The Bank of England, FCA and Treasury have released a joint statement on Frontier AI models and cyber resilience.
The regulators say frontier AI models represent a "step-change in capability", with significant implications for cyber security and operational resilience.
The statement said: "The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost.
"These capabilities, if used maliciously, amplify cyber threats to firms’ safety and soundness, customers, market integrity, and financial stability."
As more advanced models become available, these risks are expected to increase, and the regulators say firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed.
What this means for regulated firms
In the statement, the Bank, FCA and Treasury say it is "essential that firms have effective protective, detective, threat containment and cyber response capabilities including to address faster and more disruptive frontier AI-driven attacks".
The Government and UK financial authorities judge that firms should be taking active steps across several domains:
- Governance and strategy. Firms should ensure their boards and senior management have sufficient understanding of frontier AI risks. Investment and resourcing decisions should reflect the emerging threat, including increased exposure from end-of-life systems or those out of vendor support. Firms should also consider whether they have appropriate insurance in place.
- Identification and risk management of vulnerabilities. Frontier AI models can rapidly identify and enable exploitation of a potentially large number of vulnerabilities across firms’ technology estates. Firms should be able to triage, prioritise, risk assess, and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation where appropriate, while mitigating the operational risks from doing so.
- Managing risks from third parties. Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software. This means firms should have the capabilities to identify, monitor, and manage external applications, libraries, and services integrated into their networks. Firms should be prepared to address and remediate vulnerabilities identified by third parties at scale.
- Protection. Effective access management, network security, and data protection should enable firms to reduce the attack surface a frontier AI model might access and limit the likelihood and impact of such attacks. Firms should consider adopting automated and AI-enabled defences to operate at comparable speed to AI-driven attacks.
- Response and recovery. Firms should be able to respond to and recover from disruption quickly.


