Bank, FCA and Treasury set out AI resilience rules


The Bank of England, the Financial Conduct Authority (FCA) and HM Treasury have issued a joint statement warning that frontier AI models pose a mounting threat to the cyber resilience of regulated financial firms and financial market infrastructures (FMIs).

The three authorities have identified several domains in which firms are expected to take active steps. These span board-level governance, investment and resourcing, vulnerability management, third-party risk, network protection, and incident response and recovery.

The statement says that the offensive cyber capabilities of today's frontier AI models already exceed those of a skilled human practitioner, and that they operate at greater speed, broader scale and lower cost. The regulators cautioned that malicious use of these capabilities threatens firm safety and soundness, consumer protection, market integrity and financial stability, and that the risk is expected to grow as more capable models are released. Firms that have underinvested in foundational cyber security controls are considered particularly exposed.

On governance, the authorities stated that boards and senior management must develop adequate understanding of frontier AI risks to set strategic direction and provide meaningful oversight of control functions. Resourcing and investment decisions should account for the evolving threat landscape, including heightened risks from legacy and end-of-life systems no longer receiving vendor support. Firms were also advised to review whether their existing insurance arrangements remain appropriate.

Regarding vulnerability management, the statement noted that frontier AI models are capable of rapidly identifying and exploiting large numbers of vulnerabilities across a firm’s technology estate. Firms are expected to triage, prioritise, assess, and remediate these vulnerabilities with greater speed and frequency, deploying automation where suitable, while managing the operational risks that come with doing so.

On third-party risk, firms must be able to identify, monitor, and manage external applications, libraries, and services embedded within their networks — including open-source software — and be ready to remediate vulnerabilities flagged by external parties at scale.

For protection, the authorities highlighted that robust access management, network security and data protection reduce the attack surface available to attackers using frontier AI. Firms were encouraged to consider AI-enabled and automated defences capable of operating at the same pace as AI-driven attacks.

On response and recovery, the statement directed firms to the effective practices guidance on cyber response and recovery capabilities published jointly by the Bank of England, the Prudential Regulation Authority (PRA), and the FCA in October 2025. The Government and UK financial authorities said they would continue monitoring frontier AI developments and engage with the sector through the Cross Market Operational Resilience Group (CMORG).


Copyright © 2026 RegTech Analyst
