AI models pose systemic cyber risks, ESAs back ESRB warning
The European Supervisory Authorities (ESAs) support the European Systemic Risk Board's (ESRB) warning on systemic cyber risks from frontier AI models. Financial entities must adapt cybersecurity, and supervisors should reflect these risks.
AI amplifies cyber vulnerabilities
The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) have formally endorsed the European Systemic Risk Board's (ESRB) recent warning regarding systemic cyber risks posed by frontier AI models.
These advanced AI technologies significantly enhance the ability to rapidly identify and exploit high-severity vulnerabilities in IT systems.
This presents a new frontier in cyber threats, demanding heightened vigilance from the financial sector.
While the EU's robust regulatory framework, including the Digital Operational Resilience Act (DORA) and the AI Act, provides a solid foundation for managing cyber and AI-related risks, the speed, scale, and sophistication of these new AI-driven tools are raising serious concerns.
AI-enabled cyber-attacks could critically undermine the operational resilience of financial entities across the EU.
The ESAs emphasize that the rapid evolution of highly capable AI-driven tools necessitates an immediate and adaptive response from the financial sector to maintain robust cybersecurity and ensure stability across the financial system.
Urgent call for adaptation
The ESAs have consistently raised awareness about ICT risks from frontier AI models, encouraging financial entities to strengthen cybersecurity.
Now, supporting the ESRB's warning, they urge financial entities to adapt their cybersecurity capabilities and invite competent authorities to reflect these developments in supervisory activities.
The ESAs also back the ESRB's call for the European Union to enhance its capacity, expertise, and strategic autonomy in this critical area, requiring broad stakeholder involvement.
To ensure compliance with DORA, the ESAs are actively collaborating with the EU supervisory community for proactive risk identification and mitigation.
As Overseers of Critical ICT Third-Party Providers, they are engaging with these providers on adaptation measures to manage risks and ensure service continuity for the EU financial sector.
This ongoing work, including clarifying supervisory expectations, aims to promote a consistent, risk-based approach.