THE POLICY EDGE

IMF Finds AI Could Turn Cybersecurity into a Financial Stability Challenge

The IMF argues that artificial intelligence is changing how cyber risks spread through the financial system, requiring regulators to treat cybersecurity as a core financial stability issue rather than solely an operational concern


Key Details

The IMF Note examines how artificial intelligence is reshaping cyber risk in finance by increasing the speed, scale and interconnectedness of attacks while identifying reforms needed to strengthen financial stability.

| Theme | Key Finding |
|---|---|
| AI-enabled cyber risk | AI accelerates vulnerability discovery, phishing, exploit development, malware generation and cyber operations, enabling attacks to spread more rapidly and at lower cost than traditional methods. |
| Financial stability risk | Shared cloud platforms, software, payment infrastructure, AI systems and third-party technology providers create common dependencies that can transmit cyber disruptions across multiple financial institutions simultaneously. |
| Dual-use AI | AI strengthens both cyber defence and cyber offence, compressing the time available for institutions to detect, respond to and recover from attacks. |
| Governance gaps | Existing cyber resilience and supervisory frameworks were largely developed before machine-speed AI capabilities emerged and often provide limited oversight of AI-specific and third-party cyber risks. |
| EMDE exposure | Emerging market and developing economies face similar cyber threats but generally have weaker supervisory capacity, fewer defensive resources and slower adoption of advanced cybersecurity capabilities. |


IMF’s Seven Policy Recommendations

| Recommendation | Objective |
|---|---|
| Update cyber-risk surveillance | Incorporate AI-enabled threats, common-mode failures and systemic cyber scenarios into financial stability monitoring. |
| Strengthen third-party oversight | Expand regulatory oversight of cloud providers, AI developers and other critical technology vendors whose disruption could affect multiple institutions. |
| Enhance cross-sector coordination | Improve coordination across finance, telecommunications, energy, data infrastructure and other critical sectors. |
| Expand cyber simulation exercises | Test operational, liquidity and macro-financial consequences of AI-enabled cyber incidents rather than isolated operational failures. |
| Develop AI-specific disclosure standards | Improve transparency and consistency in reporting AI-related cyber incidents and operational disruptions. |
| Advance international coordination | Promote greater cooperation on AI governance, cybersecurity standards and cross-border supervisory responses. |
| Establish frontier AI monitoring capacity | Build institutional capability to monitor rapidly evolving frontier AI models and emerging cyber risks, particularly in emerging economies. |


Summary

Financial Stability Is Becoming the Primary Concern

The IMF note, Artificial Intelligence and Cybersecurity in the Financial Sector, argues that AI is changing not only cyber threats but also the way cyber shocks spread through the financial system, making cybersecurity an increasingly important financial stability concern. Rather than viewing cyber incidents as isolated operational failures affecting individual institutions, regulators increasingly need to assess how AI can accelerate attacks across interconnected financial infrastructure and create broader systemic disruption.

The report therefore calls for cybersecurity to become an integral part of financial stability surveillance, with central banks and financial regulators incorporating AI-enabled cyber risks alongside more traditional sources of systemic financial risk.

AI Changes Existing Risks Rather Than Creating Entirely New Ones

A key finding is that AI does not necessarily introduce entirely new forms of cyberattack. Instead, it significantly increases the speed, scale and automation of existing threats by reducing the time, expertise and cost required to discover vulnerabilities, generate phishing campaigns, develop exploits and conduct cyber operations.

This compression of the time between vulnerability discovery and exploitation leaves financial institutions with progressively shorter windows to detect, contain and respond to cyber incidents.

Shared Digital Infrastructure Magnifies Systemic Risk

The IMF identifies shared digital infrastructure as the principal channel through which AI-enabled cyber risks can evolve into financial stability concerns. Banks, payment systems, market infrastructure, insurers and financial intermediaries increasingly depend on common cloud providers, software platforms, operating systems, AI services and third-party technology vendors.

These shared dependencies create common-mode risks, where a vulnerability in one widely used technology or service provider can simultaneously affect numerous institutions. AI increases the likelihood that such vulnerabilities can be identified, exploited and propagated before conventional supervisory and operational responses can contain them.

Unlike traditional operational incidents confined to individual firms, AI-enabled attacks on common infrastructure have greater potential to disrupt payment systems, clearing and settlement operations and broader financial markets.

AI Strengthens Both Cyber Defence and Cyber Offence

The Note emphasises AI’s dual-use nature. The same technologies that strengthen cybersecurity can also strengthen cyberattacks.

