ECB warns eurozone banks to accelerate defenses against AI-powered cyberattacks from Mythos

ECB urges banks to quickly prepare for AI-assisted cyberattacks

FRANKFURT, May 13 (Reuters) - European Central Bank board member Frank Elderson on Wednesday urged banks in the euro area to quickly prepare for potential cyberattacks launched with the help of Anthropic's Mythos AI model or similar tools. Elderson, who is vice chair of the ECB's bank supervision arm, said in an interview in ECB publication Supervision Newsletter that euro area banks' lack of access to ⁠Mythos added to the severity of the issue. "Lack of access is not an excuse for inaction. On the contrary, it makes it even more critical that banks step up and act now," he said. Reuters reported this week that large U.S. banks, which have been granted early access to Mythos, are rushing to fix scores of data system weaknesses flagged by the tool. Mythos is viewed by cybersecurity experts as a significant challenge to the , prompting a series of warnings from regulators and policymakers. Elderson warned that banks ⁠need to brace for future AI models that enable even more aggressive cyberattacks. "We need to be able to deal with ever more capable future models that could be released in relatively quick succession," he said. The central bank's president, Christine Lagarde, said earlier this month the ECB is studying defences ⁠against Mythos-guided cyberattacks, while being at a disadvantage for lack of access to the model. Reuters reported in April that ECB supervisors would ask the banks that they monitor about their preparedness for the new source ⁠of risk. The global gap in access to the AI model could widen for Europe, with Japan's three largest banks likely to be cleared to start work with Mythos in ⁠about two weeks. Elderson said banks - and the contractors they rely on - need to quickly fix even minor vulnerabilities that have typically been patched only in longer software update cycles. Reporting by Ludwig Burger and Reinhard Becker, Editing by Linda Pasquini and Hugh Lawson Our Standards: The Thomson Reuters Trust Principles., opens new tab

ECB tells eurozone banks to tighten cyber-security as AI shifts the threat picture

Frank Elderson's message: lack of access to Anthropic's Mythos is not an excuse for slow patching. AI-led attacks are now the working assumption. The European Central Bank has formally told eurozone banks they must tighten their cyber-security posture in response to AI-led attack tools, in a follow-up statement issued on Wednesday that turns earlier private guidance into something closer to a supervisory expectation. The ECB's vice-chair of the Single Supervisory Mechanism, Frank Elderson, framed the shift in language that signals a hardening regulatory posture rather than a discussion document. The trigger remains Anthropic's Mythos, the restricted-access AI model that can autonomously discover and exploit cybersecurity vulnerabilities at machine speed. Mythos has been demonstrated to combine smaller weaknesses into more serious attacks and to reverse-engineer patches into exploitable flaws faster than older toolchains. Access has been limited by Anthropic to roughly 40 to 50 organisations including a handful of US banks; no eurozone institution sits on the list. The ECB's position, in Elderson's words earlier this month, is that "lack of access is not an excuse for inaction." Wednesday's statement extends that framing. Banks are now expected to assume that attackers will have access to AI tools of comparable capability whether or not the defenders do. The supervisory implication is that traditional, monthly software-patching cycles are no longer adequate, that contractor relationships need to be audited for the same exposure, and that the entire institutional posture around vulnerability management needs to compress to AI-attacker timeframes. The ECB has indicated it will incorporate AI-cyber readiness into supervisory dialogues with individual banks. The political and commercial backdrop has also moved. BNP Paribas is now publicly working with Mistral on a sovereign European answer to Mythos, in what is functionally a continent-wide hedge. Brussels has been in stalled talks with Anthropic for several weeks over expanding Mythos access to European institutions; Spain has described those talks as deadlocked. The ECB statement is, in effect, the supervisory side of the same problem: regulators cannot wait for the access question to resolve before insisting on a defensive posture. The harder question is what concrete change banks are actually expected to make. The ECB has not published a specific technical-controls list, partly because the threat surface is evolving faster than any static checklist would capture. The closest thing to a working playbook is the implicit expectation that banks now treat any unpatched vulnerability as a discoverable target, and that the meantime-to-patch for critical systems collapses from weeks to days or hours. Smaller eurozone banks, which have historically relied on outsourced infrastructure providers for the technical layer, are in a weaker position to deliver on that timeline than the big-three universal banks. The ECB also flagged contractor exposure as the asymmetric problem. Most eurozone banks have a long tail of third-party software providers whose patch discipline is uneven; an AI-led attacker discovering a vulnerability in a single widely deployed vendor product can pivot into multiple bank environments through that vendor relationship. The Solarwinds-style supply-chain exposure that defined the late 2010s is now being recast in AI-attacker form. Elderson's framing is that supervisors will hold banks accountable for their contractor security, not just their own. Eurozone banks have until end-2026 to demonstrate readiness against the ECB's new posture, with formal supervisory dialogues beginning over the summer. Mythos itself, on current public reporting, has not been demonstrated in the wild against a European institution.

