AI and Cyber Risk: UK Regulators Sound the Alarm
On 15 May 2026, the Bank of England, Financial Conduct Authority, and HM Treasury issued a joint statement warning that the cyber capabilities of current frontier AI models already exceed those of a skilled human practitioner at significantly higher speed, on a greater scale, and at a lower cost. This announcement follows Anthropic’s agreement to brief members of the Financial Stability Board on vulnerabilities in the cyber defences of the global financial system identified by its latest AI model, Mythos. This was requested by the governor of the Bank of England.
The risks of falling into the wrong hands
In April, Anthropic disclosed that Mythos had "found thousands of high-severity vulnerabilities, including some in every major operating system and web browser", warning that "the fallout for economies, public safety and national security could be severe". Access to Mythos has so far been limited to only around 40 organisations, primarily in the US, following a White House request to not distribute it more widely.
This concern is not hypothetical. Verizon’s annual Data Breach Investigations Report, published on 19 May 2026, found that nearly a third (31%) of all breaches began with the exploitation of vulnerabilities. This is the first time in 19 years that this has surpassed stolen credentials as the biggest point of entry.
The uneven distribution of access to models such as Mythos has raised practical concerns, with organisations and regulators outside the US worried about asymmetric levels of protection. Earlier this month, the IMF warned that frontier AI models "elevate cyber risk to a potential macro-financial shock" and called for closer international collaboration to address this issue.
Keeping pace with an evolving threat landscape
The implications are clear: firms that have invested insufficiently in their core cybersecurity measures are likely to become increasingly exposed as AI models advance. Regulated firms will be expected to take active steps in several areas, such as board-level governance, vulnerability management, overseeing third-party risk, and improving response and recovery capabilities.
Boards and senior management in particular should ensure that they have a sufficient understanding of the risks associated with frontier AI and that investment and resourcing decisions reflect the emerging threat environment. This includes prioritising capacity within security teams. Firms should review whether their end-of-life systems, or systems that are no longer supported by the vendor, are increasing their exposure, and consider whether they have appropriate insurance in place. Vulnerability management processes should be assessed for speed and scalability, including through automation where appropriate. Third-party and supply chain risks, including those relating to open-source software, should be actively identified and managed. According to the Verizon report, 48% of all data breaches involved a third party – a 60% increase on the previous year.
What next?
The evidence suggests that authorities worldwide are treating AI-driven cyber threats with significantly greater urgency. The FSB is now preparing a report on "sound practices" for AI adoption in the financial system, and a consultation on the report is expected to launch next month.
The message for multinational companies is clear, whether they are regulated financial institutions or not: cyber resilience frameworks must keep pace with the capabilities of the AI models that could be used to probe them.