How AI is transforming third-party risk assessment at the University of Kentucky
When the University of Kentucky Information Technology Services (UK ITS) Cybersecurity team identified gaps in its security design, it enlisted the help of outside experts. Together with current and former chief information officers and chief information security officers from other universities, our cybersecurity experts found that data sharing needed to be addressed. Protecting sensitive data of people who attend and work within our university is crucial, as it safeguards our community from data breaches.
Given the evolving cyber threat landscape, UK ITS developed a new third-party risk assessment process leveraging AI. Concurrently, UK Procurement received directives to enhance software purchase risk management. These efforts resulted in meaningful cybersecurity enhancements that have benefited our university community.
Working alongside UK Procurement, Office of Legal Counsel and Risk Management, the cybersecurity team initiated the design and testing of a comprehensive third-party risk assessment process. After several weeks of refinement and beta testing with business officers, the project team streamlined operations and integrated a software solution identified by cybersecurity, enhancing compliance with third-party risk assessment rules.
Despite initial success, the project's scope expanded beyond expectations. Collaborating with the software provider, the team recognized the potential of AI to support risk assessments. Applied to tasks like summarizing lengthy reports such as SOC 2 reports, the AI tool significantly increased efficiency, allowing more assessments to be handled in less time. This innovative approach not only saves hours of work but also reduces costs associated with manual processing.
Employing third-party data risk processes has provided the university with valuable insights into data-sharing practices, enhancing our ability to protect sensitive information. AI-driven tools have significantly boosted the team's capacity to process requests efficiently and conduct thorough assessments. Integrating AI into third-party data risk management forms a key component of a broader privacy initiative, encompassing cybersecurity assessments and data classification efforts to foster a culture of privacy at the University of Kentucky.