Deepfake fraud has already cost individual companies tens of millions — but K2 Integrity’s Matt Flegg argues the more significant development is regulatory. The UK’s Economic Crime and Corporate Transparency Act exposes large firms to unlimited fines for failure to prevent deepfake-enabled fraud, while the updated corporate governance code requires board-level declarations of control effectiveness covering cyber and fraud channels.
Deepfakes are crossing new risk thresholds: from online curiosities to enterprise-scale fraud, market-moving disinformation and executive impersonation on live video calls. In recent public cases, attackers cloned the faces and voices of senior leaders to induce fund transfers, resulting in massive losses.
Other potential vectors include altering vendor details or seeding reputational crises. The tools are cheap, the attacks fast and the impact material. However, regulators are stepping in. The UK’s Economic Crime and Corporate Transparency Act (ECCTA) and updates to the corporate governance code (Provision 29) are driving fresh expectations around controls, disclosure and accountability.
The evolution of deepfakes
While image manipulation dates back centuries, the digital deepfake story really took off in 2014, with academic breakthroughs in generative adversarial networks (GANs). Since then, catalyzed by social media and election manipulation, open-source tools and “deepfake-as-a-service” platforms have democratized access, enabling increasingly realistic face and voice synthesis.
Attackers now deploy these tools live on video calls or call-forwarding apps, turning technology into a real-time weapon.
Over just the past few years, this risk has proliferated:
- In 2024, a Hong Kong finance employee participated in a realistic video meeting featuring a deep-faked CFO and colleagues, ultimately paying around $25 million before the fraud was detected. The scale of the loss and the use of a multi-person video conference demonstrate the sophistication of the fraud.
- In 2025, a finance director of a Singaporean corporation was duped by an AI-generated CFO impersonation, executed primarily via WhatsApp and a Zoom call. Authorities recovered most of the $499,000 wired in the incident.
These cases show how effective deepfakes have become. The synthetic face or voice rarely works alone: it amplifies classic trust exploitation, layered on top of reconnaissance, phishing, manufactured urgency and pressure to release payment quickly, before anyone verifies the request out of band.
Rising regulatory pressure: ECCTA & Provision 29
In the UK, the regulatory and governance landscape has been evolving to counter a range of corporate threats, including the rise of deepfakes. Two of the most relevant developments are the Economic Crime and Corporate Transparency Act (ECCTA) and the corporate governance code’s Provision 29.
Economic Crime and Corporate Transparency Act
With its failure to prevent fraud offense in force from September 2025, this landmark UK legislation introduces a raft of provisions under which inadequate deepfake risk management can have significant consequences for a business. The provisions include:
- “Failure to prevent fraud” offense for large organizations: a large company can be prosecuted when an employee, agent or other associated person commits a fraud intended to benefit it or its clients, unless it can show it had reasonable fraud prevention procedures in place. Fines are unlimited. Note that the offense bites on deepfake-enabled fraud run from inside the organization or on its behalf, so prevention procedures must cover that scenario and not only attacks in which the company itself is the victim.
- Wider corporate liability: the act reforms the identification doctrine so that an organization is criminally liable for economic crimes, including fraud, committed by a senior manager acting within the actual or apparent scope of their authority. This underlines the expectation of top-down oversight.
- Enhanced powers for Companies House, including identity verification for directors and persons with significant control, making identity integrity a compliance requirement.
Corporate governance code: Provision 29
Provision 29 applies to financial years beginning on or after 1 January 2026. From then, board-level reporting and disclosures on material internal controls will need to address fraud channels such as social engineering, business email compromise and deepfake schemes; in addition, boards must:
- Include a formal declaration on the effectiveness of material internal controls covering cyber and fraud channels.
- Disclose any control failures and remediation actions.
- Show continuous monitoring of risk frameworks and internal controls.
Mitigation tactics for compliance and resilience
No single control will defeat a threat evolving as rapidly as deepfake technology. What is required is a layered architecture of governance, detection and culture.
- Strengthening governance: Policies should reflect that seeing or hearing is no longer sufficient for verification, embedding callback procedures and multi-person approval requirements for financial transactions or vendor changes. Risk mapping should be aligned to Provision 29, with board oversight extending explicitly to fraud, deepfake, cyber and third-party risk frameworks.
- Controls and detection: Tiered verification thresholds should be established so that material transactions, news releases or identity changes require robust sign-off and documentation checks. Tools should be deployed across security operations centers and conferencing gateways, supported by clear escalation protocols.
- Processes and culture: Scenario-based training should be introduced for finance and HR teams, incorporating voice and video deepfake drills alongside tabletop exercises for boards. Organization-wide adoption of the “VOICE” checklist — verify callbacks, observe anomalies, involve peers, confirm details, escalate — provides a practical framework for day-to-day vigilance.
- Crisis readiness: Boards should approve playbooks aligned to Provision 29 covering both operational and reputational response, with detection and takedown workflows ensuring content can be traced, attributed and responded to swiftly. Organizations should also confirm that cyber insurance coverage is appropriate and that external advisors have sufficient experience to support effectively in the event of an attack.
- Third-party governance: Supplier contracts should stipulate clear verification protocols and notification obligations in the event of deepfake fraud attempts, ensuring third-party exposure is governed with the same rigor applied internally.
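As an added illustration of the tiered verification described in the governance and controls bullets above (example code written for this page, not from K2 Integrity or the article's author), the following Python policy check evaluates a payment or vendor-change request against amount thresholds, a callback to the contact details held on file and independent-approver rules. The thresholds, vendor records and scenarios are constructed assumptions. The point it makes is that a convincing face or voice on a call contributes nothing to the decision, that urgency over a live channel raises the tier rather than lowering it, and that a phone number supplied in the request can never be the one used for the callback.

```python
from __future__ import annotations
from dataclasses import dataclass

# Illustrative thresholds: assumptions for this example, not figures from the article.
TIER1_AMOUNT = 10_000             # callback to details on file from here up
TIER2_AMOUNT = 100_000            # two approvers plus document checks from here up
VENDOR_CHANGE_COOLING_DAYS = 30   # freshly changed beneficiary details are treated as tier 2
LIVE_CHANNELS = {"video", "voice", "chat"}


@dataclass(frozen=True)
class VendorRecord:
    phone_on_file: str            # captured at onboarding, never taken from a request
    days_since_last_change: int


@dataclass(frozen=True)
class PaymentRequest:
    amount: float
    beneficiary: str
    requested_by: str
    channel: str                  # "video", "voice", "chat", "email", "portal"
    urgent: bool = False
    phone_in_request: str | None = None   # any number the requester asks us to call


@dataclass(frozen=True)
class Evidence:
    approvers: tuple[str, ...] = ()
    callback_number: str | None = None    # number actually dialled for verification
    callback_confirmed: bool = False
    documents_checked: bool = False


def tier(req: PaymentRequest, vendor: VendorRecord | None) -> int:
    """Highest tier triggered by amount, beneficiary state or pressure tactics."""
    t = 0
    if req.amount >= TIER1_AMOUNT:
        t = 1
    if req.amount >= TIER2_AMOUNT:
        t = 2
    if vendor is None or vendor.days_since_last_change < VENDOR_CHANGE_COOLING_DAYS:
        t = max(t, 2)   # unknown or recently altered details: the classic fraud set-up
    if req.urgent and req.channel in LIVE_CHANNELS:
        t = max(t, 2)   # urgency on a live call raises scrutiny, never shortcuts it
    return t


def required_controls(t: int) -> set[str]:
    controls = {"one_approver"}
    if t >= 1:
        controls.add("callback_on_file")
    if t >= 2:
        controls.update({"two_approvers", "documents_checked"})
    return controls


def evaluate(req: PaymentRequest, vendors: dict[str, VendorRecord],
             ev: Evidence) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Seeing or hearing the requester counts for nothing."""
    vendor = vendors.get(req.beneficiary)
    needed = required_controls(tier(req, vendor))
    approvers = set(ev.approvers)
    reasons: list[str] = []
    if req.requested_by in approvers:
        reasons.append("requester cannot approve their own request")
    if not approvers:
        reasons.append("at least one approver required")
    if "two_approvers" in needed and len(approvers) < 2:
        reasons.append("two independent approvers required at this tier")
    if "callback_on_file" in needed:
        if not ev.callback_confirmed:
            reasons.append("callback to contact on file not completed")
        elif vendor is None:
            reasons.append("no beneficiary record on file to call back")
        elif ev.callback_number != vendor.phone_on_file:
            reasons.append("callback went to a number that is not on file")
    if req.phone_in_request and ev.callback_number == req.phone_in_request:
        reasons.append("callback used the number supplied in the request")
    if "documents_checked" in needed and not ev.documents_checked:
        reasons.append("supporting documents not checked")
    return (not reasons), reasons


# Constructed vendor master and scenarios (assumptions, not real records).
VENDORS = {
    "ACME-001": VendorRecord(phone_on_file="+44 20 7946 0000", days_since_last_change=400),
    "NEWCO-777": VendorRecord(phone_on_file="+44 20 7946 0999", days_since_last_change=2),
}
SCENARIOS = [
    # "CFO" on an urgent video call pushes a new beneficiary; the clerk on the call approves
    # alone and calls back the number the "CFO" gave. Every control the policy needs fails.
    ("deepfake_cfo_on_video",
     PaymentRequest(25_000_000, "NEWCO-777", "cfo", "video", urgent=True,
                    phone_in_request="+852 5555 0000"),
     Evidence(approvers=("finance.clerk",), callback_number="+852 5555 0000",
              callback_confirmed=True)),
    ("routine_invoice",
     PaymentRequest(8_000, "ACME-001", "ap.manager", "email"),
     Evidence(approvers=("finance.lead",))),
    ("mid_value_with_callback",
     PaymentRequest(50_000, "ACME-001", "ops", "voice"),
     Evidence(approvers=("finance.lead",), callback_number="+44 20 7946 0000",
              callback_confirmed=True)),
]


def run_scenarios() -> dict[str, tuple[bool, list[str]]]:
    return {name: evaluate(req, VENDORS, ev) for name, req, ev in SCENARIOS}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_scenarios().items():
        print(name, "ALLOWED" if allowed else "BLOCKED", reasons)
```

In the first scenario the policy blocks the transfer on four independent grounds, even though the requester was seen and heard on a multi-person call; in a real system the same rules would sit in the payment or vendor-master workflow, with each failed check producing an escalation rather than a silent rejection.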
Why engagement matters
Regulators increasingly expect deepfake risk management to be embedded in corporate governance. The ECCTA demands procedures to prevent fraud, while Provision 29 requires board-level declarations of control effectiveness and transparency regarding failures.
Failure to prepare is now not just poor risk management; it can trigger regulatory sanctions, reputational damage and even criminal liability.
Deepfakes have converted perception into a proven attack vector, a challenge that must be governed as fraud, cyber and operational risk. Regulators in the UK are setting the bar high: ECCTA and Provision 29 are carving paths toward corporate liability based on controls and disclosure, not just failure. A layered approach — comprising governance, detection, training, controls, cross-functional crisis playbooks and investigative readiness — is a legal and strategic imperative. Companies that move first will treat deepfakes not as a future threat but as a pillar of contemporary governance.