By David Barwick – FRANKFURT (Econostream) – European Central Bank Executive Board member Frank Elderson said Wednesday that the ECB would ask banks to take proactive steps to protect themselves against cyber risks stemming from frontier artificial intelligence models.

Elderson, who is also vice chair of the ECB Supervisory Board, said in a keynote speech in Zurich that the ECB would send a “dear CEO letter” to all banks asking them to ensure the continued robustness and security of their systems.

The ECB would then follow up with individual banks in a targeted manner, he said.

“Our aim is straightforward: to ensure that banks take the necessary steps now, before these technologies are more widely used by threat actors,” he said.

Frontier AI models were changing the cyber threat landscape by lowering barriers for attackers, increasing the speed at which vulnerabilities could be exploited and exposing weaknesses that had been tolerated for too long, he said.

“This is not about creating a sense of alarm, but rather a sense of urgency,” Elderson said.

The challenges posed by new generations of AI models should not be seen merely as a cybersecurity issue, but as a firm-wide strategic challenge with potential implications for banks’ safety and soundness, he said.

Bank management bodies needed to take clear ownership of the issue and ensure that resources and tools were commensurate with the scale of the challenge, he said.

The ECB last week brought together supervised banks to discuss the implications of frontier AI models for banks’ resilience and the practical actions needed in response, he said.

AI was already widely used by banks, Elderson said, citing ECB annual data showing that more than 85% of banks under European banking supervision use artificial intelligence.

Used responsibly, AI could help banks strengthen operations, improve risk management and enhance IT security, he said. At the same time, it also “vastly improves the capabilities available to malicious actors.”

Cyberattacks that previously required substantial expertise, time and resources could in the future be carried out more quickly, at scale and by a broader set of malicious actors, he said.

The direction of travel was “unmistakable,” Elderson said.

“[T]he speed, scale and accessibility of advanced cyber capabilities are increasing, and the time available to defenders is shrinking,” he said. “Banks therefore need to prepare more quickly, more effectively and more consistently across the sector.”

The ECB official said operational resilience was not separate from the debate on banking-sector competitiveness, but part of the foundation that shaped banks’ ability to compete.

If banks were unable to maintain customer trust by providing reliable service, their competitiveness in an increasingly digitalized financial system would be undermined, he said.

Strengthening operational resilience required multi-year investment in people, systems and governance, he said. Strong bank profitability gave the sector an opportunity to continue investing.

The defensive capabilities of the banking sector were not evenly distributed, he said, with some larger banks better placed to match IT budgets to the scale of the task than small and medium-sized banks.

Still, Elderson said this was no reason for inaction.

“[A]ll banks must be able to ensure a sufficient level of operational resilience,” he said.

The point was particularly important at a time when further proportionality in supervision and regulation had become topical, he said.

There were areas where a more proportionate approach was worth pursuing, he said. “Such enhanced proportionality, however, cannot come at a cost of prudent risk management.”