The Cyprus Securities and Exchange Commission (CySEC) has issued a circular highlighting increasing cybersecurity risks arising from the emergence of frontier Artificial Intelligence (AI) models. These advanced systems are described as capable of identifying and exploiting software vulnerabilities at unprecedented speed and scale, with significant implications for the financial sector.
According to CySEC, recent developments in advanced AI systems present both potential defensive benefits and heightened threats. While such technologies may support improved cybersecurity, they can also be used maliciously, accelerating vulnerability discovery and exploitation cycles. This evolution is expected to increase the sophistication, frequency, and scale of cyber-attacks against financial entities and their ICT third-party service providers.
Scope of entities and key risks
CySEC addresses its warning to a broad range of regulated entities, including Cyprus Investment Firms (CIFs), Central Securities Depositories, Trading Venues, Crypto-Asset Providers (CASPs), Alternative Investment Fund Managers (AIFMs), and UCITS Management Companies. The regulator stresses that these entities face heightened exposure as attackers leverage frontier AI to probe and compromise ICT systems more rapidly and effectively.
The circular underlines the risk that AI-driven tools could systematically scan for weaknesses, shorten the time between vulnerability discovery and exploitation, and enable more complex, large-scale attacks. This may affect both core financial operations and the services provided by ICT third-party providers that support regulated entities.
Recommended measures for regulated entities
In response to these developments, CySEC urges regulated entities to enhance their digital operational resilience frameworks. Specifically, firms are called on to:
- Enhance ICT vulnerability identification and assessment processes.
- Review vulnerability remediation and patch management arrangements.
- Reassess identity and access management controls.
- Evaluate the preparedness of ICT third-party service providers.
- Strengthen monitoring and detection capabilities.
- Ensure backup and disaster recovery arrangements remain effective.
- Reflect AI-related cyber risks in ICT risk assessments and governance arrangements.
CySEC states it will continue to monitor developments related to frontier AI technologies and their impact on operational resilience and cybersecurity in the financial sector. Regulated entities are urged to remain vigilant and to take proactive measures so that their digital operational resilience frameworks evolve in line with the changing cyber risk environment.
The circular was issued by Dr. George Theocharides, Chairman of the Cyprus Securities and Exchange Commission, and is dated 17 June 2026.
