Europe’s Warning: AI Turns Cyber Risk Into a Market Stability Issue
Europe’s markets watchdog has put AI-driven cyber threats firmly on the financial stability agenda. Verena Ross, chair of the European Securities and Markets Authority (ESMA), says cyber risks are rising in both scale and speed, as artificial intelligence models make it easier to launch sophisticated attacks. Geopolitical tensions are amplifying these vulnerabilities, prompting ESMA to reach out to the financial entities it supervises to reassess their cybersecurity defences in light of recent AI developments. The sector was recently jolted by reports that a new AI model, Mythos, can identify and exploit previously unknown software vulnerabilities, raising the prospect of automated, zero‑day style attacks moving far faster than traditional defences. Ross stresses that supervisors at both national and EU level need to “up our game”, building expertise not only to oversee banks and brokers, but also the critical third‑party technology providers that underpin financial markets security.
How Generative AI Supercharges Cyberattacks in Finance
Generative AI is transforming the offensive playbook against financial institutions. Large language models can draft highly personalised phishing emails at scale, imitating internal tone and jargon to trick employees into revealing credentials. Deepfake tools can clone a CEO’s voice or image convincingly enough to authorise fraudulent fund transfers or mislead investors during virtual briefings. Models like Mythos reportedly go further by scanning code bases and network configurations to detect and exploit previously undiscovered vulnerabilities, compressing what once took skilled hackers weeks into hours. In capital markets, AI agents could be weaponised to manipulate order books, trigger algorithmic trading responses, or seed false market-moving narratives via synthetic news and social content. As more trading, settlement and risk management systems rely on AI in finance, adversaries can also target the models themselves, feeding poisoned data or reverse‑engineering them to predict and exploit automated behaviours.
AI in Finance Expands the Attack Surface for Markets
At the same time as AI raises cyber risk, it is becoming deeply embedded in financial operations. Banks, brokers and asset managers are rapidly adopting AI-driven investment strategies, trade surveillance and credit scoring. Across the wider corporate world, AI is now woven into daily work: a Gallup survey cited in recent HR analysis found that half of employed adults in the U.S. use AI at least a few times a year, with 28% using it a few times a week or more, and 13% using it daily. This growing dependence, often including “shadow AI” that bypasses formal IT controls, creates a larger, more complex attack surface. New enterprise AI platforms and model-context tools are being integrated into business workflows, while engineering teams are encouraged to “token-maxx”, rapidly experimenting with powerful models. Without strong AI risk management, every new AI integration in trading, client onboarding or analytics can become another potential entry point for AI cyber threats.
Regulators Respond With Tougher Resilience and AI Risk Expectations
Globally, regulators are pivoting from seeing cyber incidents as pure IT problems to treating them as systemic financial risks. ESMA has already named a set of critical third‑party technology providers to the EU’s finance industry under new rules aimed at strengthening tech and operational resilience, and is openly considering how AI providers might fit into this framework. Ross has emphasised the need for supervisors to build capabilities to understand what firms are doing with AI and to oversee their key technology partners. Elsewhere, supervisors are pushing for more frequent cyber resilience testing, clearer incident disclosure, and board‑level accountability for AI risk management. The direction of travel is clear: financial entities are expected to demonstrate that they can withstand, detect and respond to AI cyber threats, and that they understand dependencies on external cloud, data and AI platforms that could become single points of failure for markets.
Why Malaysian and ASEAN Investors Should Care—and What to Look For
For investors in Malaysia and the wider ASEAN region, AI-fuelled cyber risk is now an investment risk. Banks, brokers and AI-heavy tech stocks are increasingly exposed: a serious breach can disrupt trading, compromise client data, trigger regulatory penalties and wipe out hard‑won digital trust—factors that can feed directly into earnings volatility and valuation downgrades. As global supervisors tighten expectations, regional regulators are likely to follow, raising compliance costs for firms that have underinvested in cybersecurity. Investors can protect themselves by treating cybersecurity for investors as part of fundamental analysis. In annual reports and news, look for independent cyber audits, clear cyber governance at board level, AI-specific risk frameworks, and evidence of testing against AI cyber threats. Disclosures about critical third‑party providers, incident response drills, and training to counter phishing and deepfakes are additional signals that a company is taking the new AI threat landscape seriously.