Anthropic to Brief Global Finance Watchdog on Mythos AI Model's Cybersecurity Vulnerability Findings

Britain's bank regulator expects 'quite significant disruption' from latest AI models

LONDON, May 11 (Reuters) - The head of the Bank of England's regulatory arm on Wednesday said it was "reasonable to expect quite significant disruption" to financial services from the latest AI models such as Anthropic's Mythos and ChatGPT 5.5 Instant. Sam Woods, chief executive of the ⁠Prudential Regulation Authority, cited such models' growing ability to identify vulnerabilities, and the requirement for banks to patch these - "the main driver of outages" in the financial system - at speed. Woods said firms would need to step up basic cyber hygiene and respond faster, with ⁠AI-driven defences becoming more important. He was speaking at UK Finance's Growth Delivery Summit. Anthropic rolled out its latest AI model, Mythos, to a ⁠limited number of businesses in April. It is viewed by cybersecurity experts as posing challenges to ⁠the banking industry and its legacy technology systems, although a BoE co-led cyber ⁠group determined last month that the sector was prepared for those challenges. Reporting by Phoebe Seers; Editing by Kevin Liffey and Alex Richardson Our Standards: The Thomson Reuters Trust Principles., opens new tab

Anthropic is briefing the Financial Stability Board on what Mythos has been finding

Bank of England Governor Andrew Bailey, who chairs the global financial-risk watchdog, has invited the company to present to G20 finance ministries and central banks. The model that worried him is the model now being explained. Anthropic is preparing to brief the Financial Stability Board on the cybersecurity vulnerabilities its Mythos model has been identifying in the global financial system, the Financial Times reported on Monday, citing people familiar with the plan. The briefing has been requested by Andrew Bailey, the Bank of England governor and FSB chair, and will be delivered to G20 finance ministries and central banks under the board's umbrella. Bailey is the right person to have made the call. In an April 15 speech at Columbia University, he named Mythos by name, alongside the Gulf escalation, as one of the two events that had moved cyber up regulators' risk ranking 'faster than any other category in recent years'. 'It would be reasonable to think that the events in the Gulf are the most recent challenge to us in this world,' Bailey said, 'until, I think it was last Friday, you wake up to find that Anthropic may have found a way to crack the whole cyber risk world open.' Mythos was announced last month, but has not been released. Anthropic describes it as a cybersecurity model designed to surface long-standing vulnerabilities in browsers, infrastructure, and software, and has claimed it has already found thousands of high-severity flaws across major operating systems and browsers. When directed to develop working exploits against those flaws in internal testing, the model reportedly succeeded on the first attempt in more than 83% of cases. The dual-use implications were obvious to regulators before the model went on the road. The FSB briefing closes a regulatory arc that began with Bailey's speech and has since pulled in jurisdictions on three continents. UK banks were given their own Mythos briefing within days of the Columbia remarks. The Federal Reserve and US Treasury convened the chief executives of major American banks on the same risk shortly afterwards. Australia's securities regulator joined the watch-list in early May. Euro-area finance ministers raised access demands of their own, and Mythos has since been delivered into Japanese megabanks, as we reported last week. What the briefing will not resolve is the access question. Mythos is currently being made available under 'Project Glasswing', the controlled-access programme Anthropic has set up to limit who can run the model and against what. Roughly 40 to 50 organisations have early access, including AWS, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan. Bank supervisors outside that list have, on the public record, been pressing for either direct access or a regulator-mediated equivalent, and the FSB session will be the first time those requests are coordinated rather than nationally. The political subtext is harder than the technical one. The model being briefed to G20 financial regulators is a US-headquartered AI system whose distribution and military access have, separately, been the subject of an ongoing fight between Anthropic and the Trump administration. Regulators on the receiving end will be aware that the company appearing in front of them has, in parallel, been negotiating its export profile with Washington. Anthropic and the FSB had not responded to Reuters requests for comment by Monday afternoon, and the timing of the actual briefing has not been publicly disclosed. Mythos is the first publicly disclosed AI system that has, on its developer's own account, found exploitable vulnerabilities in 'every major operating system and web browser'. The FSB briefing is, in essence, the first time the global financial-supervision community will sit in a room together and ask what the practical implications of that finding are. The question Bailey raised at Columbia, of how much harder the model has made the attack side relative to the defence side, is still the central one.

