UK authorities: Firms must address frontier AI cyber risks
FCA Press

The Financial Conduct Authority, Bank of England, and HM Treasury issued a joint statement on May 15, 2026, urging financial firms to address cyber security risks from frontier AI models. They emphasized the need for robust operational resilience against advanced AI-driven attacks.

AI capabilities amplify cyber threats

Frontier AI models pose significant cyber security and operational resilience challenges, with their capabilities already surpassing skilled human practitioners in speed, scale, and cost.

If used maliciously, these advanced AI tools can amplify cyber threats to firms' safety, market integrity, and financial stability.

UK financial authorities emphasize that regulated firms and financial market infrastructures (FMIs) must implement effective protective, detective, threat containment, and cyber response measures to counter faster and more disruptive AI-driven attacks.

This includes ensuring boards and senior management possess sufficient understanding of frontier AI risks to set strategic direction and oversee control functions.

Investment and resourcing decisions should reflect this emerging threat, addressing increased exposure from end-of-life systems and considering appropriate insurance.

Firms must also enhance their ability to rapidly identify, prioritize, and remediate vulnerabilities across their technology estates.

Shielding against advanced AI attacks

Managing risks from third parties and supply chains, including open-source software, is crucial.

Firms need capabilities to identify, monitor, and manage external applications, libraries, and services integrated into their networks, and be prepared to address vulnerabilities identified by third parties at scale.

Effective access management, network security, and data protection are essential to reduce the attack surface a frontier AI model might exploit.

Firms should consider adopting automated and AI-enabled defenses to operate at comparable speed to AI-driven attacks.

Firms must also be able to respond to and recover from disruption quickly, considering effective practices on cyber resilience published by the Bank, PRA, and FCA.

The UK financial authorities will continue to actively monitor frontier AI developments and engage with industry through CMORG.

Reinforcing existing expectations

The joint statement, while not introducing new expectations, underscores a critical gap between evolving cyber threats and current firm preparedness.

Its reiteration of existing guidance suggests that financial institutions may be underinvesting in core cyber security fundamentals or adapting too slowly to the rapid advancements in AI.

The true challenge lies in translating these reinforced principles into tangible, scaled-up cyber resilience measures across the financial sector.