ECB Sets Halloween Deadline for Banks to File AI Cybersecurity Action Plans

Fintech News

ECB Sets Halloween Deadline for Banks to File AI Cybersecurity Action Plans #

The European Central Bank has given eurozone banks until October 31 to submit formal action plans addressing cybersecurity risks posed by advanced artificial intelligence models, according to a letter sent to bank chief executives on Tuesday.

The directive, signed by ECB supervisory chief Claudia Buch, cites the emergence of frontier AI systems, including Anthropic’s Claude Mythos, as a reason for the requirement. Buch called on lenders to accelerate their software patching cycles, strengthen AI-assisted cyber defenses, and tighten governance over third-party technology providers. Over a longer horizon, she urged institutions to modernize their underlying IT infrastructure.

Regulators warn that advanced AI models can now reverse-engineer software patches in roughly 30 minutes, compressing the window between a vendor releasing a security fix and an attacker exploiting the underlying vulnerability to near zero. That makes traditional patch-management timelines inadequate, according to the ECB.

ECB executive board member Frank Elderson has noted that euro area banks lack direct access to the most powerful frontier AI models, while certain U.S. institutions face no such restriction. Elderson has used the disparity to push for deeper intelligence-sharing among European lenders, arguing that pooling threat information can partially compensate for the access gap.

The European Systemic Risk Board issued a companion warning about the financial-stability implications of large-scale AI-enabled cyberattacks. The ESRB cautioned that widespread disruptions could erode public confidence in financial institutions and, in extreme scenarios, trigger runs on companies or even countries seen as having weaker cyber defenses.

To free up resources for the new cybersecurity priorities, the ECB said it is postponing a separate information-technology survey and may scale back certain planned inspections and other supervisory activities. The regulator described the exercise as resilience-building rather than a new compliance mandate.

Source: Invezz