2026-05-15
The Bank of England, Financial Conduct Authority, and HM Treasury require regulated firms and financial market infrastructures to proactively plan for and mitigate cybersecurity risks posed by rapidly evolving frontier AI models. Firms must strengthen board-level governance, accelerate the identification and remediation of vulnerabilities at scale, manage third-party supply chain risks, and adopt automated AI-enabled defences to match the speed of AI-driven attacks. These measures align with existing operational resilience rules and aim to protect financial stability, customer safety, and market integrity against faster, more disruptive cyber threats.
Statement from the Bank of England, Financial Conduct Authority and HM Treasury
Published on 15 May 2026
Statement
Why frontier AI matters for firms
Artificial intelligence (AI) continues to evolve rapidly. Frontier AI models represent a step-change in capability, with significant implications for cyber security and operational resilience.
The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost. These capabilities, if used maliciously, amplify cyber threats to firms’ safety and soundness, customers, market integrity, and financial stability. As more advanced models become available, these risks are expected to increase. Firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed.
What this means for regulated firms
It is essential that firms have effective protective, detective, threat containment and cyber response capabilities, including the capability to address faster and more disruptive frontier AI-driven attacks.
In line with our operational resilience rules and expectations, regulated firms and financial market infrastructures (FMIs) (together referred to as ‘firms’) need to take action to plan for and mitigate cybersecurity risks posed by frontier AI.
The Government and UK financial authorities judge that firms should be taking active steps across several domains.[1]
Governance and strategy. Firms should ensure their boards and senior management have sufficient understanding of frontier AI risks. This is important to set strategic direction and oversee how control functions manage risks.
Investment and resourcing decisions should reflect the emerging threat, including increased exposure from end-of-life systems or those out of vendor support. Firms should also consider whether they have appropriate insurance in place.
Identification and risk management of vulnerabilities. Frontier AI models can rapidly identify and enable exploitation of a potentially large number of vulnerabilities across firms’ technology estates. Firms should be able to triage, prioritise, risk assess, and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation where appropriate, while mitigating the operational risks from doing so.
Managing risks from third parties. Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software. This means firms should have the capabilities to identify, monitor, and manage external applications, libraries, and services integrated into their networks.
Firms should be prepared to address and remediate vulnerabilities identified by third parties at scale.
Protection. Effective access management, network security, and data protection should enable firms to reduce the attack surface a frontier AI model might access and limit the likelihood and impact of such attacks. Firms should consider adopting automated and AI-enabled defences to operate at comparable speed to AI-driven attacks.
Response and recovery. Firms should be able to respond to and recover from disruption quickly. Firms should read and consider the effective practices on cyber resilience published by the Bank, PRA and FCA in October 2025.
The Government and UK financial authorities will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG).
Further information for firms
Firms should also keep up to date with relevant publications in this space by CMORG and the NCSC, the UK’s technical cyber authority. For example, firms can watch CMORG’s Frontier AI Risk Mitigation Webinar (14 May 2026).
In addition, the NCSC continues to publish practical guidance on how firms should consider and manage the risks from frontier AI. This includes:
Preparing for a ‘vulnerability patch wave’ | National Cyber Security Centre
Why cyber defenders need to be ready for frontier AI | National Cyber Security Centre
10 questions to ask when using AI models to find vulnerabilities | National Cyber Security Centre
NCSC vulnerability management guidance | National Cyber Security Centre
[1] This note is not intended to introduce new expectations; it brings together and reinforces existing messages to support firms as the operating environment becomes more complex.