"The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost," the Bank of England, the UK's Financial Conduct Authority (FCA) and the Treasury warned in a joint statement issued on May 15.
The warning and its focus
The May 15 missive from the Bank of England, the FCA and the Treasury was short and direct: as frontier AI models advance, financial services firms must strengthen cyber defences or face amplified threats to safety and soundness, customers, market integrity and financial stability. The agencies said these models' capabilities "if used maliciously, amplify cyber threats" and warned that "as more advanced models become available, these risks are expected to increase."
Governance and strategy: boards, unsupported systems and insurance
The trio urged boards and senior management to have "sufficient understanding" of frontier AI risks and to make investment decisions that reflect the increased threat. That guidance specifically calls for firms to protect "unsupported systems" and to consider cyber insurance as part of a wider strategy. Put bluntly in the notice: "Firms that have underinvested in core cybersecurity fundamentals are likely to become progressively more exposed."
Vulnerability management and third‑party risk
The authorities pressed firms to improve how they handle vulnerabilities at speed and scale. Firms should be able to "triage, prioritize, risk assess and remediate vulnerabilities" rapidly — using automation where necessary while still "mitigating any operational risks." They also highlighted supply-chain exposures: firms must manage frontier AI cyber risks that arise from third parties, including open source software. The letter expects firms to be able to remediate vulnerabilities identified by third parties at scale and to "identify, monitor and manage external applications, libraries and services" that are integrated into their operations.
Protection, response and recovery; NCSC resources and prior guidance
On technical controls the authorities recommended classic and AI-era measures: access management, network security and data protection to reduce the attack surface, alongside "automated and AI-enabled defenses" to match the velocity of AI-driven attacks. They insisted firms should have the ability to respond to and recover from disruption quickly, pointing back to earlier cyber-resilience material: guidance on cyber resilience published by the Bank of England, the Prudential Regulation Authority (PRA) and the FCA in October 2025.
The statement also directed firms to the UK National Cyber Security Centre's (NCSC) resources to prepare for a potential vulnerability "patch wave," to better understand frontier AI, and to use AI as a tool to find vulnerabilities — explicitly recommending the NCSC materials as part of a response toolkit.
Cross Market Operational Resilience Group (CMORG) and ongoing monitoring
The agencies made clear that their communication is not a one-off. "The government and UK financial authorities will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG)," the statement concluded, signaling continued oversight and industry engagement as the technology evolves.
What this means for technologists, policymakers and insurers
- Technologists and security teams: expect pressure to automate detection and patching workflows and to deploy "AI-enabled defenses" that can operate at AI-driven attack tempo; teams will also need to inventory and manage external applications, libraries and services at scale.
- Policymakers and regulators: the Bank of England, FCA and Treasury have positioned monitoring and cross-market engagement—via CMORG—as the mechanism for ongoing supervision of frontier AI risks to financial stability and market integrity.
- Financial firms and insurers: boards and senior management must reassess investments in cyber fundamentals, protect unsupported systems, and consider cyber insurance as one element of strategy; insurers and firms will both be watching remediation capacity for third-party and open-source vulnerabilities.
The message from May 15 is unambiguous: frontier AI is no longer a hypothetical risk to be deferred. The Bank of England, the FCA and the Treasury have laid out specific expectations — from board-level understanding and cyber insurance to automated remediation and AI-enabled defenses — and have signalled they will keep watching developments through CMORG. For firms that have delayed investment in basic cyber hygiene, the agencies made the stakes plain: increased exposure is the likely outcome unless action is taken.
https://www.infosecurity-magazine.com/news/bank-england-fca-treasury-alarm/




