Nicosia, Cyprus. The Cyprus Securities and Exchange Commission has warned regulated financial entities about growing cybersecurity threats linked to advanced artificial intelligence models and called for stronger digital resilience frameworks in line with European rules.
Warning to regulated entities
In a circular sent to relevant stakeholders, CySEC highlighted increasing risks associated with so-called frontier AI models, which it said can identify and exploit software vulnerabilities at unprecedented speed and scale.
The warning was addressed to Cyprus Investment Firms, central securities depositories, trading venues, crypto-asset service providers, alternative investment fund managers and UCITS management companies.
Benefits and risks of advanced AI
According to CySEC, recent developments in advanced AI systems have shown both the benefits of these technologies for defensive cybersecurity purposes and the risks arising from their potential malicious use.
The commission said these developments could significantly accelerate vulnerability discovery and exploitation cycles.
It added that this may increase the sophistication, frequency and scale of cyberattacks targeting financial institutions and their ICT third-party service providers.
DORA obligations
CySEC reminded entities covered by the Digital Operational Resilience Act, formally Regulation (EU) 2022/2554, that they are required to maintain robust ICT risk management frameworks capable of responding to evolving cyber threats, including those linked to emerging AI technologies.
The regulator said it expects firms, in a manner proportionate to their size, nature, scale and complexity, to assess whether their existing ICT risk management arrangements remain adequate.
Where necessary, entities should strengthen controls and processes to address the changing threat environment, it said.
Steps requested by the regulator
CySEC urged firms to improve the identification and assessment of ICT vulnerabilities, including through stronger threat intelligence and improved vulnerability monitoring capabilities.