2026-07-03

Added · Updated

July 2026 CEO Letter on AI and Technology Vulnerability Management

The Guernsey Financial Services Commission requires financial firms to treat technology risk as a dynamic exposure and maintain robust IT patching regimes capable of addressing vulnerabilities rapidly exposed by advanced AI discovery tools. Firms must verify that both internal processes and outsourced third-party providers can execute accelerated remediation cycles without compromising established security controls. Senior management and boards are directed to actively oversee these evolving technological threats and ensure continuous system reviews align with the regulator’s principles-based framework.

Guernsey Financial Services Commission logo

Guernsey

Guernsey Financial Services Commission

Click to view thumbnail

7 July 2026 Dear CEO Ongoing Technology Risk and the Use of Advanced Vulnerability Discovery Tools The Commission supports innovation and recognises the role that Artificial Intelligence (“AI”), in all forms, could play in transforming the way financial services are administered, managed and delivered at all levels (Policy Statement – Use of Artificial Intelligence — GFSC). Recent international developments, including the use of advanced AI tools to identify vulnerabilities within existing software, have demonstrated both the opportunities and risks arising from rapidly advancing technology. The Commission notes that such tools do not necessarily create new weaknesses; rather, they expose ones that already exist within systems relied upon by firms, customers and markets. This discovery capability can materially improve defensive arrangements, but it also reinforces the importance of continuous and proactive maintenance of technology environments. The Bailiwick’s principles‑based regulatory framework is deliberately designed to enable firms to embrace technological change without inhibiting innovation. It also places a responsibility on firms to ensure systems that are in use are subject to ongoing review and updates where appropriate. Firms should be satisfied that technology risk is not treated as static, but as an evolving exposure, requiring ongoing monitoring. It is important that the firms, understand the IT patching regime in place for its organisation, and that it remains appropriate, especially if, with recent developments, there is a need to rectify weaknesses in a significantly shortened timeframe without reducing checks and controls. If a firm is using a third￾party outsourced provider, they should ensure that this outsourced provider is able to meet the ongoing needs of the firm with respect to this changing environment. I should be grateful if you could bring this letter to the attention of your Board and senior management. Yours sincerely, Conor Osborough Director of Technology