Financial firms told to bolster cyber defences
The Cyprus Securities and Exchange Commission (CySEC) has warned regulated financial entities about the growing cybersecurity threats posed by advanced artificial intelligence models and called on firms to strengthen their digital resilience frameworks in line with European rules.
In a circular sent to relevant stakeholders, CySEC drew attention to the increasing risks associated with so-called frontier AI models, which it said are capable of identifying and exploiting software vulnerabilities at unprecedented speed and scale. The regulator addressed the warning to Cyprus Investment Firms (CIFs), central securities depositories, trading venues, crypto-asset service providers, alternative investment fund managers and UCITS management companies.
According to CySEC, recent developments in advanced AI systems have demonstrated both the benefits of these technologies for defensive cybersecurity purposes and the dangers arising from their potential malicious use. The commission explained that these developments could significantly accelerate vulnerability discovery and exploitation cycles. It added that this may increase the sophistication, frequency and scale of cyberattacks directed at financial institutions and their ICT third-party service providers.
CySEC reminded entities covered by the Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, that they are required to maintain robust ICT risk management frameworks capable of responding to evolving cyber threats, including those linked to emerging AI technologies. The regulator said it expects firms, in a manner proportionate to their size, nature, scale and complexity, to assess whether their existing ICT risk management arrangements remain adequate. Where necessary, entities should strengthen controls and processes to address the changing threat environment, it added.
CySEC urged firms to enhance the identification and assessment of ICT vulnerabilities, including through stronger threat intelligence and improved vulnerability monitoring capabilities. The commission also advised firms to review the effectiveness and speed of vulnerability remediation and patch management processes, particularly for critical systems and legacy infrastructure.
In addition, the regulator stressed the importance of ensuring that ICT systems continue to incorporate security and resilience by design. It also called on firms to reassess identity and access management controls and the resilience of critical ICT assets. Particular attention should also be given to the preparedness and resilience of ICT third-party service providers and supply chain dependencies, according to the circular.
CySEC further encouraged firms to strengthen monitoring and detection capabilities in order to identify increasingly sophisticated cyber threats. The regulator said entities should consider greater use of automation and enhanced security orchestration to improve response times and incident handling capabilities.
It also stressed the importance of ensuring that backup, restoration and disaster recovery arrangements remain effective under severe cyber scenarios. According to the circular, backup systems should be appropriately segregated and subjected to regular testing under realistic operational conditions.
The commission additionally emphasised the need for AI-related cyber risks to be properly reflected in ICT risk assessments, governance arrangements and operational resilience planning. Firms should also maintain processes that enable them to learn from incidents, testing exercises and emerging threat intelligence, it said.
CySEC reiterated that DORA requires financial entities to protect ICT systems and assets against unauthorised access and malicious activities. They must also be able to detect anomalous activities and ICT-related incidents.
Moreover, firms are required to maintain robust business continuity arrangements, together with effective backup and restoration capabilities. The framework also obliges institutions to conduct appropriate ICT testing and vulnerability assessments. In addition, regulated entities must manage risks associated with ICT third-party providers effectively.
CySEC said it will continue monitoring developments related to frontier AI technologies and their implications for operational resilience and cybersecurity across the financial sector. The regulator added that it may engage with regulated entities, where appropriate, regarding their level of preparedness, governance arrangements and implementation of relevant ICT risk mitigation measures.
What is more, CySEC urged financial institutions to remain vigilant and to adopt proactive measures to ensure that their digital operational resilience frameworks continue to evolve in line with the changing cyber risk landscape.