Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation requires an adversary to craft and deliver a prompt injection payload into an active ChatGPT session where sensitive data is present — not trivial, but a known and documented attack class against LLM tooling, and OpenAI has confirmed the exfiltration path is not fully closed even with Lockdown Mode enabled. Impact is high because affected organizations in regulated sectors (financial services, healthcare, legal) routinely process sensitive or regulated data through ChatGPT workflows, meaning a successful exfiltration event carries material regulatory, reputational, and operational consequences disproportionate to the CVSS score.
Treatment rationale: The exposure sits on an actively used attack surface, and the vendor acknowledges that its control is incomplete, which makes acceptance untenable for regulated-industry users. Avoidance (prohibiting ChatGPT entirely) is operationally disproportionate for most organizations. Mitigation directly reduces exposure while preserving business utility: enable Lockdown Mode as a baseline, impose data-handling policies that prohibit sensitive data entry into ChatGPT sessions, and conduct a formal AI vendor risk review.
Third-Party / Supply-Chain Risk
OpenAI is a third-party AI-as-a-service processor handling data submitted by enterprise users across Free, Go, Plus, Pro, and Business (Self-Serve) tiers. Per NIST SP 800-161 framing, organizations have limited visibility into OpenAI's internal processing controls and no direct ability to close the residual exfiltration gap OpenAI has itself disclosed. This is a classic inherited risk from a shared-platform provider: the vendor's acknowledgment of an incomplete control transfers residual risk to the subscriber organization. Supply-chain exposure is particularly acute for organizations that have integrated ChatGPT into automated workflows via API or plugin tooling, where data flows may be less visible to end users.
Loss Exposure (illustrative)
Magnitude: moderate to high — illustrative $250K–$2M per incident for a mid-sized regulated-industry organization, driven primarily by regulatory response, breach notification, and reputational remediation costs rather than direct technical recovery
Frequency: For an organization with broad ChatGPT adoption and no data-handling policy restricting sensitive input, illustrative frequency of a material exfiltration event is low-to-moderate annually — the attack requires targeting and session access, but the exposure surface scales with user count and workflow integration depth
Annualized: Illustrative annualized loss expectancy (ALE) of $50K–$400K for a mid-sized regulated-industry organization with broad ChatGPT adoption and no compensating data-handling controls, driven by low-to-moderate frequency against moderate-to-high per-event loss
Basis: Loss magnitude derived from the regulatory-notification and reputational-remediation cost profile typical of a third-party data processor incident involving sensitive business data; no third-party report figures cited. Frequency derived from the combination of a non-trivial but non-commodity attack vector (prompt injection requiring session access) against a large exposed user base with no current data-handling policy controls. ALE range is the product of illustrative frequency and magnitude and is intended for relative risk prioritization only.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If employees have submitted personally identifiable information, protected health information, or other regulated data through ChatGPT sessions, a confirmed exfiltration incident may invoke state and federal breach-notification obligations — verify with counsel.
• Existing cyber-insurance policies may contain AI-tool or third-party SaaS exclusions, or may require notification of known vendor-acknowledged control gaps as a condition of coverage — verify with broker.
• Enterprise agreements or data processing addenda with OpenAI may define data handling obligations and liability allocation relevant to this disclosure — verify with counsel.