The Cyprus Securities and Exchange Commission (CySEC) has issued a statement drawing the attention of Regulated Entities to the increasing cybersecurity risks associated with the emergence of frontier Artificial Intelligence (AI) models it says are "capable of identifying and exploiting software vulnerabilities at unprecedented speed and scale."
As noted in the statement, which was signed by CySEC Chairman Dr. George Theocharides, "Recent developments in advanced AI systems have highlighted both the potential benefits of such technologies for defensive cybersecurity purposes and the heightened risks arising from their possible malicious use. These developments may significantly accelerate vulnerability discovery and exploitation cycles and increase the sophistication, frequency, and scale of cyber-attacks targeting financial entities and their ICT third-party service providers."
In its statement, CySEC reminds all Regulated Entities falling within the scope of Regulation (EU) 2022/2554 on Digital Operational Resilience for the financial sector (DORA) that they are obliged to maintain robust ICT risk management frameworks capable of addressing evolving cyber-threats, including those arising from emerging AI technologies.
"In this context, CySEC expects such Regulated Entities, proportionate to their size, nature, scale and complexity, to assess whether their existing ICT risk management arrangements remain adequate and, where necessary, to strengthen relevant controls and processes," the statement continues.
In particular, Regulated Entities are encouraged to consider the areas laid down below:
Areas for Consideration
Identification and vulnerability management
- Enhance the identification and assessment of ICT vulnerabilities, including through improved threat intelligence and vulnerability monitoring capabilities.
- Review the effectiveness and timeliness of vulnerability remediation and patch management processes, especially for critical systems and legacy infrastructure.
Protection and prevention
- Ensure that ICT systems continue to incorporate security and resilience by design.
- Reassess identity and access management controls and the resilience of critical ICT assets.
- Evaluate the preparedness and resilience of ICT third-party service providers and supply-chain dependencies.
Detection capabilities
- Strengthen monitoring and detection capabilities to identify increasingly sophisticated cyber threats.
- Consider the use of automation and enhanced security orchestration to improve response times and incident handling capabilities.
Response and recovery
- Ensure that backup, restoration, and disaster recovery arrangements remain effective under severe cyber scenarios.
- Verify that backup systems are appropriately segregated and regularly tested under realistic operational conditions.
Governance and continuous improvement
- Ensure that AI-related cyber risks are appropriately reflected in ICT risk assessments, governance arrangements, and operational resilience planning.
- Maintain processes for learning from incidents, testing exercises, and emerging threat intelligence.
Requirements under DORA
CySEC further reminds Regulated Entities that, under DORA, they are required to:
- Protect ICT systems and assets against unauthorised access and malicious activities.
- Detect anomalous activities and ICT-related incidents.
- Maintain robust business continuity, backup and restoration arrangements.
- Conduct appropriate ICT testing and vulnerability assessments.
- Manage ICT third-party risks effectively.
Ongoing Monitoring and Engagement
CySEC said it will continue to monitor developments relating to frontier AI technologies and their implications for operational resilience and cybersecurity within the financial sector. CySEC may engage with Regulated Entities, where appropriate, regarding their level of preparedness, governance arrangements, and implementation of relevant ICT risk mitigation measures.
"Regulated Entities are urged to remain vigilant and to take proactive measures to ensure that their digital operational resilience frameworks continue to evolve in line with the changing cyber risk environment," the statement concluded.
For any queries, please contact CySEC in writing via email at ict.oversight@cysec.gov.cy