




      The structural shift

      What is happening in cyber is no longer episodic. Capability disclosures from frontier AI laboratories, MAS engagement with financial institutions on AI-driven cyber threats, and CSA's advisory on frontier AI models all point to the same conclusion: a structural shift is underway. Singapore's regulators and government have made the position clear. This is a board and senior management matter, requiring enhanced threat exposure management driven from the top.

      Recent capability demonstrations from frontier AI laboratories, including the autonomous discovery of decades-old vulnerabilities in widely deployed software, have been independently assessed by national security agencies. They mark the point at which long-standing assumptions about cyber risk no longer hold. Frameworks, controls and policies calibrated to a slower, human-bounded threat economy are no longer fit for purpose. What we are seeing is not an isolated episode. It is the start of a new operating regime in which the speed, scale and sophistication of cyber-offensive capability are no longer bounded by the supply of skilled human attackers.

      The implications cut across governance, risk, controls and assurance. They are most immediate for financial institutions and Critical Information Infrastructure operators in Singapore, but the structural shift applies to enterprises across all sectors. The question for boards and senior management is no longer whether to respond, but how quickly and across which dimensions.



      Frontier AI and Cyber Risk: What Enterprises should do now

      Cyber Advisory

      THREE AREAS REQUIRING SENIOR ATTENTION

      What changes for the enterprise

      The response cuts cleanly across three dimensions. Each requires action from a different layer of the organisation, and none can be addressed in isolation.



      01

      Board and Senior Management Accountability

      Cyber risks in the age of frontier AI cannot sit primarily with technology teams. Boards and senior management set the tone that this is a leadership matter, mandate the recalibration of the organisation's risk posture in response to the shift in threat landscape, and change the questions they ask of management. Audit Committees in particular should expect a different shape of reporting, anchored on operational indicators rather than control attestations alone.


      02

      Recalibration of Risk and Control Frameworks

      Existing technology and operational risk assessments were calibrated to a threat economy in which exploit development was expensive, slow and concentrated in the hands of skilled human attackers. That assumption no longer holds. Risk taxonomies, materiality thresholds, third-party assessments and the metrics reaching the CRO require re-baselining to reflect AI-compressed attacker timelines and the chaining of previously low-severity vulnerabilities into materially exploitable paths.


      03

      Operational Velocity and Assurance

      The operational tempo expected of cyber functions is shifting. The window between vulnerability disclosure and active exploitation, once measured in months, is now routinely measured in days or hours, and a meaningful share of exploitation precedes the availability of any patch. CVSS-only prioritisation and quarterly attack-surface reviews are no longer sufficient. Internal Audit must now test what was not previously tested, and the assurance evidence flowing to the board must keep pace with the new operating tempo.





      The fundamentals of cyber security still hold. What changes is the tolerance for slowness, and the cost of accumulated neglect.
      Gerry Chng

      Partner, Head of Cyber, Advisory

      KPMG in Singapore


      HOW KPMG CAN SUPPORT

      Working through the shift, with you

      KPMG in Singapore brings together cyber advisory, strategy design and implementation services to help organisations move at the velocity this new regime demands, without losing the rigour their boards and regulators expect.


      • Board, Audit Committee and Senior Management briefings

        Private sessions on the structural shift, accountability expectations under the Singapore regulatory posture, and the questions directors and Audit Committee members should now be asking of management.

      • Recalibration of risk and control frameworks

        Targeted re-baselining of risk taxonomies, materiality thresholds and third-party risk views, including revalidation of prior assessment outcomes against the shift in threat landscape, to surface gaps that were not material under earlier assumptions.

      • Operating model uplift across the three lines

        Recalibration across all three lines: first-line operations (patch velocity, attack surface, security operating model), second-line oversight (control design, risk metrics, board reporting), and third-line assurance (audit scope, testing, evidence).

      • Targeted technical readiness

        External exposure audit, detection and response uplift with greater emphasis on behavioural and exposure-based defence, supply-chain and SBOM review, and platform architecture reviews aligned to the post-frontier-AI threat landscape.





      FREQUENTLY ASKED

      Common questions on frontier AI and cyber risk

      A short orientation for boards, senior management and risk leaders engaging with this topic for the first time.

      Frontier AI is making cyber-offensive capability faster, cheaper and more widely accessible. Capabilities that previously required scarce specialist expertise, such as discovering exploitable software vulnerabilities or chaining low-severity flaws into a working attack, can now be performed at scale by AI systems. The result is a shift in the underlying economics of cyber risk that affects nearly every enterprise, not only those traditionally seen as high-value targets.

      Boards and senior management should treat this as a leadership matter rather than a technology matter. That means setting the tone that the organisation will recalibrate its risk posture, mandating a refresh of risk assessments and key risk metrics, and changing the questions asked of management in oversight forums. Audit Committees should expect a different shape of reporting, anchored on operational indicators rather than control attestations alone.

      The window between a vulnerability becoming known and being actively exploited has compressed from months to days or hours, and a meaningful share of exploitation now occurs before any patch is available. Patch cycles built around 30-day SLAs and CVSS-based prioritisation are no longer sufficient as primary controls. Effective response now relies on continuous attack-surface visibility, exposure-based prioritisation, and behavioural defence in addition to patching.

      CII operators face the strongest combination of regulatory expectation and operational exposure. CSA's advisory on frontier AI models signals that supervisory attention will follow, and the sectors covered under the Cybersecurity Act, including financial services, energy, healthcare, telecommunications and government, are likely to face elevated assurance requirements. Operators should begin the recalibration of risk frameworks, controls and assurance evidence ahead of, rather than in response to, supervisory follow-up.

      KPMG in Singapore offers private briefing sessions for boards, Audit Committees and senior management, alongside services covering risk assessment re-baselining, operating model uplift across the three lines of defence, and targeted technical readiness work. Sessions and engagements are scoped to the organisation's profile, sector and existing maturity. The starting point for most clients is a private session with their Line 1, 2 and 3 leadership.



      WHAT YOU WALK AWAY WITH

      A clearer view, a sharper conversation, a defensible plan.


      For the board and senior management

      A clear-eyed view of where the organisation stands against the new threat landscape, and the questions to put to management.


      For risk and compliance leadership

      A working position on which assessments require revalidation, and which metrics now belong in the CRO pack.


      For the cyber and assurance functions

      A defensible recalibration plan for operations, controls and audit testing, sequenced for the months ahead.



      SCHEDULE A BRIEFING

      A structured conversation with your three lines, on your terms.

      We are running private sessions for boards, Audit Committees and senior management across Singapore's financial services and Critical Information Infrastructure sectors. The session is offered without cost, and the discussion remains entirely yours.

      Discover What We’ll Explore in This 90-Minute Live Session at Your Office

      1. The structural shift — what is genuinely different about the current generation of AI-enabled offensive capability, evidenced rather than speculative, and what has been independently validated by the UK AI Security Institute and others. (10 min)

      2. The Singapore regulatory posture — what MAS, CSA and MDDI have signalled, the accountability framing for boards and senior management, and what supervisory follow-up is likely to look like. (10 min)

      3. What changes for each line of defence (35 min)

      • Line 1 (IT and CISO): the compressed time from vulnerability discovery to exploit, the breakdown of CVSS-only prioritisation when low-severity bugs are chained into working exploits and volume overwhelms capacity, the external attack surface as a continuously monitored discipline rather than a quarterly scan, and what an AI-speed SOC actually requires.

      • Line 2 (Risk and Compliance): the technology and operational risk assessments that need to be re-performed to surface gaps that were not material before, the metrics that should now appear in the CRO's pack (patch-to-exploit window by criticality tier, time-to-detect for autonomous multi-stage attacks, third-party CVE blast-radius) and how risk appetite statements need to be re-expressed when AI compresses attacker timelines.

      • Line 3 (Internal Audit): the assurance posture shift where existing TRM-based audit programmes have blind spots against AI-enabled threats, the changes to the risk universe, and the evidence boards and Audit Committees should be requesting on a quarterly cadence.

      4. KPMG's point of view — what we believe an FI of your profile should have completed, have in flight, and have on the roadmap as this new operating regime takes hold. (10 min)

      5. Open discussion (25 min)
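The Line 1 and Line 2 points above, and the FAQ answer on exposure-based prioritisation, both turn on two things a risk function can actually compute: a patch-to-exploit window per criticality tier, and a ranking that puts in-the-wild exploitation and internet exposure ahead of the CVSS score alone. The script below is an added illustration, not KPMG's tooling; the vulnerability records, tiers and dates are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    vuln_id: str                      # constructed label, not a real CVE
    cvss: float
    tier: str                         # asset criticality tier, "T1" (most critical) to "T3"
    internet_facing: bool
    exploit_observed: Optional[date]  # first in-the-wild exploitation seen, if any
    patch_available: Optional[date]   # vendor fix date, if any
    patched: Optional[date]           # date the organisation closed the finding, if any

# Constructed sample register: a high-CVSS internal bug nobody is exploiting,
# and three lower-scored bugs on exposed T1/T2 assets that are being exploited.
FINDINGS = [
    Finding("VULN-A", 9.8, "T3", False, None, date(2025, 3, 1), date(2025, 3, 20)),
    Finding("VULN-B", 5.3, "T1", True, date(2025, 3, 2), date(2025, 3, 5), None),
    Finding("VULN-C", 7.5, "T1", True, date(2025, 3, 10), date(2025, 3, 4), date(2025, 3, 12)),
    Finding("VULN-D", 4.3, "T2", True, date(2025, 3, 6), date(2025, 3, 6), date(2025, 3, 30)),
]

def patch_to_exploit_days(f: Finding) -> Optional[int]:
    """Days from patch availability to observed exploitation; negative means exploited before a patch existed."""
    if f.exploit_observed is None or f.patch_available is None:
        return None
    return (f.exploit_observed - f.patch_available).days

def window_by_tier(findings) -> dict:
    """Median patch-to-exploit window per criticality tier: the CRO-pack metric named above."""
    by_tier: dict = {}
    for f in findings:
        d = patch_to_exploit_days(f)
        if d is not None:
            by_tier.setdefault(f.tier, []).append(d)
    return {t: median(v) for t, v in by_tier.items()}

def pre_patch_exploited(findings) -> int:
    """Count of findings exploited in the wild before any patch was available."""
    return sum(1 for f in findings if f.exploit_observed is not None
               and (f.patch_available is None or f.exploit_observed < f.patch_available))

def cvss_order(findings) -> list:
    """CVSS-only prioritisation: highest base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]

def exposure_order(findings) -> list:
    """Exposure-based prioritisation: exploited-in-the-wild first, then internet-facing, then asset tier, CVSS last."""
    key = lambda f: (f.exploit_observed is None, not f.internet_facing, f.tier, -f.cvss)
    return [f.vuln_id for f in sorted(findings, key=key)]
```

On the sample data the CVSS-only queue puts the unexploited internal VULN-A first, while the exposure-based queue pushes it to the back and surfaces the exploited T1 findings, which is the breakdown of CVSS-only prioritisation the briefing describes.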



      For Line 1 (IT and CISO), a concrete picture of the operational shifts that need to land first — patch velocity, attack surface visibility, SOC operating model — and where existing controls need to be tightened.

      For Line 2 (Risk and Compliance), the metrics that should be reaching the CRO, and the types and coverage of risk assessments that need to be re-performed.

      For Line 3 (Internal Audit), the questions Internal Audit should now be asking of management, the changes to the risk universe, and the evidence boards and Audit Committees should be requesting.

      And across all three lines, a common understanding of the changes and ways of working to effectively uplift the risk management of the FI against the new threat landscape.

      This is a closed-door session, and the briefing is offered without cost as part of our ongoing relationship. If the discussion surfaces areas where you would value our help, we are happy to talk that through separately.


      Gerry Chng

      Partner, Head of Cyber, Advisory

      KPMG in Singapore