Singapore’s financial regulator and cybersecurity authority have jointly directed the country’s banks and critical infrastructure operators to urgently review and strengthen their cyber defences against threats posed by frontier artificial intelligence models, with the Monetary Authority of Singapore convening bank chief executives for a collective response session and the Cyber Security Agency of Singapore formally writing to boards of all critical information infrastructure owners on May 5, 2026.
Key Facts At A Glance
- The Monetary Authority of Singapore convened the chief executives of major financial institutions to discuss collective cybersecurity measures against AI-enabled threats.
- The Cyber Security Agency of Singapore issued formal letters on May 5, 2026, to the boards and senior leadership of all critical information infrastructure owners, including those in banking and finance, requiring a review of their cybersecurity risk posture.
- Senior Minister of State for Digital Development and Information Tan Kiat How told Parliament on May 5 that new AI-enabled attacks could be faster, more scalable, and more sophisticated than existing defences anticipate.
- The CSA had separately issued a public advisory on April 15, 2026, warning that frontier AI models can compress the time to identify and exploit vulnerabilities from months to hours.
- The Association of Banks in Singapore confirmed on April 27 that it is working with member banks to monitor emerging AI-driven threats, share intelligence, and coordinate risk-mitigation efforts.
- DBS Group CEO Tan Su Shan said frontier AI models amplify cyber risk by accelerating both attack speed and blast radius. OCBC and UOB each confirmed AI governance and cybersecurity controls are in place.
- The CSA is reviewing standards and obligations for critical information infrastructure owners and has indicated it will publish further technical guidance.
A Coordinated Regulatory Response
The Monetary Authority of Singapore and the Cyber Security Agency of Singapore have mounted a coordinated response to what regulators describe as a structurally new phase of cyber threat to the financial system. The trigger is the emergence of frontier artificial intelligence models capable of autonomously identifying previously unknown software vulnerabilities at speeds that substantially narrow the window between a flaw’s discovery and its exploitation.
On May 5, 2026, Senior Minister of State for Digital Development and Information Tan Kiat How told Parliament that the CSA had sent letters to the boards and senior leadership of all critical information infrastructure owners that day, requiring them to review their cybersecurity posture and account for the specific characteristics of AI-enabled attacks. The financial sector is among the 11 critical sectors covered by Singapore’s Critical Information Infrastructure framework, which also includes energy, water, healthcare, and transport.
The MAS preceded this with a separate convening of the chief executives of major financial institutions in Singapore to discuss collective measures. MAS also publicly stated that financial institutions need to “redouble efforts to strengthen their security defences, pro-actively identify and close vulnerabilities, and raise vigilance on cyber hygiene, including timely security patching,” and that advances in AI would “accelerate the discovery and exploitation of software vulnerabilities in IT systems.”
What The CSA Advisory Requires
The CSA’s April 15, 2026 advisory, designated AD-2026-004, outlined a series of measures organisations are expected to benchmark against. These include ensuring all critical and high-severity vulnerabilities on internet-facing systems have been remediated, enabling multi-factor authentication on all administrative interfaces, establishing network segmentation to limit lateral movement, integrating automated AI-assisted tools for continuous scanning, and embedding security testing throughout procurement and development processes.
The advisory noted that frontier AI models have demonstrated capabilities including software analysis, vulnerability discovery, and security reasoning at a level approaching or complementing cybersecurity practitioners. While the CSA stated there were no current signs of misuse at the time of the advisory, it framed the guidance as preparation for a threat environment that is expected to materialize.
Tan told Parliament that the issue goes beyond any single AI model. He cited OpenAI’s GPT-5.5 as showing comparable cybersecurity capabilities, and pointed to rapidly improving open-source AI models likely to reach similar proficiency within months. He also referenced a new class of malware designated PROMPTFLUX, described as capable of consulting a live AI model during attacks and rewriting its own code in real time to evade detection.
Bank Responses
DBS Group CEO Tan Su Shan publicly acknowledged the risk, stating that frontier AI models amplify the threat by enabling attackers to find weaknesses faster while also enabling banks to defend faster. She described AI overall as “a net positive” for DBS, citing gains in coding and operations. OCBC stated through its head of group operations and technology, Praveen Raina, that all AI-related solutions undergo “rigorous assessment and validation before deployment.” UOB said AI use at the bank is governed by “existing cybersecurity controls and clear internal guardrails” and that it takes “a disciplined and responsible approach to innovation.”
Standard Chartered’s global CEO Bill Winters, speaking separately, described frontier AI capability as a “sensational representation” of a broader trend of rising cyber risks, while indicating the bank is well prepared.
The Association of Banks in Singapore confirmed on April 27 that it was coordinating with member banks to monitor emerging threats, share intelligence, and align risk-mitigation approaches. ABS Director Ong-Ang Ai Boon said local banks had enhanced monitoring and incident response capabilities.
Regulatory Trajectory
Baker McKenzie’s analysis of the CSA’s broader regulatory direction notes that the May 5 parliamentary directive must be read alongside a March 2026 announcement by the CSA that it is reviewing the scope of cybersecurity standards and obligations to potentially include non-critical information infrastructure systems interconnected with CII networks. That review also encompasses enhanced regulations for telecommunications operators, a migration to post-quantum cryptography, and the planned extension of Cyber Trust Mark certification requirements to new categories of entities.
The CSA stated it would selectively share classified threat intelligence with critical information infrastructure owners and equip them with proprietary threat detection systems to complement commercial tools already in use.