What’s New in the Communications and Telecom Industry with AI Cyber Risks?
Meetings with communications and telecom boards and C-suites are becoming, if they have not already become, a regular item on our and our clients’ calendars. Their interest in AI (artificial intelligence) risk, cybersecurity risk, and the intersections between them is unsurprising. Telecommunications companies have core assets that are part of the definition of critical infrastructure (CI) in many countries and that touch nearly every industry and private citizen around the world through cell phones, cloud, 911 services, video signals, IoT, and much more. In short, no one can ignore telecom, or the role of AI in creating both risk and opportunity in how they think about cybersecurity, availability, and fraud.
The recent spate of high-visibility breaches and outages at communications and telecom providers in the U.S. and abroad has added to both internal and external interest in risk governance, security controls, and disclosure and reporting policies.
Artificial Intelligence (AI) / Machine Learning (ML) adoption by adversaries is reshaping risk for the Communications & Telecommunications World
Recent attacks on telecommunications providers have affected hundreds of thousands of customers and disrupted service for millions. Those breaches and outages have shown how attack vectors (SIM, phishing) and escalation vectors (SMS fraud, identity theft) can harm individuals and customers and also impact availability and operations for service providers.
The South Korean regulator has proposed record fines for SK Telecom over a 2025 SIM database breach that compromised authentication information for over 23 million subscribers, and over a delayed breach disclosure in March 2025.
Orange Belgium suffered a cyberattack that was confirmed in early June 2025. The attackers accessed a database with SIM records and could potentially decrypt PUK codes that could be used to conduct SIM swap fraud.
The Salt Typhoon APT group has compromised the telecommunications infrastructure of multiple providers by exploiting unpatched vulnerabilities in networking hardware to exfiltrate sensitive call metadata, including dialed numbers and call locations.
BT and Three UK have also suffered major outages affecting many customers. Regulators are investigating to assess whether inadequate controls may have played a role.
Attacks on telecommunications providers in recent months have highlighted the convergence of cyber and operational risk. The threats and potential impact combine data privacy, critical infrastructure resilience, and high visibility both with customers and regulators.
AI is changing the threat and defense dynamic in profound ways
Attackers are using AI/ML models to automate reconnaissance, scanning exposed services and interfaces, network and protocol stacks, and APIs to identify targets for attack far faster and on a much larger scale than manual methods. AI/ML can also automate exploit generation, writing new code to take advantage of vulnerabilities.
AI/ML is also making social engineering attacks (vishing, phishing, SMS fraud) more convincing and personalized, generating communication patterns that more closely match the writing and speaking style of trusted and expected sources, like tech support staff or even individual executives at the target organization.
Deepfake voice cloning is also an emerging risk for network operations centers (NOCs) and help desks, where, for example, attackers impersonate senior leadership to trick staff into making unauthorized changes or sharing privileged credentials and other sensitive information.
AI/ML can also be used to automate and optimize SIM swapping and account takeover attacks, in which attackers steal SIM authentication information (location, phone number, OTP) to control user accounts. That theft often is a result of a preceding breach, as with the one at SK Telecom discussed above.
Once they have that information, attackers can use it to intercept OTPs or access financial and online accounts linked to the user accounts they hijacked.
AI/ML models can also be used to test attack techniques against detection systems to identify and harden gaps and weak spots, or in adversarial testing to “poison” models and degrade their accuracy over time if proper model management and monitoring are not in place.
AI can be used for attacks that don’t trip alarms or capacity thresholds at the start, but slowly and intelligently degrade network performance over time and so are harder to detect before causing outages or service degradations. Recent probes by UK regulators in cases like BT and Three UK indicate rising concern about potential shortcomings in existing protections against service disruptions.
Supply Chain Issues Remain Important for Telecom Risk
Telecommunications infrastructure consists of hardware, software, and networks from many different vendors and service providers. Attacks that exploit vulnerabilities in these elements, from firmware to cloud service APIs and beyond, can provide a foothold into networks for further access and exfiltration.
AI/ML can also be used to automate scanning of supplier networks and services for misconfigurations and vulnerabilities to scale these threats as well.
What Should the Communications and Telecommunications Industry do Now to Manage Risk?
Communications and telecom leaders face a particular set of priorities for AI-driven cyber risk. In addition to the actions laid out in previous installments of this series, telecom-specific considerations include the following:
Identify and document assets, including AI and ML applications and services, network elements and connected services, cloud assets, and vendor interfaces with access to or control of systems or data that are sensitive, confidential, or reputationally sensitive. It is hard to build a defensible risk program without visibility and understanding of what is in scope.
