The global financial sector faces mounting pressure to embrace artificial intelligence as a defensive weapon against escalating cybersecurity threats. Marlene Amstad, president of Switzerland's FINMA market regulator and chair of an international supervisory technology forum, warned this week that banks and financial watchdogs cannot afford to lag behind the velocity of modern cyberattacks. Speaking following a collaborative hackathon involving around 100 policy specialists and technology experts, Amstad articulated a central challenge confronting regulators worldwide: the traditional pace of institutional adaptation has become dangerously misaligned with the speed at which attackers exploit vulnerabilities.
The urgency reflects a broader shift in how cybercriminals operate in the digital age. As hackers leverage increasingly sophisticated techniques to penetrate financial systems, institutions must fundamentally rethink their defensive architecture. Amstad emphasised that banks need to accelerate their vulnerability patching procedures, moving from lengthy testing and deployment cycles to more rapid response mechanisms. This acceleration paradoxically requires deploying the same technology—artificial intelligence—that simultaneously creates new operational risks. The tension between needing speed and maintaining safety has become a defining characteristic of financial regulation in 2024.
International coordination on this challenge has crystallised around FINMA's initiative within the International Organization of Securities Commissions, a standard-setting body whose members oversee approximately 95 percent of global financial markets. By anchoring regulatory technology development within this established framework, policymakers aim to create interoperable solutions rather than a fragmented landscape where each jurisdiction develops proprietary tools. This approach addresses a critical vulnerability: a patchwork of incompatible systems would itself become a weakness that sophisticated attackers could exploit.
The recent hackathon in Zurich represented a tangible manifestation of this international push. The assembled specialists focused on concrete problem-solving, particularly developing supervisory tools for cryptocurrency markets—an area where regulatory oversight remains comparatively underdeveloped. Digital asset markets have become attractive targets for cybercriminals precisely because supervisory gaps create operational blind spots. By bringing together regulators, technologists, and policy experts under one roof, organisers hoped to accelerate the translation of theoretical AI capabilities into practical regulatory tools.
Amstad's comments reveal that regulators are exploring architecturally embedded safeguards rather than relying solely on detection after breaches occur. This preventive approach would involve integrating security measures directly into the design of digital asset systems from inception. Such an approach represents a philosophical shift from reactive regulation toward proactive system design. The implications extend beyond mere technical implementation: it suggests regulators increasingly view themselves as active participants in financial infrastructure development rather than distant observers.
Recent experiences with advanced AI models like Anthropic's Mythos have exposed uncomfortable truths about the technology's dual-use potential. While these models excel at identifying software vulnerabilities—theoretically enabling faster remediation—they simultaneously create new security concerns. Financial institutions deploying such tools face the paradox of inviting powerful models into their systems to identify risks those same models could potentially exploit. This dilemma has attracted government attention, as evidenced by the U.S. government's recent order restricting Anthropic's export of its latest Mythos and Fable models on national security grounds.
The geopolitical dimensions of AI regulation are becoming increasingly visible. Chinese cybersecurity firm 360 Security Technology recently announced the development of domestic alternatives to Western AI models, highlighting how technological restrictions create incentives for fragmentation. This competitive dynamic could result in divergent regulatory approaches across different jurisdictions, complicating international financial cooperation. For regulators seeking to maintain coherent oversight across borders, technological protectionism presents a genuine dilemma.
Amstad articulated Switzerland's position directly: the country must retain access to the most advanced AI models to strengthen its financial systems before deploying them in production environments. This stance reflects recognition that regulatory capability increasingly depends on technological parity with the threats being managed. By maintaining access to cutting-edge models, regulators can test vulnerabilities and understand attack vectors in controlled environments, ideally before malicious actors discover them in the wild. Yet this argument also exposes potential tensions with national security policies that restrict the export or dissemination of powerful AI systems.
For Southeast Asian financial regulators and institutions, these developments carry significant implications. The region's rapid digital transformation and growing fintech ecosystem mean cybersecurity vulnerabilities could emerge at scale before adequate safeguards exist. Regional regulators monitoring these international initiatives must consider whether to adopt similar coordinated approaches or develop Asia-specific frameworks. The cost of failing to act is substantial: a major cyberattack on critical financial infrastructure could destabilise not just individual institutions but regional capital markets and cross-border payment systems that developing economies increasingly depend upon.
The fundamental challenge regulators face remains unresolved: how to harness AI's defensive capabilities while containing its risks. Neither complete restriction of advanced models nor unfettered deployment solves the underlying problem. Instead, the international regulatory community is pursuing a middle path involving controlled access, collaborative development, and embedded safeguards. Whether this approach proves adequate against increasingly sophisticated threats remains uncertain. What is clear is that regulators can no longer maintain the comfortable distance from technology development they once enjoyed; they have become integral participants in an ongoing race between defensive innovation and offensive capability.
