On 15 May 2026, the Bank of England (BoE), Financial Conduct Authority (FCA) and HM Treasury (HMT) (the Regulators) published a joint statement on frontier AI models and cyber resilience.
Summary
The Regulators consider that AI continues to evolve rapidly and that, in particular, frontier AI models represent a step-change in capability, with significant implications for cyber security and operational resilience.
As a result, the Regulators consider it essential that firms have effective protective, detective, threat containment and cyber response capabilities, including to address faster and more disruptive frontier AI-driven attacks. In particular, firms should be taking active steps in relation to:
- Governance and strategy: Firms should ensure their boards and senior management have sufficient understanding of frontier AI risks. Investment and resourcing decisions should reflect the emerging threat, including increased exposure from end-of-life systems or those out of vendor support. Firms should also consider whether they have appropriate insurance in place.
- Identification and risk management of vulnerabilities: Firms should be able to triage, prioritise, risk assess, and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation where appropriate, while mitigating the operational risks from doing so.
- Managing risks from third parties: Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software. Firms should also be prepared to address and remediate vulnerabilities identified by third parties at scale.
- Protection: Effective access management, network security, and data protection should enable firms to reduce the attack surface a frontier AI model might access and limit the likelihood and impact of such attacks. Firms should consider adopting automated and AI-enabled defences to operate at comparable speed to AI-driven attacks.
- Response and recovery: Firms should be able to respond to and recover from disruption quickly. Firms should read and consider the effective practices on cyber resilience published by the Regulators in October 2025.
Next steps
The Regulators will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group.