Identity, access, and privilege controls and management are especially important because both human users and machines act as access vectors and potential insider threats, including at network operations centers and with API access.
Network segmentation and logical separation of trusted and untrusted inputs also create barriers to lateral movement that can protect core resources and high-value data.
AI applications, services, and associated data sets and pipelines also must be hardened and secured. Validating data inputs, understanding and validating model behavior, and securing model update mechanisms and training processes all are important because AI systems are operational production systems in their own right.
Detection and monitoring, particularly for anomalous behavior and other potential indicators of compromise (IoCs), should be layered and designed with the expectation that attackers will try to test and evade such systems. So detection controls should not be viewed as a replacement for human review and escalation.
Response and recovery planning that includes testing, communications, and roles for key functions like IT, security, legal, and compliance teams should be “lived,” not just documented. Telecom incidents, even more than other types, get attention from regulators, media, and customers quickly.
Supply chain security and third-party risk management also remain core priorities, and no single provider has visibility or control of the complete network, so supplier compromise can quickly become your incident.
Scenario planning and tabletop exercises that build cross-functional response muscle memory for complex situations (for example, combining AI, fraud, and service availability disruption scenarios) are important for telecom, just as for other high-profile sectors, to rehearse decision paths under pressure.
How to Prioritize Your Security Budget
Controls that reduce the risk of major outages or disruption to emergency services have the highest value. Identity, access, and supplier connections are both high-value attack vectors and usually places where some returns on investment are easy to find.
Invest in early detection and rapid restoration or remediation. Responding to the right signals earlier can be more effective than prevention for lower-severity risks, so find the signals.
Simplify and modernize. Controls around legacy systems and protocols are probably part of your risk landscape, but so are the time and money you are spending to protect those resources. Simple efforts to modernize or sunset those assets may yield better returns on investment.
Demands Boards and Executives should make in Terms of RISK
Boards and executives also can ask and should expect the following from CISOs and risk teams.
Risk inventory: The leaders of these teams should be able to provide a data-driven and defensible list of the most significant assets for the business, including network infrastructure elements, systems, data, contracts, and vendors; a similarly robust understanding of network and AI risks; and a supply chain mapping to the highest priority suppliers.
Risk-reduction plans: Tests of incident response, outage recovery, and communication plans that involve senior leaders and cross-functional teams should be “lived,” not just documented.
Risk, performance, and business links: Evidence of metrics or tracking that can connect cybersecurity and fraud risks to availability, and both to customer trust, retention, or other business or financial metrics, would also be valuable.
Regulatory compliance and disclosure: CISOs and risk executives should also be able to show evidence that the organization has researched applicable regulations and legal requirements in various jurisdictions, knows their implications, and is practicing what is required (for example, through disclosure playbooks or exercises).
AI management: CISOs and risk executives should have a documented, defensible approach to managing AI risk, especially regarding cyber risk that reflects duty of care.
What are the upcoming Cybersecurity Requirements that will impact the Communications or Telecommunications Industry?
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) for mid-2026 on the latest reporting requirements.
Data breach reporting obligations continue under existing FCC rules pending resolution of the updated breach rule litigation.
Communicating the Risk and How to Manage
Communications and telecom are central to modern digital life, and so to individuals, other businesses, and whole economies. AI is an enabler and a multiplier of both the opportunities and the risks inherent in how communications and telecom companies provide the underlying services. AI/ML can improve operational efficiency and enable new capabilities for communications companies. Attackers use AI/ML to scale and enhance attacks. Regulators and stakeholders expect organizations to demonstrate reasonable security by doing more than ticking compliance checklists. They want to see documented, risk-based decisions behind cybersecurity and data privacy controls that are defensible if challenged.
Because boards and C-suites are asking questions and want to see answers and evidence, having and using a reasonable security approach will make the job of demonstrating due diligence on AI-driven cyber risk easier. Duty of Care Risk Analysis (DoCRA) is a roadmap for a reasonable security strategy. It helps companies identify, prioritize, and address cyber risk across the organization. Incorporating your mission, objectives, and obligations will help build your legally defensible risk program.
To successfully approach managing risk in the age of AI, the communications and telecom industry should incorporate reasonable security into its risk strategy.
Establish reasonable security through duty of care.
With HALOCK, organizations can establish a legally defensible security and risk program through Duty of Care Risk Analysis (DoCRA). This balanced approach provides a methodology to achieve reasonable security as the regulations require.
