The European Central Bank has held discussions with commercial lenders about new risks arising from recent advances in artificial intelligence and will ask banks to adopt practical defensive steps, ECB Supervisory Board member Frank Elderson said on Wednesday.
Elderson said progress in AI has increased the likelihood that cyberattackers could rapidly identify and exploit vulnerabilities in bank systems, and that small weaknesses might be combined into larger, more serious threats. In response, the ECB intends to send a formal letter to the chief executive officers of all banks requiring them to take proactive measures to preserve the resilience and security of their systems.
Following the initial outreach, the central bank will conduct focused follow-up with individual banks, Elderson said. He made clear that the challenges extend beyond conventional cybersecurity concerns and require a strategic, sustained management response. That response should include management taking ownership and allocating specialized expertise and resources over several years.
On the question of costs, Elderson acknowledged the measures could be expensive to implement. He noted, however, that strong profitability in the banking sector should mean lenders have the financial capacity to invest in such defenses. He also pointed to a disparity in burden across the industry: large banks will generally be better positioned to fund enhanced protections, while small and medium-sized banks may face greater difficulty.
Elderson highlighted additional points of vulnerability outside banks themselves. Critical infrastructure relied upon by banks - including cloud service providers, telecommunications networks, payment systems and utilities such as electricity and water - could also become targets. Under his assessment, scenarios that were once viewed as unlikely may now be more plausible given the speed and capabilities of new AI models.
Summary
The ECB has recently met with commercial banks and will send a letter to bank chief executives requesting practical defense measures against AI-enabled threats. The bank will follow up with targeted engagement, and supervisors warn the response will require strategic, multi-year management attention and potentially significant investment. Large banks are likely better positioned to absorb costs than smaller lenders, and critical infrastructure providers may also be exposed.
Key points
- The ECB will request concrete AI-defense measures from all banks via a letter to CEOs and will conduct targeted follow-up.
- Supervisors say the risks encompass more than cybersecurity and demand sustained management ownership, expertise and resources over several years.
- Large banks are better placed to fund defenses; small and medium-sized lenders may struggle. Critical infrastructure providers could also be targeted.
Risks and uncertainties
- Increased likelihood of sophisticated cyberattacks that can combine small vulnerabilities into serious threats - affecting the banking sector and financial markets.
- Potential resource and funding strains for small and medium-sized lenders in implementing costly defense measures - impacting banking-sector stability and competition.
- Exposure of critical infrastructure providers, including cloud, telecoms, payment systems and utilities, which could amplify operational risks for banks.