05/06/2026 | Press release | Archived content
Why frontier AI matters for firms
Artificial intelligence (AI) continues to evolve rapidly. Frontier AI models represent a step-change in capability, with significant implications for cyber security and operational resilience.
The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost. These capabilities, if used maliciously, amplify cyber threats to firms' safety and soundness, customers, market integrity, and financial stability. As more advanced models become available, these risks are expected to increase. Firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed.
What this means for regulated firms
It is essential that firms have effective protective, detective, threat containment and cyber response capabilities, including to address faster and more disruptive frontier AI-driven attacks.
In line with our operational resilience rules and expectations, regulated firms and financial market infrastructures (FMIs) (referred to as 'firms') need to take action to plan for and mitigate cyber security risks posed by frontier AI.
The Government and UK financial authorities judge that firms should be taking active steps across several domains.*
Governance and strategy: Firms should ensure their boards and senior management have sufficient understanding of frontier AI risks. This is important to set strategic direction and oversee how control functions manage risks.
Investment and resourcing decisions should reflect the emerging threat, including increased exposure from end-of-life systems or those out of vendor support. Firms should also consider whether they have appropriate insurance in place.
Identification and risk management of vulnerabilities: Frontier AI models can rapidly identify and enable exploitation of a potentially large number of vulnerabilities across firms' technology estates. Firms should be able to triage, prioritise, risk assess, and remediate vulnerabilities more quickly, more frequently, and at scale, including through automation where appropriate, while mitigating the operational risks from doing so.
Managing risks from third parties: Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software. This means firms should have the capabilities to identify, monitor, and manage external applications, libraries, and services integrated into their networks. Firms should be prepared to address and remediate vulnerabilities identified by third parties at scale.
Protection: Effective access management, network security, and data protection should enable firms to reduce the attack surface a frontier AI model might access and limit the likelihood and impact of such attacks. Firms should consider adopting automated and AI-enabled defences to operate at comparable speed to AI-driven attacks.
Response and Recovery: Firms should be able to respond to and recover from disruption quickly. Firms should read and consider the effective practices on cyber resilience published by the Bank, PRA and FCA in October 2025.
The Government and UK financial authorities will continue to actively monitor frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG).
Further information for firms
Firms should also keep up to date with relevant publications in this space by CMORG and the NCSC, the UK's technical cyber authority. For example, firms can watch CMORG's Frontier AI Risk Mitigation Webinar (14 May 2026).
In addition, the NCSC continues to publish practical guidance on how firms should consider and manage the risks from frontier AI. This includes: