UK regulators press firms to curb cyber risks from advanced AI

The Daily Commerce | May 18, 2026

British financial firms should strengthen cyber defences against advanced artificial intelligence models that could make cyber attacks faster, cheaper and harder to contain, the Bank of England, the Financial Conduct Authority and HM Treasury said.

In a joint statement published on Friday, the authorities said frontier AI models had reached a level of capability with “significant implications” for cybersecurity and operational resilience across financial services.

The statement did not announce new rules. It told regulated firms and financial market infrastructure providers to use existing resilience frameworks to assess how frontier AI could affect their exposure to cyber threats.

The authorities said current frontier AI models already show cyber capabilities that can exceed those of a skilled practitioner in some areas, particularly when speed, scale and cost are taken into account.

“These capabilities, if used maliciously, amplify cyber threats to firms’ safety and soundness, their customers, market integrity and UK financial stability,” the statement said.

The warning reflects growing concern among regulators that the latest AI systems could change the pace of cyber activity against banks, insurers, payment providers and market infrastructure.

Financial firms already manage frequent cyber threats, including phishing, ransomware, data theft and attacks on suppliers. The concern raised by regulators is that advanced AI could reduce the time and cost needed to find weaknesses in systems, analyse software and support more complex attacks.

The authorities said the risks were expected to increase as models become more advanced.

They told boards and senior managers to ensure they understand frontier AI risks and can oversee the way firms respond. That includes decisions on cybersecurity investment, vulnerability management, third-party risk, data protection and incident response.

The statement said firms should consider whether their current investment plans are enough, particularly where they rely on old technology or unsupported software.

Legacy systems remain a persistent problem in financial services. Some systems are difficult to replace because they support core operations or are connected to multiple other platforms. Regulators said those systems could become more exposed as AI improves the ability to identify weaknesses at speed.

The authorities also pointed to vulnerability management as a priority.

Large firms often hold long lists of known technical weaknesses. Some are fixed quickly. Others remain open because a fix is expensive, technically difficult or could disrupt business operations.

If frontier AI tools make it easier to identify exploitable vulnerabilities, firms may face a faster cycle of discovery, prioritisation and patching. The regulators said companies should ensure they can assess, rank and remediate vulnerabilities at scale.

That could require more automation, better asset inventories and faster internal decision-making. It could also increase pressure on firms that have delayed upgrades to ageing systems.

The warning comes after senior Bank of England officials raised concerns about disruption from newer AI models. Sam Woods, chief executive of the Prudential Regulation Authority, said earlier this month that the latest models could create “quite significant disruption” for the financial sector, including by increasing demands on banks to patch weaknesses.

The joint statement also focused on third-party and supplier risks.

Financial firms rely on cloud providers, external software vendors, outsourced technology services, open-source libraries and other external tools. Regulators said firms should be able to identify, monitor and manage external applications, libraries and services connected to their networks.

That requirement is difficult for companies with complex technology estates. A firm may know its main suppliers but still have limited visibility over smaller software dependencies inside products or services it uses.

A weakness in a widely used software library or vendor platform can affect many firms at once. Frontier AI could make those weaknesses easier to find and test.

The authorities said firms should review controls around access management, network security and data protection. They said firms also need capabilities to protect against attacks, detect them, contain threats and respond when incidents occur.

The statement said firms should consider automated and AI-enabled defensive tools where appropriate.

That shows regulators are not advising companies to avoid AI. The warning is aimed at the risk that attackers may use advanced models while firms continue to rely on slower manual processes.

Automated defence, however, depends on basic information about a firm’s systems. Companies need to know what technology they run, which services are connected, who has access, what data is held and how incidents are escalated.

Without that information, new tools may not reduce risk.

The authorities said firms that have underinvested in cyber fundamentals are likely to become more exposed as AI capabilities improve.

The warning is part of a wider shift in the way financial regulators are treating artificial intelligence. The issue is moving beyond questions about internal AI adoption, model governance and customer outcomes. Regulators are now also focused on how AI could be used against firms from the outside.

That distinction matters. A financial firm does not need to build or deploy a frontier AI model to face risk from one. Exposure can come through attackers, suppliers, software vulnerabilities or shared infrastructure.

The authorities said firms should think about the full range of ways frontier AI could affect operational resilience.

The financial sector is a particular focus because disruption can spread quickly. A cyber incident at a bank can affect customers and payment flows. A problem at a major supplier can hit several firms at once. A disruption to market infrastructure can have wider consequences for trading, settlement and confidence.

The statement did not identify any specific firm as underprepared.

It also did not say that frontier AI has already caused a major cyber incident in the UK financial sector. The warning is preventative, aimed at forcing companies to close gaps before the threat becomes harder to manage.

For firms, the immediate work is likely to be practical rather than theoretical: review old systems, check supplier exposure, accelerate patching where possible, tighten access controls and test incident response plans against faster-moving attacks.

The regulators’ message is that frontier AI may not create entirely new cyber weaknesses. It may make existing weaknesses easier to find, easier to exploit and harder to ignore.
