ChatGPT & Cybersecurity: Is It a Double-Edged Sword?
It can be, but there are ways to navigate the risks and maybe even make it a manageable venture for your institution.
It was just 12 years ago when we were introduced to Siri on Apple devices and only nine years ago when Amazon debuted its Alexa personal assistant. In just a decade (give or take), our lives have transformed to make room for these artificial intelligence innovations, and they’ve become part of our daily lives. Now, we’re seeing even greater leaps and bounds into the future of AI with the release of technology like ChatGPT.
ChatGPT differs from Siri and Alexa in that it’s not necessarily a personal assistant that can manage your calendar or adjust the temperature in your house even when you’re miles away. What it does do, though, is allow businesses, primarily, to engage with their customers through an AI-driven platform that holds intelligent conversations, answers questions and creates solutions through natural language understanding. And the more conversations it has, the more it learns, ultimately allowing it to understand increasingly complex concepts, which could be a revolutionary advancement for credit unions.
That level of technology, though, can present a paradox – a dreaded double-edged sword. While ChatGPT can certainly be a level up in technology-assisted operations for financial institutions, it doesn’t come without its security issues – some of which are significant and require considerable research and review by your credit union.
Cybersecurity Risks of ChatGPT
Good or evil? ChatGPT is simply a tool that is programmed to learn from information and experiences. That means it can be amazing in the right hands, or extremely dangerous in the wrong hands. On the good side, it can be taught to analyze information and maybe even detect potential cyberattacks. But on the evil side, it can also be taught to exploit weaknesses in code and firewalls, insert malicious code on your network, or even create and send phishing emails that target your members.
Availability to anyone. As previously mentioned, ChatGPT is a technology tool that can usher your credit union into the modern age with ease. But it’s just as readily available to cyber criminals. There is no way to discern how ChatGPT will be used from one person or place of business to the next, which makes it an open resource for anyone, regardless of their intentions.
Access to information. ChatGPT has the ability to access any information available to it. That could be anything on the internet, in the cloud, on your servers and so on. That can be incredibly helpful when trying to locate member information and troubleshoot issues. But with access to any of these things comes the risk that the information can be shared in scenarios of impropriety or questionable ethics. In addition, that data can be tampered with, removed or even held hostage (similar to ransomware).
Misuse of information. Not only does ChatGPT have access to a wealth of information, it also can use that information in a variety of ways. Whether those ways are good or bad depends upon what it has been taught to do, or what it learns to do over time. The risks, though, are that ChatGPT provides inaccurate or altogether misleading information, divulges private information (including personal identifiers, financial data, etc.) and uses information for schemes such as social engineering and impersonation.
Reliance on technology. ChatGPT is powered by AI. That artificial intelligence is undoubtedly something that has been around for a while, but it still has its unknowns. With such heavy reliance on technology, ChatGPT poses two big challenges: What happens if the technology goes down or fails, and what are the implications of a purely tech-driven tool that isn’t bound by morals and ethics?
Navigating the Risks of ChatGPT
Have you noticed a pattern here – the “yes, but” pattern to be exact? There’s no doubt that there are two faces of ChatGPT, and they certainly play contradictory roles. Credit unions need to think about the entire spectrum of risk – from the legal and reputational risks if member data is inadvertently leaked, to the operational risks if networks or servers are compromised by ChatGPT cyberattacks. However, there are ways to navigate the risks of ChatGPT and maybe even make it a manageable venture for your institution.
- Take no shortcuts when it comes to due diligence and spend ample time vetting your options for the use, management and security of ChatGPT.
- Create stringent policies and procedures for handling ChatGPT. These should address which employees have access to controls over ChatGPT, what systems ChatGPT has access to, how to monitor the data coming in and going out to members and more.
- Consider the specific role of ChatGPT within your organization and how you can use the human qualities of your staff to balance the mechanization of AI. This will allow you to have more security-focused eyes on the ChatGPT technology while also maintaining the credit union movement’s personalized approach to member service.
With ChatGPT technology come lots of advantages, not the least of which are more resources for assisting your members and new logic to help work through various aspects of your operations. Those benefits have their place, just like the Amazon Alexas and Apple Siris we’ve come to love and maybe even can’t live without. But with those advantages, we see just as many cybersecurity and risk concerns, such as data exposure, ethical dilemmas and the number of resources needed to safeguard this readily available tool from cyber criminals.
That’s the proverbial double-edged sword we’re talking about. ChatGPT serves a purpose, without question; but that purpose can contradict itself just as easily as it can converse with your members. Without it, we run the risk of falling behind other industries and, even within our industry, other financial institutions. With it, we also run the risk of what such a powerful AI solution means for our data security.
From a risk standpoint, it’s hard to give a concrete solution as to how credit unions should proceed with the trailblazing technology that is ChatGPT. The truth is, it’s really a matter of the risk you’re willing to accept and how you want to modernize your credit union. The best advice I have is this: Do your research, analyze all potential risks (cybersecurity or otherwise) and consequences, weigh the pros and cons, and consider the big picture of overall risk to your institution and your members. In other words, do what you must to keep from falling on that double-edged sword!
John Cuneo is Information Security Director for the $5.2 billion, Greensboro, N.C.-based Vizo Financial Corporate Credit Union.