Anthropic to share Mythos cyber flaw findings with global finance watchdog

Startup has declined to release Claude Mythos AI model publicly amid fears it could be used by hackers Anthropic is to brief the global finance watchdog on the implications of its Claude Mythos AI model, whose potential threat to cyber defences has alarmed experts. The US startup will discuss Mythos with the Financial Stability Board, which is chaired by the governor of the Bank of England, Andrew Bailey. Anthropic has declined to release Mythos publicly, after announcing that it had advanced capabilities in highlighting previously unknown flaws in IT systems - which could be utilised by hackers. Instead, the company has given access to the model to a group of tech companies and banks, including Apple and JP Morgan, to help them identify any weaknesses that Mythos might locate. The FSB plan, which was first reported by the Financial Times, was confirmed by a source familiar with the discussions between the regulator and Anthropic. The UK's AI Security Institute (AISI), which assesses advanced AI models, issued an updated appraisal of Mythos last week after scrutinising the version that has been released to banks and tech companies. It said the latest iteration it had seen represented a "notable capability jump" even on the preview version it had tested the previous month. AISI said the latest version of Mythos had completed a previously unsolved cybersecurity test, dubbed "cooling tower", in three out of 10 attempts. This was a first for any model tested by AISI. "Frontier AI's autonomous cyber and software capability is advancing quickly: the length of cyber tasks that frontier models can complete autonomously has doubled on the order of months, not years," AISI said. AISI added that it was developing new, tougher hacking tests to keep track of AI models' progress. The FSB monitors and makes recommendations about the global financial system and includes officials from leading economies including the US, the UK, Australia and China. Its steering committee includes senior central bank and finance ministry officials. This month the International Monetary Fund warned that financial stability risks were rising due to "fast-moving" developments in AI and called for a coordinated response. "Cyber risk does not respect borders. As AI capabilities spread across countries, inconsistent oversight could weaken a globally interconnected system," the IMF said in a blog post. The chief executive of Goldman Sachs, David Solomon, said last month he was "hyper-aware" of the capabilities of Mythos. JP Morgan's CEO, Jamie Dimon, added last month that AI had made cyber defence "harder" although it could ultimately help companies defend themselves against hackers. Other experts have also sought to temper fears over Mythos, arguing that it represents an evolution in cyber threats rather than a revolution. Cybersecurity experts caution that most breaches still come from well-established risks such as weak authentication and already known vulnerabilities that have not been patched. The FSB and Anthropic have been approached for comment.

UK regulators warn of new threats from frontier AI models

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community. UK authorities are warning that frontier AI models represent a step-change in capability, with significant implications for cyber security and operational resilience. They note that the capabilities of current models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost. The UK banking industry is already grappling with the threats posed by Anthropic's Mythos model, which has uncovered thousands of zero-day exposures in Web browsers and operational systems. States the FCA: "As more advanced models become available, these risks are expected to increase. Firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed." Banks experimenting with Mythos have found that the model is adept at pinpointing several hundred to thousands of vulnerabilities that are ranked low to moderate. The banks have found that the tool is able to chain some of these lower-risk vulnerabilities together to create bigger threats. The model is also proving expert at finding vulnerabilities in proprietary and open-source code, putting banks under pressure to speed up the process of upgrading their aging technology. Regulators say it is "essential" that firms have effective protective, detective, threat containment and cyber response capabilities to address faster and more disruptive frontier AI-driven attacks. The Government and UK financial authorities judge that firms should be taking active steps across several domains, including governance and strategy from senior management, increased investment and resource decisioning, identification and risk management of vulnerabilitie, stronger access control, awareness of third party risks, and response and recovery procedures.

