Written by Travis Deforge, Director of Offensive Cybersecurity at Abacus Group
The rise of generative AI presents both opportunities and risks for financial institutions. While AI can enhance efficiency and decision-making, it also introduces security, compliance, and operational challenges. The recent discussions around DeepSeek AI highlight the importance of implementing strong governance, risk, and compliance (GRC) frameworks to ensure financial firms use AI responsibly.
AI Governance: A Necessary Framework for Financial Services
Financial firms must establish clear AI governance policies to ensure compliance and mitigate risks. This includes evaluating AI models, aligning them with existing security controls, and ensuring they do not conflict with regulatory obligations. Instead of outright banning AI tools, firms should implement measures to ensure AI adoption is safe and responsible within their environment.
A well-structured AI governance policy should define approved AI providers, outline data privacy measures, and enforce security protocols that prevent unauthorized AI use. DeepSeek AI’s data processing and storage practices raise concerns, particularly for firms handling sensitive financial data. Understanding where data is stored and processed is critical for ensuring compliance with regulatory requirements such as GDPR, DORA, and SEC regulations.
Strengthening Security Measures for AI in Financial Services
Rather than focusing solely on restricting AI tools, firms should prioritize enhanced security practices around AI adoption. This includes:
Recent cybersecurity incidents, such as the rise of AI-powered malware and impersonation scams, highlight the evolving threats facing financial firms. Attackers are increasingly targeting AI tools to exploit vulnerabilities, steal credentials, and compromise proprietary data. As a result, financial institutions must proactively manage AI security risks.
A Call to Action: Responsible AI Adoption
The discussions around DeepSeek AI serve as a reminder that financial firms must be diligent in managing AI-related risks. This doesn’t mean banning AI outright; it means ensuring AI fits within a secure and compliant operational framework.
Firms should take this opportunity to review their AI governance policies, reinforce security controls, and educate employees on AI risks. By doing so, financial institutions can harness the benefits of AI while mitigating potential threats to data security, regulatory compliance, and business integrity.