ECB tells banks: Fix AI cyber gaps by Oct. 31

ECB President Christine Lagarde Speaks On Closing the Gender Gap In Financial Literacy
Claudia Buch, chair of the supervisory board at the European Central Bank (ECB)
Alex Kraus/Bloomberg
  • Key insight: Beyond faster patching, the letter tells banks to shrink their internet-facing attack surface, replace end-of-life technology and elevate cyber decisions to the board.
  • What's at stake: The euro-area subsidiaries of J.P. Morgan, Goldman Sachs, Citi and Morgan Stanley are ECB-supervised, so they face the same Oct. 31 deadline as any European bank.
  • Forward look: The ECB signals it is not done, saying a separate letter on the cyber risk from quantum computing is coming.

Overview bullets generated by AI with editorial review.

Processing Content

The European Central Bank ordered the banks it supervises to draw up formal plans for defending against AI-powered cyberattacks and gave them until Oct. 31 to hand in those plans.

The order came Tuesday in a letter to the chief executive of every bank the ECB directly oversees, signed by its top supervisor, Claudia Buch.

Each plan has to spell out the concrete steps a bank will take to defend against AI-powered attacks, name who inside the bank is accountable for carrying them out, put money and staff behind the work and set deadlines for finishing it. The plan then goes to the ECB team that supervises the bank.

Those supervisors will meet with each bank to review its plan. The ECB said it will also study them collectively to find shared weaknesses.

The letter does not threaten a specific penalty for missing the deadline. It said the action plans are supervisory expectations and that the ECB will keep pressing each bank on its progress.

The letter still carries weight, according to Justin Herring, former head of the cybersecurity division at the New York State Department of Financial Services who is now a partner at the law firm Mayer Brown. Banking regulators "can absolutely hold banks to a deadline like this," he said.

Herring said he would expect the ECB to "grant some leeway if a bank's plan is delayed for good reason" or comes in less complete than the regulator wants, given how new the questions are.

"But if the ECB is dissatisfied with the response, they can impose a range of sanctions," he said, from "a formal order to comply to fines or restrictions on the ability to take on new business."

As recently as the spring, the ECB was making the case from conference stages that banks need to treat frontier artificial intelligence (the most advanced, cutting-edge models) as a turning point in cybersecurity.

Not only does Buch's letter come with a due date; it pushes back other due dates to allow banks to meet it, a concrete signal of the urgency the ECB sees in AI-powered cyber threats.

The ECB directly supervises a handful of euro-area subsidiaries of the largest American banks, including JPMorganChase, Goldman Sachs, Citi and Morgan Stanley. So, these subsidiaries will also face the Oct. 31 deadline.

The letter is one of the most detailed playbooks any major regulator has published on the cyber risks of frontier AI and a roadmap for U.S. supervisors if they decide to start a crackdown (although they have, to date, signaled no appetite for doing so).

In its spring risk report, the Office of the Comptroller of the Currency said AI "is significantly transforming the cyber threat landscape" and increasing "the speed, scale, and sophistication" of attacks.

However, it has set no comparable requirement or deadline, nor has any other U.S. regulator. But that does not mean U.S. supervisors are quiet, according to Herring.

"While there has been no open letter, major U.S. financial institutions have been inundated with questions from regulators about deploying frontier AI models and preparing for adversaries with such powerful tools," he said.

He called the level of attention "unprecedented," saying he had "never seen this kind of focus on a specific set of cybersecurity tools before."

JPMorganChase, Goldman Sachs, Citi and Morgan Stanley did not immediately respond to requests for comment about how their European units are preparing for the October deadline from the ECB.

The clearest glimpse of frontier models' capabilities came this year when AI company Anthropic said its controlled-release AI model found thousands of previously unknown vulnerabilities across major operating systems and web browsers. The company has kept access to the model tightly restricted.

The ECB did not directly name that model (called Claude Mythos). Rather, Buch called the danger a lasting shift "rather than a temporary phenomenon or a risk tied to any single tool."

When describing the new paradigm, she characterized it the same way Anthropic has described Mythos; AI that can find software flaws and build working exploits far faster than people can.

What the ECB is asking for

The heart of the ECB's letter is a to-do list.

For one, it tells banks to "accelerate vulnerability and patch management at scale." AI is helping attackers find and exploit software flaws faster, which shrinks the window a bank has to install a fix before an intruder reaches the hole.

That is one among several items; some others are far heavier lifts. For example, another is to shrink what an attacker can reach, known as the attack surface. Buch said that will require identifying and cutting unneeded internet-facing systems.

The systems the letter tells banks to consider cutting include third-party software and open-source components, cloud environments and connections to outside vendors.

Unlike patching, which banks already run on a cycle, this is structural work; it means taking inventory of every internet-facing system and outside dependency then decommissioning or isolating whatever the bank does not need.

This changes how a bank's technology is built and connected rather than just running a routine task faster.

Another item on the ECB's to-do list for banks is to modernize aging technology by replacing what the letter calls "legacy, unsupported or end-of-life" systems, which is the kind of overhaul that takes years rather than quarters.

Of everything on the ECB's list, that is the heaviest lift, Herring said, calling the replacement of legacy technology "the biggest long-term challenge."

Most banks run systems "built over years or decades, with parts that are difficult to adapt to modern requirements," he said. Those are the hardest to keep patched, just as frontier AI models grow "extremely good at finding vulnerabilities that need to be patched."

Banks also have to sharpen their monitoring, detection and their own AI-aided defenses and confirm that their oversight of critical technology suppliers still holds up.

The ECB pushed the issue of AI-powered threats into the boardroom. Responsibility "primarily lies with banks' management bodies," Buch wrote, and decisions about technology spending, staffing and risk tolerance "may need to be revisited."

The ECB frames these demands as meeting the requirements of the EU's Digital Operational Resilience Act, the bloc's rulebook for keeping financial firms running through technology failures.

The letter also presses banks to close gaps flagged in the ECB's 2024 cyber stress test, which examined 109 banks.

A shrinking timeline

To give banks bandwidth to shift focus to AI-powered threats, the ECB is pushing back other deadlines. A yearly technology-risk questionnaire, which banks must normally complete by September, is now due February 2027. The regulator said it may also ease some on-site inspections case by case.

The same day Buch issued the ECB letter, the European Systemic Risk Board (the EU body that watches for threats to the financial system as a whole) issued a formal warning about "systemic cyber risks stemming from frontier artificial intelligence models."

The board made the case that these models change the math of an attack. It said the models can run "fully automated cyber-attacks" and build a working exploit in "minutes or hours" where human experts once needed "days or weeks," what the board called a "collapse of defensive time buffers."

Its deeper worry is scale. If a flood of critical vulnerabilities hits many banks at once, there is "no fully effective mitigation framework available," the board said.

Buch signaled the ECB is not done; she wrote that a separate letter on preparing for quantum computing, which threatens the encryption banks rely on today, is coming.


For reprint and licensing requests for this article, click here.
Regulation and compliance Cyber Security Artificial Intelligence European Union Risk management Technology
MORE FROM AMERICAN BANKER
Load More