AI-driven cyber risk is accelerating pressure on financial services firms across EMEA

The escalating cyber threat landscape

Emerging AI capabilities – including those referenced through Anthropic’s reported Claude Mythos model and Project Glasswing initiative – indicate a potential step-change in the speed at which cyber vulnerabilities can be identified and exploited. While these capabilities are still subject to validation, the broader direction is increasingly clear: AI is likely to compress the time between vulnerability discovery, disclosure and exploitation.

Historically, sophisticated cyber-attacks were limited to a relatively small number of highly capable state-backed or criminal actors. As AI models evolve, advanced cyber capabilities are expected to depend less on specialist expertise and increasingly on access to data, computational resources and the ability to operationalise these technologies at scale.

Financial services organisations across EMEA may be particularly exposed due to complex technology estates, significant third-party dependencies, interconnected infrastructure, strict uptime expectations and heightened regulatory scrutiny. The challenge is not that AI creates entirely new vulnerabilities, but that it enables existing weaknesses to be identified and exploited faster than organisations can remediate them.

“The question is no longer whether vulnerabilities exist, but the speed at which organisations can identify, prioritise and remediate them before they are exploited by attackers,” said Zoltan Szollosi, Deloitte CE Cyber Strategy & Transformation Leader.

“Financial institutions need to see this as an operational resilience challenge as much as a cyber security risk. While the fundamentals remain unchanged, the tolerance for delay is rapidly diminishing.”

The evolving regulatory landscape across EMEA reinforces this direction of travel. Operational resilience, third-party risk management and ICT governance are becoming increasingly important in an environment where cyber risks can materialise at machine speed.

Adapting cyber defence in the AI era

While the threat environment is changing rapidly, the core cyber security priorities remain broadly consistent. Rapid patching, strong identity and access management, network segmentation, continuous monitoring and effective incident response remain fundamental components of cyber resilience. What is changing materially is the importance of automation – including carefully governed AI-assisted automation – in vulnerability management and cyber operations.

Financial services organisations increasingly need to move from periodic and reactive vulnerability management towards continuous identification, prioritisation and remediation processes supported by AI-enabled capabilities. This also requires a more contextual and threat-informed approach to prioritisation, focused on business criticality, exploitability and operational impact rather than theoretical severity scores alone.

“Artificial Intelligence can enhance the cyber defence capabilities, particularly vulnerability detection and remediation prioritisation efforts,” added Laszlo Toth, Deloitte CE Cyber Defense and Resilience Leader. “However, organisations must also maintain strong governance, human oversight and clearly defined operational guardrails to ensure automation improves resilience rather than introducing additional risk.”

The report highlights that automation without effective governance can introduce additional operational and cyber risks, including large-scale misconfiguration or uncontrolled changes across complex environments. Human oversight, validation processes and strong governance therefore remain critical as organisations expand their use of AI-enabled cyber capabilities.

Practical priorities for financial institutions

In the short term, the report recommends targeted vulnerability remediation initiatives focused on end-of-life systems, externally exposed assets, critical business services and high-value data environments. Organisations should also assess remediation timelines and identify operational bottlenecks that slow down patching and decision-making.

Over the medium term, firms are encouraged to establish more continuous and intelligence-led vulnerability management capabilities supported by automation and AI-assisted analysis. Boards and executive teams should also treat AI-enabled cyber risk primarily as an operational resilience issue rather than solely a technical security topic.

The longer-term outlook may ultimately favour defenders if organisations use this period to modernise cyber operations and accelerate remediation capabilities before advanced AI-enabled attack techniques become more widely accessible.

The full report, Machine-Speed Cyber Risk: What EMEA Financial Services leaders need to know, is available for download here.