AI threats call for smarter training in financial services: OSFI

Artificial intelligence has exponentially elevated cyber risks, and businesses need to change how they prepare their staff to counter the threats, say participants in a cybersecurity workshop attended by insurer and financial service regulators. 

Traditional approaches to staff training are proving inadequate in the face of emerging AI threats, according to participants in a workshop held by the Office of the Superintendent of Financial Institutions (OSFI), Department of Finance Canada, and the Global Risk Institute (GRI). And better information-sharing between businesses and government would help. 

AI technologies are reshaping security and cybersecurity threats by increasing the scale of social engineering attacks and creating deepfakes capable of bypassing identity checks and internal controls. The workshop included 56 Canadian and global AI experts from across the financial services sector, including insurers, policymakers and regulators. 

Asked to identify the Top 3 internal hurdles financial institutions face in managing AI-related security risks, 60% of workshop participants identified the speed at which AI advancement outpaces risk management adaptation as the most significant.  

This was followed closely by third-party vendor vetting.

The third is a lack of clarity in AI governance and oversight, particularly at the executive level. 

Why innovative customer experience will define the future of personal auto insurance Image

Insights Paid Content

Why innovative customer experience will define the future of personal auto insurance

Technology is helping insurers reimagine how they support personal auto customers — and it starts the moment a collision is reported, say experts at Accident Support Services International.

By 

Sponsor Image

Forum participants also emphasized the importance of AI adoption to be use-case or business-case-driven. 

“Rather than seeing AI as the next “bright shiny object,” successful AI adoption should yield measurable shareholder or stakeholder results,” the workshop report reads.  

Most pressing AI challenges 

Asked to identify the financial sector’s AI-enabled threat risks, participants cited four prominent factors. 

• 71% of participants flagged AI-powered social engineering (i.e. convincingly targeted phishing) as the most pressing AI-related challenge. Another 40% highlighted deepfake identity fraud as a major concern. 
• Threat actors are weaponizing AI to automate and intensify cyberattacks. Financial institutions that expand their own use of AI increase their overall attack surface and susceptibility to exploitation. Reliance on opaque third-party AI models and infrastructure exposes financial institutions to descending risks. Multi-source supply chain dependencies create new points of potential failure and avenues for attack by AI fraudsters. 
• AI models and systems consume vast amounts of proprietary or customer-sensitive data. AI is therefore driving data vulnerabilities, because high-value sensitive institutional and client data are becoming increasingly vulnerable targets for threat actors. 

Opportunities for improvement  

Although AI presents serious threats to the financial sector, participants emphasized the potential for AI to strengthen cyber resilience; that’s if institutions adopt the right tools and collaborate effectively. 

Adjusting traditional approaches to employee training is required to defend against increasingly sophisticated social engineering tactics, workshop participants found. They advocated for a “rethinking” of employee training against highly targeted phishing attempts, saying traditional phishing simulations may not be enough. 

“Rather than deceptive simulations, institutions could focus on engaging scenario-based learning and habit-building to prepare staff for sophisticated threats without compromising trust,” the report reads.  

Participants also identified improved information-sharing as a key opportunity to strengthen the financial sector’s cybersecurity. They see better collaboration between organizations and government as a foundational step toward stronger defense. 

And although many insurers require policyholders to adopt multi-factor authentication before being insured, the adoption needs to be universal. Especially when considering third-party supply chain risks.  

Additional forms of verification protect systems, data, and client accounts from compromise. “One participant noted that ‘consumers demand speed and convenience, but there needs to be a balance between redundancies and the risk,’” the report states. 

Participants also emphasized a need for more forms of digital identification and verification. “A robust digital ID framework could help ensure that only verified individuals gain access to sensitive systems and data,” the report reads.  

Alyssa DiSabatino

Alyssa Di Sabatino has been a reporter for Canadian Underwriter since 2021, covering industry trends, market developments, and emerging risks.