LONDON, May 15, 2026 — The Financial Conduct Authority, Bank of England and HM Treasury said Friday that frontier artificial intelligence models are increasing cyber risks facing regulated financial firms and financial market infrastructures, warning firms to strengthen operational resilience and cybersecurity capabilities against faster and more scalable AI-driven attacks.
In a joint statement, the UK authorities said the cyber capabilities of current frontier AI models already exceed what a skilled practitioner could achieve and can operate “at a significantly higher speed, greater scale, and lower cost.”
The authorities said malicious use of such systems could amplify threats to firms’ safety and soundness, customers, market integrity and financial stability.
Governance and operational resilience
The statement said regulated firms and financial market infrastructures should take active steps across governance, vulnerability management, third-party risk oversight, protection, and recovery capabilities in response to evolving AI-driven cyber threats.
The authorities said boards and senior management should maintain sufficient understanding of frontier AI risks to oversee strategy and control functions effectively.
Investment and resourcing decisions should also reflect emerging cyber risks, including exposure to unsupported legacy systems and systems no longer receiving vendor support, according to the statement.
Vulnerability management and supply-chain risks
The statement said frontier AI models could accelerate the identification and exploitation of vulnerabilities across firms’ technology infrastructure, requiring faster and more scalable remediation capabilities, including automation where appropriate.
The authorities also said firms should strengthen oversight of third-party and supply-chain risks, including risks linked to external applications, libraries, services and open-source software integrated into their networks.
According to the statement, firms should maintain capabilities to identify, monitor, manage and remediate vulnerabilities identified by third parties at scale.
AI-enabled defensive measures
On protection measures, the authorities said firms should maintain effective access management, network security and data protection controls to reduce exposure to AI-driven attacks.
The statement also said firms should consider adopting automated and AI-enabled defensive systems capable of operating at comparable speed to frontier AI-driven cyber threats.
The authorities further said firms should maintain the ability to respond to and recover from disruption quickly and referred market participants to cyber resilience practices published by the Bank of England, Prudential Regulation Authority and FCA in October 2025.
Implications for digital financial infrastructure
While the statement did not directly reference digital assets, the guidance addresses operational resilience, third-party dependencies, cyber preparedness and infrastructure vulnerabilities that increasingly intersect with digital financial infrastructure and broader financial technology markets.
The statement said the UK government and financial authorities would continue monitoring frontier AI developments and engage with industry through the Cross Market Operational Resilience Group.
