The UK’s financial services firms must take active steps to manage the cybersecurity risks stemming from frontier AI, the UK government, the UK's Financial Conduct Authority (FCA) and Bank of England have said.
A missive from the trio on May 15 was intended to clarify and reinforce their message “as the operating environment becomes more complex”.
It warned that the sector must put in place “effective protective, detective, threat containment and cyber-response capabilities” in order to mitigate cyber risks posed by the rapidly advancing technology.
“The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost,” it noted.
“These capabilities, if used maliciously, amplify cyber threats to firms’ safety and soundness, customers, market integrity and financial stability. As more advanced models become available, these risks are expected to increase. Firms that have underinvested in core cybersecurity fundamentals are likely to become progressively more exposed.”
Time to Take Action
The statement urges action across several domains:
- Governance and strategy: Boards and senior management must have “sufficient understanding” of frontier AI risks and make investment decisions that reflect the increased threat. This includes protecting unsupported systems and taking out cyber insurance
- Vulnerability management: Firms should be able to “triage, prioritize, risk assess and remediate vulnerabilities” rapidly and at scale – using automation where necessary while mitigating any operational risks
- Third-party risk: Firms should effectively manage frontier AI cyber risks from supply chains, including open source software. They should be able to remediate vulnerabilities identified by third parties at scale and “identify, monitor and manage external applications, libraries and services” integrated into their operations
- Protection: The authorities recommend access management, network security and data protection to help reduce the attack surface, as well as “automated and AI-enabled defenses” to match the velocity of AI-driven attacks
- Response and recovery: Firms should be able to respond to and recover from disruption quickly, noting previous guidance on cyber resilience published by the Bank of England, Prudential Regulation Authority (PRA) and FCA in October 2025
“The government and UK financial authorities will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG),” it concluded.
The BoE, FCA and Treasury also pointed financial services firms to the UK National Cyber Security Centre's (NCSC) resources that could help them prepare for a vulnerability “patch wave,” better understand frontier AI, and use AI to find vulnerabilities.
