The Bank of Japan has published a request urging financial institutions to take immediate cybersecurity measures in response to the changing threat posed by frontier AI. The core message is that firms should prepare for a potential sharp increase in vulnerability discovery and patch releases, with senior management directly involved in decisions on prioritization, resourcing and implementation. The request frames the issue as a firm-wide management priority rather than a matter for IT and cybersecurity teams alone. The attached measures call on institutions to identify priority services and systems, especially externally accessible systems supporting critical services such as internet banking, and to focus resources on those assets. Firms are asked to reduce technical debt so patching targets can be identified quickly, secure staff capacity for patching and vulnerability triage, and confirm that vendors and maintenance contracts can support timely remediation, including during nights and holidays. The guidance also pushes firms to move beyond reliance on CVSS scores alone by prioritizing vulnerabilities based on their potential effect on the institution's own services and likelihood of exploitation, while strengthening layered defenses where patching is difficult through tools such as web application firewalls, bot mitigation, network segmentation, multi-factor authentication for privileged accounts and endpoint detection and response. It also tells firms to prepare for service disruption scenarios, including possible proactive suspension of critical services or systems, and to maintain information-sharing through industry and regulatory channels. The request says these actions should be pursued on a short-term basis with approximately one month as a general guideline, while institutions continue to review and update their approach as AI-related threats evolve. It also notes that the measures were developed through a working group following Financial Services Agency-led public-private discussions on AI-related cyber risks in the financial sector.
Bank of Japan2026-06-15
Bank of Japan requests short term cyber measures for financial institutions to address frontier AI driven vulnerability risks
The Bank of Japan has asked financial institutions to urgently strengthen short-term cybersecurity measures to address the risk that frontier AI will accelerate vulnerability discovery and exploitation. Firms are expected to treat the issue as a management priority, focus patching and defenses on critical systems, and ensure vendors, contracts and contingency plans can support rapid response. The measures are framed as immediate actions, with about one month as a general guideline and ongoing review as threats evolve.