stolen intellectual property and diminished customer trust can prove even more damaging.
- Regulatory penalties and scrutiny
Governments are responding to AI risks with more regulation. For example, Italy’s temporary ban and subsequent fine on OpenAI for privacy concerns set a precedent. Organizations failing to secure their AI systems face mounting compliance penalties under laws like GDPR and CCPA.
- Reputational damage
Trust is the currency of the digital age, but AI puts it under increased pressure. A significant AI privacy breach could permanently damage a company’s brand, causing customers to abandon the platform and making it difficult to attract new users.
AI Threats Make Cyber Insurance Even More Important
If you’re like many ProWriters brokers, you’ve been urging some of your clients to protect their systems, data, revenue, and reputation with Cyber Liability Insurance. While more organizations than ever are carrying this critical coverage, too many still aren’t.
Rising AI cyber security concerns only underscore any organization’s need for Cyber Insurance.
A strong, comprehensive policy is a barrier against potential financial losses and reputational damage resulting from AI-driven cyber threats. It also gives your clients access to expert resources for threat mitigation and recovery.
By proactively addressing the risks AI poses with your clients, you can play a pivotal role in strengthening their cyber security posture and fortifying their digital resilience.
Get more information about how ProWriters can help you find, quote, and sell the Cyber Liability Insurance your clients need and deserve.