Key facts
- ECB will ask banks to proactively address cybersecurity risks from advanced AI models.
- A 'dear CEO letter' will be sent to banks regarding system robustness and security.
- Frontier AI models are changing the cyber threat landscape by lowering barriers for attackers.
- The ECB views AI's impact on cybersecurity as a strategic, firm-wide challenge.
- Over 85% of banks under European supervision already use AI.
The European Central Bank (ECB) is preparing to formally request that banks implement proactive measures to mitigate escalating cybersecurity risks associated with advanced artificial intelligence (AI) models. Frank Elderson, a member of the ECB's Executive Board and Vice Chair of its Supervisory Board, announced that a 'dear CEO letter' will be distributed to all supervised banks. This letter will urge them to ensure the continued robustness and security of their IT systems in anticipation of evolving cyber threats. The ECB plans to follow up with individual institutions on a targeted basis to confirm these preparatory actions are taken before malicious actors can widely exploit new AI technologies. Elderson explained that frontier AI models are significantly altering the cyber threat landscape by reducing the technical expertise, time, and resources required for attacks, thereby increasing their speed and scale. He characterized these challenges as a strategic, firm-wide issue impacting banks' overall safety and soundness, emphasizing that bank management must assume clear responsibility and allocate commensurate resources. He noted that AI is already in use by over 85% of banks under European supervision, often for operational and security enhancements. However, AI also amplifies the capabilities of malicious actors, necessitating faster, more consistent preparation across the sector. Elderson also pointed out that critical infrastructure supporting banks, such as cloud providers and payment systems, could become targets, increasing the likelihood of scenarios previously considered tail risks. While acknowledging that larger banks may have an advantage in affording defenses, he stressed that all banks, including small and medium-sized lenders, must achieve a sufficient level of operational resilience.