For financial institutions, AI offers significant defensive capabilities, including continuous threat monitoring, anomaly detection, fraud prevention, vulnerability assessment, automated incident response and cyber-risk reporting. At the same time, malicious actors can use AI to generate sophisticated phishing campaigns, create synthetic identities and deepfakes, automate exploit development and conduct cyber operations at machine speed.

The IMF therefore argues that prevention alone is no longer sufficient. Institutions must increasingly design systems that minimise the blast radius of successful breaches through stronger containment, recovery, business continuity planning and operational resilience. Human oversight, secure system design and clear governance remain essential if defensive AI is to strengthen rather than weaken cyber resilience.

Governance and Supervisory Capacity Must Catch Up

Perhaps the report’s most important institutional message is that governance is struggling to keep pace with technological change.

The IMF notes that frontier AI capabilities are advancing faster than existing cybersecurity benchmarks, making traditional assessment methods progressively less effective. Supervisory authorities also face increasing opacity when evaluating the capabilities, limitations and cyber potential of advanced AI systems, reducing their ability to anticipate emerging risks.

The report further observes that much frontier AI governance continues to rely on voluntary commitments by developers rather than comprehensive statutory oversight. These challenges are likely to be particularly significant for emerging market and developing economies (EMDEs), which often face similar cyber exposure but possess fewer supervisory resources, weaker institutional capacity and more limited access to advanced defensive technologies.


International Policy Thinking Is Converging

The IMF’s warning that artificial intelligence is changing the scale, speed and transmission of cyber risk in finance reflects a broader shift in international policy thinking. Cyber risk is increasingly being treated not only as an operational or information technology issue, but as a potential financial stability concern capable of disrupting markets, payment systems and critical financial infrastructure.

Recent analysis by the OECD reaches a similar conclusion, arguing that cyber incidents can generate systemic risks through shared digital infrastructure, third-party technology providers and growing financial interconnectedness. The European Central Bank (ECB) reaches a complementary conclusion from a different direction. Rather than focusing on cybersecurity, it argues that increasingly autonomous AI systems could amplify market volatility, accelerate financial transmission channels and introduce new forms of systemic risk that existing regulatory frameworks may struggle to address.


What Are Common-Mode Risks?

Common-mode risks arise when multiple financial institutions rely on the same technology, cloud provider or digital infrastructure, allowing a single disruption to affect many organisations at once. The IMF warns that AI can identify and exploit vulnerabilities in shared systems much faster, increasing the likelihood that isolated cyber incidents escalate into broader financial stability risks.


What Is the “Blast Radius” of a Cyber Breach?

The blast radius is the maximum extent to which a cyberattack can spread within an organisation or across interconnected systems. The IMF argues that institutions must not only prevent attacks but also limit their impact through network segmentation, rapid detection, containment and recovery measures, reducing the risk of cascading failures.


Policy Relevance

  • Financial supervisors will increasingly need cyber expertise alongside prudential expertise. As AI changes how cyber shocks spread through interconnected financial systems, cybersecurity is becoming a core component of financial stability assessment rather than solely an operational resilience function.

  • India’s expanding digital financial ecosystem increases the importance of AI-aware financial supervision. As digital payments, digital public infrastructure, cloud-based financial services and AI adoption deepen across the financial sector, regulators will need to assess how technological interdependencies could transmit operational disruptions into broader financial stability risks.

  • Technology concentration is emerging as a macro-financial issue. Dependence on a relatively small number of cloud providers, AI developers and other critical technology vendors means that third-party oversight will increasingly become part of financial stability regulation rather than simply an outsourcing or procurement concern.

  • Operational resilience frameworks will need to prioritise containment and recovery alongside prevention. Supervisory expectations are likely to place greater emphasis on cyber simulations, business continuity planning and limiting the “blast radius” of successful breaches as AI reduces the time available to respond to cyber incidents.

  • Financial regulation and AI governance will become increasingly interconnected. Supervisors will require stronger institutional capacity to assess frontier AI capabilities, evaluate AI-related cyber risks and develop regulatory approaches that evolve alongside rapidly advancing technologies.

  • Cross-sector and international coordination will become more important for maintaining financial stability. Because AI infrastructure, cloud services and cyber risks operate across sectors and national borders, effective oversight will increasingly depend on coordination among financial regulators, cybersecurity agencies, digital infrastructure authorities and international standard-setting bodies.


Follow the Full Note Here: Artificial Intelligence and Cybersecurity in the Financial Sector
