Markets Open
Global Markets
S&P 500 7,492.17 ▼ -0.6% DOW 52,858.78 ▼ -0.4% NASDAQ 25,772.06 ▼ -1.3% RUSSELL 2K 2,980.14 ▼ -1.0% VIX 16.34 ▲ +4.9% GOLD 4,119.6 ▼ -0.9% CRUDE OIL 72.25 ▲ +5.4% EUR/USD 1.14 ▼ -0.2% BTC 63,711 ▼ -0.1% ETH 1,787.82 ▼ -0.4%
Fintech

ECB asks major banks for plans on AI-driven cyber risks

The central bank wants significant institutions to file AI cyber risk plans by end-October and has delayed a separate IT questionnaire to 2027.

Rafael Ortiz

By Rafael Ortiz · Fintech Correspondent

· 3 min read

The European Central Bank has asked the chief executives of significant institutions to submit action plans by the end of October for handling cyber threats amplified by artificial intelligence, according to Finextra. The request follows concern over Anthropic’s Mythos AI tool, which the ECB said could have “potentially profound implications” for the resilience of banks’ IT systems.

The move places AI-enabled cyber risk into the supervisory workload for large banks at a time when lenders and regulators are assessing how emerging models could change the speed, scale and sophistication of attacks. Finextra reported that the ECB has also pushed back the deadline for a separate IT risk questionnaire to February 2027 so banks can concentrate on the AI-focused plan.

Short-term measures centre on exposed systems

According to the ECB letter cited by Finextra, banks are being told to focus first on three areas: faster patch management at scale, stronger threat monitoring and detection, and checks on third-party risk management.

Patch management is the process of identifying software weaknesses and applying fixes before attackers can exploit them. At a large bank, that task covers internal systems, customer-facing services, outsourced software and open-source components that may sit inside business-critical technology. AI-enabled tools can raise the pressure on those processes if they help attackers find vulnerable systems or automate parts of an intrusion campaign.

The ECB’s letter says: “As part of the short-term effort, prioritising protection of perimeter technologies and internet-facing and externally exposed ICT assets, including third-party software and open-source components, is key to preparing for the rise in AI-enabled cybersecurity threats.”

Perimeter technologies and internet-facing assets include systems that connect a bank’s internal networks with customers, vendors and public networks. Supervisors often treat those assets as a priority because they can form entry points for attackers if configuration gaps or unpatched vulnerabilities remain in place.

Legacy systems and recovery plans also in scope

The ECB is also calling for longer-term work on banks’ technology foundations, Finextra reported. The central bank wants institutions to modernise legacy infrastructure and strengthen operational resilience through response and recovery mechanisms, including crisis management and information-sharing arrangements.

Operational resilience in this context refers to a bank’s ability to keep critical services running, or restore them within acceptable limits, after a cyber incident or technology failure. Recovery mechanisms can include tested response procedures, decision-making protocols during a crisis and arrangements for sharing information with relevant parties.

The ECB’s latest intervention follows an earlier meeting in May, when Finextra reported that the central bank summoned lenders to discuss the seriousness of risks linked to Anthropic’s Mythos. Banks and regulators globally have been assessing the implications of the tool’s release, according to Finextra.

The central bank also indicated that artificial intelligence is not the only emerging technology under review. Finextra reported that banks should expect a separate ECB letter on cyber and operational challenges linked to quantum computing.

This story draws on original reporting from Finextra Research.

More from Fintech

All Fintech →