ChatGPT (Generative Pretrained Transformer), an OpenAI platform, was released in November 2022 and has been an instant success. In simple terms, ChatGPT is an artificially intelligent model that has been trained to generate text that imitates human language once it has been prompted with a query or question. The producers of the model expect to release a new version soon!
ChatGPT has been identified as a problem in the education sector, where it could enable some students to engage in unfair practice, undermining the integrity of assessment procedures. We have also read in the press about lawyers in different jurisdictions making submissions to courts using texts obviously prepared by ChatGPT. In the insurance sector, cyber risk insurers in particular are also concerned about the potential disruptive impact of this OpenAI platform on their business models.
If prompted, ChatGPT will refuse to write ransomware or malicious code, and when denying such requests it will explain that ransomware is both “illegal” and “unethical”. However, there is no guarantee that a person will not find a way to create malicious code by utilizing ChatGPT. As long as the right questions are posed, the current version of the model could give anyone step-by-step guidance on how to create malicious code. This is a genuine concern for cyber risk insurers, as it potentially makes it easier to produce such malicious code (even for amateurs) and then target a business. Small and medium-sized businesses (SMEs), which do not have appropriate cyber security measures in place, are particularly vulnerable to ransomware attacks.
It is also possible that, if prompted, ChatGPT can write convincing phishing emails that can be utilized in social engineering campaigns by threat actors. Again, this increases the possibility that an employee in a company or business could engage with such a convincing phishing email, potentially compromising the cyber security of the organization in question.
In recent months, cyber risk insurers have reported that ChatGPT has been utilized by criminals in ransomware negotiations, potentially tilting the balance in favour of such criminal elements. One underwriter who discussed the matter with the author believes that ransomware negotiations are getting more difficult by the day thanks to ChatGPT and that sums paid by insurers are increasing as a result!
The main problem stems from the fact that OpenAI remains largely an unregulated area and realistically this will not change anytime soon. While there is an expectation on the creators of ChatGPT to ensure that their tool cannot be easily manipulated by threat actors, there is no denying the fact that ChatGPT has broadened the potential attack surface for businesses, and this is a particular concern for cyber risk insurers. If the new version of ChatGPT is not designed to better detect such threat actors (and block such requests), we should expect an increase in successful ransomware attacks on businesses, which will potentially lead to a further increase in cyber risk insurance premiums. We cannot stop innovation, but we have every right to expect the producers to put in place mechanisms to prevent harmful use of their products. Cyber risk insurers are hoping that the new version of this OpenAI tool will be equipped to deal with those who are planning to use it for criminal purposes. This will be a good illustration of how tech can perform the function of regulation as well as innovation!