Eleven days before I wrote about the coming wave of AI-driven cyber attacks, the Bank of England, the FCA and HM Treasury quietly published a joint statement saying broadly the same thing. It landed without much noise on 15 May. If your inbox missed it, you are not alone. Most of the boards I work with did too.

The statement is short. It introduces no new rules, no deadlines, and no numerical thresholds. It does something more interesting. The three most powerful financial authorities in the UK have stood up together and said, on the record, that the cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, at greater scale and lower cost, and that firms who have underinvested in core cyber fundamentals “are likely to become progressively more exposed”.

That last phrase is the one I would have on a slide if I were briefing your board this week.

Yesterday I argued that AI cyber attacks were about to scale and that most boards still treat cyber as an IT line item. The regulators have, in their measured way, said the same. They have set out six domains where action is now expected. None are surprising. All are now uncomfortable to ignore.

Governance is first. The statement is explicit that boards and senior management need sufficient understanding of frontier AI risks. Sufficient is doing a lot of work in that sentence. Most non-executive directors I meet would struggle to explain what a frontier model is, let alone what its cyber implications are for the firm they oversee. That is the gap the regulators want closed.

Investment and resourcing comes next. The statement points specifically at end-of-life systems and software out of vendor support. If your technology estate has any of that lurking in it, and most firms do, you are now on notice. The regulators are also nudging firms to look at their cyber insurance. Underwriters have already started to harden their language around AI risk. That will accelerate.

Vulnerability management is the third domain, and it is the one most directly affected by the new AI capabilities. The Mozilla example I cited yesterday is the leading edge of this. Firms will need to triage and remediate vulnerabilities faster, more frequently, and at scale. The regulators say “through automation where appropriate”, which is a polite way of saying you cannot do this with the team you have today.

Then comes third-party risk. Open-source software is named specifically, which matters because most firms have very little visibility of what is actually inside their supply chain. The statement also covers protection, where firms are being asked to consider AI-enabled defences that can operate at the same speed as AI-enabled attacks. And it closes with response and recovery, pointing back to the cyber resilience effective practices the Bank and FCA published last October.

What the statement does not do is set any kind of clock. There is no deadline, no threshold, no new rule. The footnote is careful to note that it “is not intended to introduce new expectations”. The regulators have chosen to reinforce rather than legislate. That is a deliberate choice, and a defensible one. Rules take years. AI capability is moving in months.

But it leaves you, as a board, with a question. If the three authorities you answer to have written down that this is happening, and have written down what they expect you to be doing about it, and have chosen not to give you a deadline or a threshold, then who decides whether you have moved fast enough?

You do.

Imagine sitting in next month’s board meeting as your CIO presents. Two questions hang in the air. How is the firm positioned against each of the six domains the regulators set out on 15 May? And what evidence would you point to if a future PRA review opened by asking what the board did in response? Most firms could not answer the second question crisply today. That is the gap the next six months will close, one way or another.

The regulators have done their bit. They have noticed, they have written it down, they have asked politely. Whether you act is now a board decision, and it will be visible in the audit trail either way.

Source: Bank of England, FCA and HM Treasury joint statement on Frontier AI models and cyber resilience, 15 May 2026