GFSC issues Dear CEO letter on technology risk
8th July 2026Advances in frontier artificial intelligence (“AI”) models are reshaping the cyber risk landscape. These models are increasingly capable of identifying software vulnerabilities, including within large, complex and legacy code bases, at a speed and scale that was previously unattainable. Whilst these capabilities have the potential to enhance cyber resilience when used responsibly, they are also likely to accelerate the discovery of exploitable weaknesses across digital infrastructure.
The Commission does not want to heap new burdens on firms. Rather we have spent some time talking and listening to international counterparts and experts in the fields of AI and quantum computing all of whom seem to concur that these society changing technologies are advancing markedly faster than expected even a year ago, with threats increasing. In these relatively unprecedented circumstances we think it is proper to ask the leaders of the firms we regulate to review their technology risk management arrangements, including vulnerability management, patching processes and third-party oversight. The accompanying Dear CEO letter which we have issued to firms highlights relevant matters.
3 July 2026
Dear CEO
Ongoing Technology Risk and the Use of Advanced Vulnerability Discovery Tools
The Commission supports innovation and recognises the role that Artificial Intelligence (“AI”), in all forms, could play in transforming the way financial services are administered, managed and delivered at all levels (Policy Statement – Use of Artificial Intelligence — GFSC).
Recent international developments, including the use of advanced AI tools to identify vulnerabilities within existing software, have demonstrated both the opportunities and risks arising from rapidly advancing technology.
The Commission notes that such tools do not necessarily create new weaknesses; rather, they expose ones that already exist within systems relied upon by firms, customers and markets. This discovery capability can materially improve defensive arrangements, but it also reinforces the importance of continuous and proactive maintenance of technology environments.
The Bailiwick’s principles‑based regulatory framework is deliberately designed to enable firms to embrace technological change without inhibiting innovation. It also places a responsibility on firms to ensure systems that are in use are subject to ongoing review and updates where appropriate. Firms should be satisfied that technology risk is not treated as static, but as an evolving exposure, requiring ongoing monitoring.
It is important that the firms, understand the IT patching regime in place for its organisation, and that it remains appropriate, especially if, with recent developments, there is a need to rectify weaknesses in a significantly shortened timeframe without reducing checks and controls. If a firm is using a third-party outsourced provider, they should ensure that this outsourced provider is able to meet the ongoing needs of the firm with respect to this changing environment.
I should be grateful if you could bring this letter to the attention of your Board and senior management.
Yours sincerely,
Conor Osborough
Director of Technology