InfiniteFlow-stock.adobe.com
European Central Bank demands AI security ’action plan’
European Central Bank gives banks deadline to outline their plans to defend against artificial intelligence-based security threats
The European Central Bank (ECB) has given banks four months to outline how they plan to protect against artificial intelligence (AI)-based cyber threats.
Banks have until 31 October this year to submit an action plan to the Joint Supervisory Team at the ECB.
Claudia Buch, chair of the supervisory board at the ECB, wrote to major banks demanding they “assess the impact of the evolving threat landscape without delay”.
She highlighted that AI’s ability to identify vulnerabilities quickly means existing unresolved weaknesses, which could be years old, “become increasingly material and pose significant risks to operational resilience”.
In April, UK banks were on red alert as Anthropic’s Mythos AI model quickly revealed thousands of security flaws, many of which had been undetected for years. At the time, the software firm’s European boss, Pip White, said the company had opened Mythos to a number of organisations, including Microsoft, Amazon Web Services (AWS) and some financial institutions.
“Mythos has really showed us that there are a lot of very severe vulnerabilities right now,” she said, adding that Mythos found vulnerabilities in every single operating system and in every single web browser.
In Buch’s letter to bank bosses, she demanded an “action plan outlining concrete measures to strengthen relevant controls, allocating the necessary resources, assigning clear roles and responsibilities, and defining timelines for implementation”.
She said focus should be put on accelerating vulnerability and patch management at scale; enhancing monitoring, detection and AI-enabled defensive capabilities; and verifying that third-party risk management is fit for purpose.
Buch said responsibility lies with the banks’ management and stressed that strategic ICT-related decisions, including investments and resource allocation, may need to be revisited.
In recognition of the challenge faced by banks in providing an action plan, the ECB has extended the deadline for completing its annual Risk Questionnaire from September 2026 to February 2027.
More to come
Buch signed off with a warning that more is to come as quantum computing development accelerates.
“Lastly, the ECB would like to highlight that other emerging technologies, like the ongoing progress towards practical quantum computing, will have a significant impact on the cyber security landscape,” she wrote. “The adoption of post-quantum cryptography may involve a longer time frame, but must start now and necessitates sustained, strategic investment over time. The ECB will address the emerging risk to traditional encryption methods posed by advances in quantum computing in a separate letter in due course.”
In the UK, regulators are turning up the volume in response to AI threats. The Financial Conduct Authority (FCA) published a “landmark review” this week, describing AI as a “defining force” that will change financial services to consumers, but one that could “amplify risks”.
Announced in January, The Mills Review looked at the impact AI could have on consumers, finance firms and regulators in the future.
The review, which was carried out by FCA director Sheldon Mills, was announced shortly after a Treasury Committee warned in January that financial regulators’ current approach to AI is exposing the UK public and the country’s financial system “to potential serious harm”.
In his conclusion, Mills said AI is likely to become a defining force in retail financial services, transforming how firms operate, how consumers make financial decisions and how markets function.
Jonathan Frost, director of global advisory for EMEA at cyber security company BioCatch, said: “Agentic AI is about to make fraud dramatically cheaper to run and easier to scale, fundamentally changing the economics of financial crime. Banks that rely on deterministic rules risk being overwhelmed, with threat actors seeking to use AI to automate fraud pipelines that learn and adapt in real time.”
Read more about AI and cyber threats
- Frontier AI models will pose a greater cyber security risk to governments and businesses than previously thought, putting them at risk within months.
- Anthropic’s Claude Mythos has generated buzz and alarm among CIOs and CISOs, who fear the model could expose vulnerabilities and drive unprecedented levels of hacking.
- Mythos Preview exposed 10,000-plus security flaws at tech giants in one month, revealing both opportunities and risks for the future of cyber security.