Anthropic Will Update Regulators on Mythos' Cyber Vulnerability Findings | PYMNTS.com

The AI startup agreed to meet with members of the Financial Stability Board (FSB) to discuss Anthropic's Mythos model, the Financial Times reported Monday (May 18). The meeting was requested by Bank of England Governor Andrew Bailey, who is also a member of the FSB, a watchdog group of finance ministry officials, central bankers and securities regulators from G20 countries, the report said. Many FSB members have grown concerned that Mythos and AI models from other tech companies in the United States could expose weaknesses in banks' cyber defenses, according to the report. Anthropic said last month that Mythos had "found thousands of high-severity vulnerabilities, including some in every major operating system and web browser," adding that the fallout "for economies, public safety and national security -- could be severe," per the report. Only a handful of companies, most in the U.S., have gotten access to Mythos due to security concerns. This has left many organizations and regulators concerned about uneven protection levels, the report said. Among the companies that have been granted access are Amazon, Microsoft and JPMorgan Chase, according to the report. Anthropic has agreed to keep distribution limited per a request from the White House. The FSB is putting together a report on "sound practices" for adopting AI in the financial system, which it aims to release for consultation in June, the report said. Other regulators are also expressing concerns. The International Monetary Fund warned this month that AI-driven cyber risk should be considered a financial stability issue because attacks can impact payment systems, confidence and liquidity at the same time. AI is "compressing the cost and skill required to turn hacking into a scale business," PYMNTS reported last week. Google researchers described May 11 what they believe to be the first observed case of an AI-developed zero-day exploit tied to a planned mass exploitation campaign. It's an event that security analysts inside and outside Google see as a sign of a larger transition toward an industrial-scale cyber threat landscape.

BoE regulator warns of disruption from latest AI models By Investing.com

Investing.com -- The Bank of England's regulatory arm warned Wednesday that the latest artificial intelligence models could cause significant disruption to financial services. Sam Woods, chief executive of the Prudential Regulation Authority, said it was reasonable to expect considerable upheaval from AI systems such as Anthropic's Mythos and ChatGPT 5.5 Instant. Woods highlighted the growing capability of these models to identify system vulnerabilities. He noted that banks must patch these weaknesses quickly, describing patching as the main driver of outages in the financial system. The regulatory chief said financial firms would need to improve basic cyber hygiene and respond more rapidly to threats. He added that AI-driven defenses were becoming increasingly important. Woods made the remarks at UK Finance's Growth Delivery Summit. Anthropic released its latest AI model, Mythos, to a limited number of businesses in April. Cybersecurity experts view the technology as presenting challenges to the banking industry and its legacy technology systems. A Bank of England co-led cyber group determined last month that the sector was prepared for those challenges. This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.

UK firms should take steps to limit risks from frontier AI models, UK says

LONDON, May 15 (Reuters) - British companies should take steps to plan for and mitigate risks from new artificial intelligence models, the country's finance ministry, the Bank of England and the Financial Conduct Authority regulator said on Friday. "The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost," they said in a joint statement. "These capabilities, if used maliciously, amplify cyber threats to firms' safety and soundness, customers, market integrity, and financial stability." Last month BoE governor Andrew Bailey said he saw major cybersecurity risks from Anthropic's Mythos product. Mythos has drawn warnings from cyber experts about its potential to supercharge complex cyberattacks which could challenge the banking industry and its existing technology. (Reporting by Muvija M; writing by Suban AbdullaEditing by William Schomberg)

Britain's bank regulator expects 'quite significant disruption' from latest AI models

LONDON, May 11 (Reuters) - The head of the Bank of England's regulatory arm on Wednesday said it was "reasonable to expect quite significant disruption" to financial services from the latest AI models such as Anthropic's Mythos and ChatGPT 5.5 Instant. Sam Woods, chief executive of the Prudential Regulation Authority, cited such models' growing ability to identify vulnerabilities, and the requirement for banks to patch these - "the main driver of outages" in the financial system - at speed. Woods said firms would need to step up basic cyber hygiene and respond faster, with AI-driven defences becoming more important. He was speaking at UK Finance's Growth Delivery Summit. Anthropic rolled out its latest AI model, Mythos, to a limited number of businesses in April. It is viewed by cybersecurity experts as posing challenges to the banking industry and its legacy technology systems, although a BoE co-led cyber group determined last month that the sector was prepared for those challenges. (Reporting by Phoebe Seers; Editing by Kevin Liffey and Alex Richardson)