The Bank of England, the Financial Conduct Authority (FCA) and HM Treasury have issued a joint statement warning that frontier AI models pose a growing and material threat to the cyber resilience of regulated financial firms and financial market infrastructures (FMIs).
The three authorities have set out that firms must take active steps across governance, vulnerability management, third-party risk, protection, and response and recovery to address the escalating risks posed by frontier AI. The statement makes clear that underinvestment in core cyber security fundamentals will leave firms progressively more exposed as more advanced models become available.
Central to the authorities' concerns is the speed and scale at which frontier AI can be weaponised. The cyber capabilities of current frontier AI models already exceed what a skilled human practitioner could achieve, operating faster, at greater scale, and at lower cost. Used maliciously, these capabilities could amplify threats to firms' safety and soundness, their customers, market integrity, and the broader stability of the financial system.
On governance, firms are expected to ensure their boards and senior management have sufficient understanding of frontier AI risks in order to set strategic direction and oversee how control functions respond. Investment and resourcing decisions must reflect the emerging threat, including exposure arising from end-of-life systems or those no longer receiving vendor support. Firms are also advised to review whether their insurance arrangements remain appropriate.
When it comes to vulnerability management, frontier AI models can rapidly identify and facilitate exploitation of a potentially large number of weaknesses across a firm's technology estate. Regulated firms must be able to triage, prioritise, risk-assess, and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation, while managing the operational risks that this brings.
Third-party risk is also highlighted as a key area of concern. Firms are expected to identify, monitor, and manage external applications, libraries, and services integrated into their networks, and to be prepared to remediate vulnerabilities identified by third parties at scale, including those originating from open-source software.
On protection, the statement stresses that effective access management, network security, and data protection are essential to reducing the attack surface accessible to a frontier AI model, and to limiting the likelihood and impact of any such attack. Firms are encouraged to consider deploying automated and AI-enabled defences capable of operating at a comparable speed to AI-driven threats.
For response and recovery, regulated firms are directed to the effective practices on cyber resilience published jointly by the Bank, the Prudential Regulation Authority (PRA) and the FCA in October 2025. The three authorities have stated they will continue to monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG).