On 15 May 2026, the Bank of England, FCA and HM Treasury issued a joint statement on “frontier” AI models and cyber resilience. For regulated firms in UK financial services, it sets a clear new bar: the cyber threat landscape has shifted, and firms that have underinvested in security fundamentals are now visibly exposed.
This isn’t a future-state warning; it’s a present-tense regulatory expectation.
Why frontier AI changes the cyber security equation
The UK’s financial authorities have confirmed what many CISOs already suspected: the most up-to-date AI models are already outperforming skilled human attackers – faster, cheaper, and at greater scale.
Used maliciously, these capabilities amplify every category of risk that matters to a regulated firm: safety and soundness, customer protection, market integrity, and financial stability. And the trajectory only steepens. As more capable models reach the open market, the gap between attacker speed and defender response will widen – unless firms close it deliberately.
What UK regulators expect firms to do
The joint statement sets out five domains where regulated firms and financial market infrastructures (FMI) are expected to demonstrate active progress:
1. Governance & strategy
Boards and senior management must understand frontier AI risk well enough to set strategic direction and challenge control functions. Investment decisions should reflect rising exposure, particularly from end-of-life or unsupported systems, and cyber insurance arrangements should be reviewed.
2. Vulnerability identification & management
Frontier AI can identify and exploit vulnerabilities across an estate at machine speed. Firms must triage, prioritise, risk-assess and remediate more quickly, more frequently, and at scale, with automation where appropriate.
3. Third-party and supply chain risk
Open-source libraries, integrated services and external applications all sit inside your attack surface. Firms need the capability to identify, monitor and remediate third-party vulnerabilities at scale.
4. Protection
Access management, network security and data protection should be tuned to reduce the surface a frontier AI model could reach. Regulators explicitly encourage firms to adopt AI-enabled defences that can operate at the same speed as AI-driven attacks.
5. Response and recovery
Firms must be able to respond to and recover from disruption rapidly, aligned with the Effective Practices on Cyber Response and Recovery Capabilities (published by the Bank, PRA and FCA in October 2025).
The authorities will continue to monitor frontier AI developments and engage industry through the Cross Market Operational Resilience Group (CMORG).
Four questions every finance leader should be asking
If a frontier AI-powered attack hit your firm next quarter, could you:
For many firms, the honest answer to at least one of these is “not yet.” That’s the gap regulators now expect you to close.
Proteq Advanced: cyber resilience built for regulated firms
Equity’s Proteq Advanced is a compliance-focused cyber security solution built specifically for regulated firms in UK financial services. It maps directly to the domains highlighted in the Bank of England statement:
Because Proteq Advanced is engineered around the regulatory frameworks your firm already operates under, the same investment that strengthens your security posture also strengthens the evidence base you present to regulators.
Move from regulatory awareness to regulatory confidence
Frontier AI has changed what “good looks like” for cyber resilience in financial services. The regulators have said so plainly. The question is no longer whether to act; it’s how quickly and how well.
Equity helps finance-sector firms move from regulatory awareness to regulatory confidence, with a clear path from current state to a Proteq Advanced-aligned posture.