Due Diligence and Ongoing Monitoring

  • 1.  Questions to Assess AI Usage

    Posted 06-21-2024 10:51 AM

    Have you started asking your vendors about their use of AI? If yes, what are the questions you are asking?

    These are questions we are considering asking:

    Are you using Artificial Intelligence in any aspect of the products or services you provide for our company?

    • If yes, are you using Artificial Intelligence for the processing and handling of the data we provide you?
    • If yes, please share how that is being done. We need a better understanding of how you are using the data we provide.

    Are you using the data we provide you to train an AI model?



    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------


  • 2.  RE: Questions to Assess AI Usage

    Posted 06-21-2024 11:04 AM

    Hello all. Our organization is now implementing the use of AI in our risk questionnaires. Primarily, the source used for the AI tool, whether it is internal or external. For example, an AI chatbot on a helpdesk product uses AI. Does this chatbot pull answers from outside the vendor or does the vendor have their own data warehouse where the data is pulled from?

     

    I hope this helps!

     

    Glory Polonia

    IT Operations & Vendor Management

     


     






  • 3.  RE: Questions to Assess AI Usage

    Posted 06-21-2024 11:04 AM

    Hi,

     

    As a matter of fact, we are! We have had all of our mission-critical vendor owners follow up with their vendors regarding AI. We are asking the same questions you have listed as well as:

    • Is PII involved with AI?
    • Future plans with AI?

     

    I am also adding it to my contract review.

     



    Kelli Shoup | Technology Support Lead/Information Security Specialist
    The Farmers Bank






  • 4.  RE: Questions to Assess AI Usage

    Posted 06-24-2024 10:32 AM

    As a reminder, I have an open item on here asking if anyone has developed an AI policy that they would be willing to share?

    I know it's early, especially for the financial services industry (I work for a community bank); however, I was hoping that someone had one. We're not looking to copy it – just to get some ideas. Policies should be brief as a best practice. So it's hard to put everything into a one or two-page document.

     

    Thanks!

     






  • 5.  RE: Questions to Assess AI Usage

    Posted 06-24-2024 10:41 AM

    Have you taken a look at

    Our commitments to advance safe, secure, and trustworthy AI - Microsoft On the Issues

    It refers you to the NIST AI Framework that has an RMF Playbook that might help.




  • 6.  RE: Questions to Assess AI Usage

    Posted 06-24-2024 12:04 PM

    Hi Mark,
    Looking at some of the financial firms, has anyone looked at the proposed AI industry letter of January 2024 from NY DFS Superintendent Harris?

    https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2024_nn_proposed

    Proposed Insurance Circular Letter

    January 17, 2024

    TO: All Insurers Authorized to Write Insurance in New York State, Licensed Fraternal Benefit Societies, and the New York State Insurance Fund

    RE: Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing

    STATUTORY AND REGULATORY REFERENCES: N.Y. Ins. Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 3221, 3425, 3426, 4224, and 4305, and Articles 24 and 26; 11 NYCRR 82; 11 NYCRR 89; 11 NYCRR 90; 11 NYCRR 243

    Also referenced:  PRESS RELEASE

    https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202401171

    https://www.governor.ny.gov/news/governor-hochul-unveils-fifth-proposal-2024-state-state-empire-ai-consortium-make-new-york  




  • 7.  RE: Questions to Assess AI Usage

    Posted 06-24-2024 12:06 PM

    The above mentioned third party vendors:

    D. Third-Party Vendors

    1. Insurers retain responsibility for understanding any tools, ECDIS, or AIS used in underwriting and pricing for insurance that were developed or deployed by third-party vendors and ensuring such tools, ECDIS, or AIS comply with all applicable laws, rules, and regulations.
    2. To ensure appropriate oversight of third-party vendors, insurers should develop written standards, policies, procedures, and protocols for the acquisition, use of, or reliance on ECDIS and AIS developed or deployed by a third-party vendor. Additionally, insurers should put in place procedures for reporting any incorrect information to third-party vendors for further investigation and update, as necessary. Further, insurers should develop procedures to remediate and eliminate incorrect information from their AIS that the insurer has identified or has been reported to a third-party.



  • 8.  RE: Questions to Assess AI Usage

    Posted 06-24-2024 12:32 PM

    For other sources, there is a Colorado law on consumer protections for AI that passed, as well as recent concerns of Microsoft Re-Cast taking snapshots of everyone's screens on tablets and PCs that are stored locally, but supplemented by a CLEAR TEXT database for attackers to peruse.

    i.e., AI – any "human" thoughts on AI features enabled by default (Google, Windows)

    - Windows Recall – continuously takes snapshots of your screens

    Microsoft Recall Flagged as a "security disaster"

    https://www.theverge.com/2024/6/3/24170305/microsoft-windows-recall-ai-screenshots-security-privacy-issues

    CoPilot+ PC:  https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15

    Manage Recall for IT Admins: https://learn.microsoft.com/en-us/windows/client-management/manage-recall

    - AI in LAW:  Colorado SB24-205 Consumer Protections for Artificial Intelligence

    "Groundbreaking AI Consumer Protection Legislation"

    https://leg.colorado.gov/bills/sb24-205

    Text: https://leg.colorado.gov/sites/default/files/2024a_205_signed.pdf

    Related article:   https://www.akingump.com/en/insights/blogs/ag-data-dive/colorado-enacts-groundbreaking-ai-consumer-protection-legislation