Japan's FSA asks financial institutions to take nine short-term cyber measures against the frontier-AI threat

On 22 May 2026 Japan's Financial Services Agency asked financial institutions to implement nine short-term cybersecurity measures in response to a changed frontier-AI threat — covering priority-asset identification, technical-debt resolution, patching capacity, vendor contracts, risk-based patching, defences beyond patching, disruption preparedness and external collaboration — with direct senior-management involvement and a guideline timeframe of about one month.

The FSA's request responds to frontier AI accelerating the identification of vulnerabilities and generation of exploit code, anticipating a surge in vulnerabilities and patches. It asks financial institutions to implement nine short-term measures with top-executive and CISO involvement: treat frontier-AI risk as a company-wide priority; identify priority services and IT systems (prioritising externally accessible critical systems like internet banking); resolve technical debt; secure patching personnel and vendor capacity; verify vendor maintenance contracts and SLAs/SLOs; apply risk-based patching even for low-CVSS vulnerabilities; strengthen defences beyond patching (virtual patching, segmentation, MFA, EDR); prepare for proactive suspension of disrupted services; and maintain external collaboration via Financials ISAC Japan. It is a supervisory expectation, not a binding rule, with a roughly one-month guideline, and forms part of the government-wide Project YATA-Shield alongside the FSA's existing cybersecurity guidelines.