ECB convenes banks over AI cybersecurity risks from Mythos

Executive board member Frank Elderson says banks must patch vulnerabilities faster because AI can exploit them within minutes of a fix's release The European Central Bank is calling banks in for a meeting on Tuesday to address the cybersecurity risks created by a new generation of AI models that can find and exploit software vulnerabilities faster than any human team. The meeting follows months of growing anxiety across European finance about Anthropic's Claude Mythos Preview, the frontier AI model that has identified thousands of zero-day flaws across major operating systems and browsers. ECB Executive Board member Frank Elderson told the Financial Times that banks need to accelerate work that has been under way for years. "There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster," he said. The central bank plans to warn lenders about the specific threats posed by Mythos and similar AI systems. It will also ask US banks that have access to the technology, through Anthropic's controlled distribution programme called Project Glasswing, to share what they have learned with European peers who remain locked out. That access gap is the core problem. Only about 40 to 50 organisations have been granted access to Mythos so far, including Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase. No European bank is on the list. In controlled testing, the model produced working exploits on its first attempt more than 83 per cent of the time, often outperforming human cybersecurity specialists. Anthropic has warned that adversaries could replicate the capability within six to twelve months. Elderson's message to banks is blunt: patch faster. AI models can now reverse-engineer software fixes within minutes of their release, meaning that the window between a vulnerability being patched and being exploited has collapsed. Banks and their IT contractors can no longer afford to leave even minor vulnerabilities for longer update cycles. European banks cannot use their lack of access to Mythos as an excuse for inaction, Elderson said, because malicious actors could soon gain access to equivalent technology. The ECB's intervention follows a broader regulatory scramble across Europe. Euro-area finance ministers have demanded Mythos access, and European Commissioner Valdis Dombrovskis confirmed on 4 May that the EU is in talks with Anthropic about having companies and banks tested for the vulnerabilities the model uncovers. Those talks have made little progress. Reports from Spanish officials in mid-May indicated the negotiations had effectively stalled. The impasse has created an opening for rivals. French AI startup Mistral AI is in discussions with European banks about deploying its own cybersecurity model, designed to identify vulnerabilities in the same way Mythos does. CEO Arthur Mensch has framed the effort as a question of technological sovereignty, leveraging existing banking clients including HSBC and BNP Paribas. The model is still under development and has no confirmed release date. Anthropic has chosen a different path from a public release. Rather than making Mythos generally available, it launched Project Glasswing, an industry consortium in which partner organisations use the model to find and fix flaws in their own systems. Glasswing partners can now share their findings beyond the programme, which may help address the information gap that European regulators are worried about. The stakes are not theoretical. Anthropic briefed the Financial Stability Board on what Mythos has been finding, at the request of Bank of England governor Andrew Bailey, who chairs the board. The Federal Reserve and the US Treasury separately convened bank CEOs to discuss the cyber risks. Real-world data from Palo Alto Networks shows that advanced AI models are discovering vulnerabilities at seven times the usual rate, and the firm has warned the industry has only three to five months of defensive buffer remaining. The ECB's meeting on Tuesday will push banks to act under the Digital Operational Resilience Act, the EU's cybersecurity law for financial services. DORA requires banks to manage IT risk, test resilience, and report incidents. The question is whether the regulation's framework can keep pace with AI models that are finding decades-old vulnerabilities faster than the institutions responsible for fixing them. For European banks, the situation is uncomfortable. The most powerful tool for finding the flaws in their systems exists, they are not allowed to use it, and the regulator is telling them to fix the problems it reveals anyway. The political pressure to resolve the access question is mounting, but until it is, European lenders are being asked to defend against threats they cannot fully see.

ECB urging action on AI from lenders' IT departments

The emergence of Anthropic's Mythos has sparked wide-ranging concern about potential threats posed by it and other similar AI models. The European Central Bank (ECB) is to urge quicker action on improving the IT security of lending organisations amid evolving AI threats when it summons representatives to a meeting tomorrow (26 May), according to the Financial Times (FT). "This is something that is game-changing. We want banks to look into this seriously. The clock is ticking," Frank Elderson, vice-chair of the ECB supervisory board that oversees banks, told the FT. The emergence in April of Anthropic's Mythos AI model, with its high levels of capability in finding and exploiting cybersecurity weaknesses in browsers and operating systems, has sparked wide-ranging concern about potential threats posed by it and other similar models. "There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster," Elderson told the FT. US banks such as JP Morgan Chase, Goldman Sachs, Citigroup, Bank of America and Morgan Stanley have been allowed controlled preview access to Mythos, and according to the FT, the ECB hopes for collaboration between US and European lenders on the issue. Although restricted by a current lack of access to Mythos, European banks still need to be prepared for the threats it, and others, could pose, Elderson told the publication. "The fact that you don't have access to this model is not an excuse for inaction," he said. "Malicious actors might have access to this technology soon." Last month, it was reported that a private Discord group had gained unauthorised access to Mythos soon after its launch, although had not used it for malicious purposes. Meanwhile, a new survey of compliance professionals in Ireland has found that more than one-third of participants believe AI is making it more challenging for financial institutions to safeguard customer and other sensitive data, while just 7pc feel it has made data protection easier. The study by the Compliance Institute, Ireland's professional body for compliance practitioners, gathered responses from approximately 150 compliance professionals working primarily across Irish financial services organisations to explore views on the impact of AI on data protection, as well as the steps companies are taking to comply with new EU rules which require them to ensure that staff have an appropriate level of AI literacy. Michael Kavanagh, CEO of the Compliance Institute, said: "AI is increasingly being used in day-to-day operations across the sector, and that is changing how organisations think about governance, oversight and capability. "What the results really show is a period of adjustment, where firms are actively building and strengthening the frameworks needed to support the safe and effective use of these technologies alongside their existing regulatory responsibilities." Don't miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic's digest of need-to-know sci-tech news.

Euro zone banks need tighter cyber security amid AI risk, ECB says

FRANKFURT, May 27 (Reuters) - Euro zone banks need to invest more in cybersecurity if they are to get a grip on new AI models that can find flaws in software, the European Central Bank's outgoing Vice President Luis de Guindos said on Wednesday. "We have to understand much better the potential implications of these new models and to try to put in place the systems and cybersecurity patches that can address that situation," de Guindos told reporters. "And (we have) to try to start to enhance the awareness of the financial institutions of the banks about the need of additional cybersecurity investment, because it's going to be something that is going to be quite structural in the near future." (Reporting by Francesco Canepa; Editing by Toby Chopra)