Five Eyes warning: AI turns cyber incidents into business crises — act now
On June 22, 2026, the heads of cybersecurity agencies from five countries — the US, UK, Australia, Canada, and New Zealand — signed a joint statement. Five of the world's most capable state intelligence agencies don't issue joint public statements often. When they do, it's worth reading carefully.
The message: cybersecurity is no longer an IT issue. It is a business responsibility — and AI is dramatically compressing the time you have to act.
What they actually said — and why this isn't a routine advisory
The joint statement is direct: "Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years — it is months."
Three specific statements from the primary text are worth keeping in mind:
- "Incidents that were once manageable can escalate into major operational and financial crises" — this is especially true for businesses without a recovery plan.
- "Cyber resilience is not an IT issue — it is central to operational continuity and market trust" — the framing has shifted: this is a business responsibility, not just technical hardening.
- "Success will not come from having the most tools. It will come from getting the basics right" — this applies directly to SMBs that tend to buy point solutions rather than build resilience.
Why this matters for your business — not just large enterprises
The Five Eyes nominally address "leaders of large organizations." But the reality for small and medium businesses is the reverse: you are more exposed, not less. Fewer resources, older systems, less capacity to respond — and now facing the same AI-enhanced threat actors that previously focused on enterprise targets.
AI compresses the cost of attack. That means being "small" no longer protects you. When a model can automatically scan thousands of companies and surface vulnerabilities, you don't have to be a deliberate target — you just have to be exposed.
There is also a compliance dimension: if your business uses AI systems — chatbots, automations, decision-support tools — the EU AI Act already imposes governance and security obligations on you. A cybersecurity incident affecting those systems isn't just a technical problem — it's potentially a regulatory and liability issue. The Air Canada case established the principle clearly: a business is liable for what its AI does.
"Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk." — Five Eyes, June 2026
The five urgent actions they're calling for (and what they mean in practice)
The agencies give five specific steps, explicitly labeling them "not new — now urgent":
1. Reduce your attack surface
Which of your systems are exposed to the internet without good reason? Who has access to what? Isolate what doesn't need to be open. You can't protect what you don't know you have — and AI-powered reconnaissance makes inventory gaps dangerous.
2. Accelerate security updates
AI is shortening the time between vulnerability discovery and exploitation. Delays in patching are now far more dangerous than they used to be — especially for operational systems with long update cycles. Prioritize security updates accordingly.
3. Address legacy systems
Unsupported software isn't just technical debt. It's a strategic liability: an easy target for automated attacks. Every quarter you delay is a quarter of elevated, avoidable exposure.
4. Strengthen identity and access controls
MFA everywhere, minimum necessary permissions, regular review of who can access critical systems and data. This is the single highest-ROI step for most small businesses — and one of the most frequently skipped.
5. Prepare for incidents before they happen
"Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises." Do you have a response plan? Have you tested it? Does your team know what to do if something happens today?
Cybersecurity and EU AI Act: the dual obligation
If you use AI in your business, you face two parallel requirements: technical hardening against AI-enhanced cyberattacks, and compliance with the EU AI Act for your own AI systems. These aren't separate — a cybersecurity incident affecting a high-risk AI system triggers regulatory reporting obligations as well.
The bottom line: if you don't know where you stand on cybersecurity and AI compliance, you can't act effectively. And the window, as the Five Eyes make clear, is closing — in months, not years.
Do you know where your business is exposed?
The Shielding Audit maps one of your AI systems, classifies it by risk category, and shows you the security and compliance gaps in priority order. It starts with a free 45-minute session.