Financial Watchdogs Race to Deploy AI Defences Against Mounting Cybersecurity Threats

The world's financial regulatory bodies are confronting an uncomfortable reality: they must embrace the very technology driving new security risks if they are to protect the global banking system from increasingly sophisticated cyberattacks. Marlene Amstad, president of Switzerland's FINMA and chair of an influential international supervisory technology forum, articulated this urgency in recent remarks, signalling that the financial sector's traditional approach to risk management is no longer adequate in an era where artificial intelligence is accelerating both offensive and defensive capabilities.

Amstad's warning arrives against a backdrop of mounting alarm about how AI systems are exposing previously hidden vulnerabilities in critical financial infrastructure. Machine learning models designed to detect software flaws have recently illuminated a troubling landscape of potential security exposures that could enable sophisticated cyberattacks or be exploited for espionage. The challenge facing regulators is not merely defensive: they must understand how AI itself operates, what safeguards are necessary, and how to establish accountability mechanisms when algorithms are making decisions that affect financial stability across borders.

The stakes have prompted unprecedented coordination among market supervisors globally. FINMA has been instrumental in establishing a dedicated forum within the International Organization of Securities Commissions, the body that sets standards for market regulation across jurisdictions representing approximately 95 percent of global financial markets by value. This initiative reflects recognition that no single regulator, no matter how well-resourced, can adequately address AI-driven risks in isolation. Instead, supervisors are pursuing a collective intelligence approach, pooling expertise and resources to develop tools that can be shared and adapted across different regulatory environments.

The practical expression of this collaboration materialised this week when roughly 100 policy specialists and technology experts convened for a hackathon—an intensive problem-solving sprint typical of Silicon Valley but now increasingly employed by financial regulators. The participants focused specifically on building innovative supervisory tools for cryptocurrency market oversight, an area where technological sophistication among market participants often outpaces regulatory capacity. The exercise demonstrated that regulators can move at startup speed when institutional survival is at stake, though sustaining such momentum beyond individual events presents a persistent challenge.

Amstad emphasised that the response cannot merely be defensive patching of existing systems. As cybercriminals utilise AI to identify and exploit vulnerabilities more rapidly than human teams can patch them, financial institutions require fundamentally different operational approaches. This includes the possibility of embedding security safeguards directly into the underlying architecture of digital asset systems—a proactive strategy that treats security as an inherent feature rather than a layer added after deployment. Such an approach would represent a significant departure from how many legacy banking systems have been constructed.

The emergence of practical vulnerabilities in advanced AI models underscores the urgency. Experience with systems such as Anthropic's Claude models has revealed operational risks that were previously theoretical. These discoveries have prompted governments to reassess which AI capabilities should be allowed to cross borders or remain subject to export restrictions. The United States government recently ordered Anthropic to halt exports of its latest Claude models, citing national security implications—a decisive move that highlights how AI has become entangled with state security competition.

This geopolitical dimension introduces another layer of complexity for Swiss and other European regulators. When the U.S. restricts access to cutting-edge AI systems on national security grounds, non-American regulators face a difficult choice: accept a technological disadvantage in supervising their own financial systems, or pursue alternative sources of advanced AI capability. The situation became more complicated this week when Chinese cybersecurity firm 360 Security Technology announced development of a domestically-created alternative to the restricted Claude models, potentially offering another path forward but introducing questions about data sovereignty and espionage risks.

For Switzerland specifically, Amstad's insistence that the country must retain access to the most advanced AI models reflects both pragmatic necessity and a broader strategic concern. Switzerland's position as a global financial hub depends partly on maintaining supervisory capacity that matches or exceeds that of larger financial centres. If Swiss regulators lack access to equivalent AI tools, the country risks becoming less attractive to sophisticated financial institutions or facing regulatory arbitrage where firms locate operations in jurisdictions with more technologically capable oversight.

The toolkit being developed through FINMA's initiatives encompasses more than just detection and monitoring systems. Regulators are exploring how AI itself can be used to stress-test financial systems before crises occur, to model cascading failures across interconnected markets, and to identify systemic risks that emerge only when multiple institutions' behaviours interact. This represents a maturation of regulatory thinking: rather than reacting to scandals and failures, supervisors are attempting to build predictive capacity grounded in advanced analytics.

Yet significant obstacles remain. Regulatory institutions typically lack the recruitment and retention capacity to attract top-tier AI talent that financial firms can afford. Moving sophisticated AI tools from hackathons into sustained operational deployment requires not just technical skill but institutional change—new governance structures, revised regulatory frameworks, and training programmes for supervisory staff accustomed to more traditional methods. The transition also raises accountability questions: if AI systems identify a risk and regulators act on that signal, who bears responsibility if the AI assessment proves wrong?

For Malaysian readers observing these developments, the implications extend beyond Switzerland. As Bank Negara Malaysia and other regional regulators increasingly supervise financial institutions operating across multiple jurisdictions, they must contend with the same technological shifts reshaping oversight in developed markets. The vulnerabilities being identified in global financial infrastructure are not geographically bounded, and cyberattacks targeting institutions in Southeast Asia routinely originate from actors exploiting techniques and tools developed globally. The race among major regulators to deploy AI for supervisory purposes will inevitably influence what standards and practices become expected throughout international finance.

The momentum toward regulatory adoption of AI reflects pragmatic acceptance that financial supervision cannot remain static. As financial institutions harness AI to manage risk and optimise operations, regulators must develop equivalent capacity simply to understand what they are overseeing. This creates a peculiar dynamic where technological competition drives innovation in oversight itself, potentially improving market stability even as it creates new dependencies on complex systems that themselves require constant monitoring. The challenge ahead is ensuring that this technological arms race strengthens rather than destabilises the financial systems regulators are tasked with protecting.