Regulators Issue Joint Warning on Frontier AI Cyber Risks to Financial Firms

  • Writer: OpusDatum
  • May 15

On 15 May 2026, the Financial Conduct Authority (FCA), the Bank of England (BoE) and His Majesty's Treasury (HMT) published a joint statement setting out their expectations for how regulated firms and financial market infrastructures (FMIs) should respond to the escalating cyber risks posed by frontier artificial intelligence (AI) models.


The authorities warn that the cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, operating at significantly higher speed, greater scale and lower cost. If used maliciously, these capabilities amplify threats to firms' safety and soundness, to customers, to market integrity and to wider financial stability. Firms that have underinvested in cyber security fundamentals are expected to become progressively more exposed as models advance.


The statement identifies several domains in which firms should take active steps. Boards and senior management are expected to have a sufficient understanding of frontier AI risks to set strategic direction and oversee control functions, with investment, resourcing and insurance arrangements reflecting the emerging threat. End-of-life systems and those out of vendor support are flagged as areas of heightened exposure.


Firms are also expected to triage, risk assess and remediate vulnerabilities more quickly, more frequently and at scale, using automation where appropriate. Third-party and supply chain risks, including those arising from open-source software, must be actively identified, monitored and managed. On protection, the authorities point to access management, network security and data protection as essential controls, and encourage firms to consider AI-enabled defences capable of operating at the speed of AI-driven attacks.


Response and recovery capabilities should align with the effective practices on cyber resilience published by the BoE, the Prudential Regulation Authority (PRA) and the FCA in October 2025. The authorities will continue to monitor developments and engage with industry through the Cross Market Operational Resilience Group (CMORG).


Firms are encouraged to follow ongoing guidance from CMORG and the National Cyber Security Centre (NCSC), including the NCSC's recent publications on vulnerability patch waves and the use of AI models in vulnerability management.
