A joint regulator warning: Frontier AI and cyber resilience issues for regulated financial services firms

On Friday last week, the Bank of England, Treasury and FCA issued a joint statement on the new threats to cybersecurity and operational resilience posed by the recently released frontier AI models.

If you want some back-reading on this rapidly developing topic, take a read of my recent posts on Mythos etc. and on the recently released collaborative survey looking at key issues across the globe in AI in financial services. 

The regulators are justifiably uneasy right now. Here is why:

• The current frontier AI models are significantly capable and can be expected to very quickly become even more capable;
• In the wrong hands, these models pose a very serious threat to the financial services ecosystem and every participant in it; and
• Any firm that has underinvested in its security fundamentals is a weak link in the ecosystem's defences.

The call to action for regulated firms is clear:

• Ensure that you are ready to respond to and contain malicious acts driven by the latest frontier AI models:
  • Get boards and senior managers up to speed with the latest risks;
  • Invest and resource your teams consistent with the threat level;
  • Identify your vulnerabilities, triage them and fix them;
  • Consider your third-party risks, address them and fix them;
  • Think about where automation and ‘AI-enabled defences’ may be needed to empower you to act quickly enough; and
  • Be prepared to respond to threats quickly. 

It is challenging not to get dragged into a doom-loop, but these threats are very real and there are many stories, some light-hearted and some less so, about the capabilities of these latest models. Given this jointly issued warning, it is beyond clear what the regulators are expecting of firms, and all regulated firms need to be focused on fixing their vulnerabilities and getting up to speed with the latest risks as a matter of priority. 

Our thought leadership:

You can subscribe to our monthly financial services regulation update by clicking here, clicking here for our AI blog, and here for our AI newsletter. You can meet our financial services experts here and our AI experts here.

The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost. These capabilities, if used maliciously, amplify cyber threats to firms’ safety and soundness, customers, market integrity, and financial stability. As more advanced models become available, these risks are expected to increase. Firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed.

https://www.bankofengland.co.uk/news/2026/may/boe-fca-and-hm-treasury-joint-statement-on-frontier-ai-models-and-cyber-resilience