Elderson: AI reshapes cyber threats, demands bank resilience
ECB Speech

ECB Executive Board Member Frank Elderson warned that advanced AI models are fundamentally altering the cyber threat landscape for banks. Speaking in Zurich, he stressed the urgent need for robust operational resilience to safeguard critical services.

AI's structural shift in cyber threats

Elderson highlighted that AI adoption is widespread among significant European banks, with over 85% utilizing the technology.

While AI can strengthen operations and risk management, it also vastly improves malicious actors' capabilities.

He noted that sophisticated cyberattacks, once requiring deep technical expertise and months of effort, can now be launched with greater speed and precision by a broader range of actors due to new large-scale AI models.

These tools can discover and exploit vulnerabilities at unprecedented speed and scale, combining minor weaknesses into serious attacks.

This structural shift lowers the "price of admission" for cybercriminals, making advanced attacks more accessible and challenging even state-of-the-art defenses.

Elderson emphasized that the speed, scale, and accessibility of advanced cyber capabilities are increasing, while defenders' time to react is shrinking.

Supervisory focus and DORA's framework

Elderson acknowledged that banks and supervisors have made significant progress in operational resilience over the past decade, with financial services among the best-prepared sectors for cyberattacks.

He cited the 2024 cyber resilience stress test on 109 banks, which confirmed existing frameworks while highlighting areas for improvement, with almost three-quarters of findings already addressed.

The Digital Operational Resilience Act (DORA), which entered into force last year, provides a regulatory framework that fosters continuous improvement in IT and cyber risk management and enhances oversight of critical third-party providers.

DORA also tasks supervisors with testing institutions' ability to detect, respond to, and recover from sophisticated real-world threats.

These collective efforts have raised the cost and complexity of successful attacks, pushing threat actors towards less prepared sectors.

No room for complacency

Elderson's warning underscores a critical truth: operational resilience is a continuous, costly endeavor, not a one-off fix.

While DORA and stress tests provide a solid foundation, the rapidly evolving AI threat landscape demands proactive, multi-year investment.

Banks must internalize that competitiveness hinges on trust, which is easily eroded by cyber failures, making this an existential challenge.