New York State Bans DeepSeek – A Governance Wake-Up Call

The Director's Cut

Rob Sloan

Contributor

Zscaler

Feb 24, 2025

AI tools demand greater vigilance from corporate boards to protect against data privacy loss, geopolitical risks, and reputational damage.

The Headline: New York State Bans DeepSeek – A Governance Wake-Up Call


New York state’s ban of DeepSeek, a Chinese generative AI app, on government devices should prompt directors to assess whether their organization is adequately addressing data security within AI governance strategies.

DeepSeek’s affordability has driven rapid adoption, but its hidden data-sharing mechanisms and politically skewed responses pose risks. NY state’s decision stems from serious concerns over data privacy, censorship, and potential foreign access to sensitive information—similar to those raised about TikTok—highlighting the growing regulatory and cybersecurity risks surrounding AI technologies.

The ban comes as research showed hacking groups with known links to China, Iran, Russia and North Korea all use AI to support cyber activity, including writing malicious code and creating authentic-looking phishing emails.

Boards should require management to conduct regular risk assessments of AI tools integrated into operations, with clear oversight of supplier security practices. The DeepSeek case highlights the need for AI governance policies that address data privacy, geopolitical risks, and reputational exposure, ensuring organizations are not unknowingly compromised by foreign-state influences.

Questions Directors Should Ask Management:

  • How do we evaluate and manage risks from third-party AI tools used in our business?
  • Do our cybersecurity measures address AI-related threats, including misinformation and potential foreign interference?
  • Are we keeping up with government regulations and global concerns about AI security and data privacy?

On the Radar

1. Are Our Incident Response and Business Continuity Plans Sufficient?

The 2024 cyberattack on UnitedHealth’s Change Healthcare unit exposed data from 190 million Americans and has cost over $3 billion to date. Hackers exploited weak access controls, including missing multifactor authentication, and even after the company paid a $22 million ransom, operations remained disrupted for months—underscoring the need for stronger cybersecurity defenses and incident response planning.

Governance Implications:

  • Boards must ensure cybersecurity is a standing agenda item, with direct reporting from CISOs on incident response preparedness.
  • Directors should require annual cybersecurity stress tests and third-party audits to assess vulnerabilities, particularly in critical systems like payment processing.
  • With HIPAA regulations tightening, boards must proactively oversee compliance efforts and resource allocation for cyber resilience.

2. Are We Underestimating Regulatory Penalties for Cybersecurity Failures?

Regulators are cracking down on weak cybersecurity. MGM Resorts recently paid $45 million to settle lawsuits over data breaches, while the SEC fined Ashford for misleading disclosures on a breach affecting 46,000 people. These cases highlight the financial and reputational risks of inadequate cyber controls.

Governance Implications:

  • Boards must hold executives accountable for clear and timely cyber incident disclosures, ensuring compliance with SEC and industry regulations.
  • Directors should review cybersecurity compliance reports quarterly and require legal counsel to brief them on regulatory risks.
  • Non-compliance now carries steep financial penalties—board-level oversight is essential to mitigating legal and reputational damage.

3. Are We at Risk of Cyber-Physical Sabotage?

Environmental activists escalated their tactics last month by sabotaging digital infrastructure at major insurance firms across the U.K. The ‘Shut The System’ group cut fiber optic communications cables accessible from the street to protest firms accused of underwriting fossil fuel projects. The actions caused building-wide internet connectivity outages and operational disruption. Physical sabotage of corporate network connectivity could become more common.

Governance Implications:

  • Boards in high-risk industries (energy, finance, insurance) should require scenario planning for activist-driven cyber disruptions, ensuring business continuity measures are in place.
  • Directors must review cyber risk insurance policies regularly to confirm coverage for politically motivated sabotage, as these threats evolve beyond traditional cybercrime into direct operational disruption.

The Indicator

Number One

Ranking of ‘Cybersecurity Attacks on Your Country’ in survey results published in the Munich Security Report this month. Cyber risk was ranked above other global risks such as ‘Extreme Weather and Forest Fires’, ‘Political Polarization’, and ‘Economic or Financial Crisis in Your Country’. U.S. respondents ranked ‘Russia’ as the main security concern.

***

Zscaler is a proud partner of NACD’s Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email (rsloan[@]zscaler.com) Rob Sloan, VP Cybersecurity Advocacy at Zscaler, if you would like to learn more.
