2 Sources
[1]
ECB convenes banks over AI cybersecurity risks from Mythos
Executive board member Frank Elderson says banks must patch vulnerabilities faster because AI can exploit them within minutes of a fix's release
The European Central Bank is calling banks in for a meeting on Tuesday to address the cybersecurity risks created by a new generation of AI models that can find and exploit software vulnerabilities faster than any human team. The meeting follows months of growing anxiety across European finance about Anthropic's Claude Mythos Preview, the frontier AI model that has identified thousands of zero-day flaws across major operating systems and browsers. ECB Executive Board member Frank Elderson told the Financial Times that banks need to accelerate work that has been under way for years. "There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster," he said. The central bank plans to warn lenders about the specific threats posed by Mythos and similar AI systems. It will also ask US banks that have access to the technology, through Anthropic's controlled distribution programme called Project Glasswing, to share what they have learned with European peers who remain locked out. That access gap is the core problem. Only about 40 to 50 organisations have been granted access to Mythos so far, including Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase. No European bank is on the list. In controlled testing, the model produced working exploits on its first attempt more than 83 per cent of the time, often outperforming human cybersecurity specialists. Anthropic has warned that adversaries could replicate the capability within six to twelve months. Elderson's message to banks is blunt: patch faster.
AI models can now reverse-engineer software fixes within minutes of their release, meaning that the window between a vulnerability being patched and being exploited has collapsed. Banks and their IT contractors can no longer afford to leave even minor vulnerabilities for longer update cycles. European banks cannot use their lack of access to Mythos as an excuse for inaction, Elderson said, because malicious actors could soon gain access to equivalent technology. The ECB's intervention follows a broader regulatory scramble across Europe. Euro-area finance ministers have demanded Mythos access, and European Commissioner Valdis Dombrovskis confirmed on 4 May that the EU is in talks with Anthropic about having companies and banks tested for the vulnerabilities the model uncovers. Those talks have made little progress. Reports from Spanish officials in mid-May indicated the negotiations had effectively stalled. The impasse has created an opening for rivals. French AI startup Mistral AI is in discussions with European banks about deploying its own cybersecurity model, designed to identify vulnerabilities in the same way Mythos does. CEO Arthur Mensch has framed the effort as a question of technological sovereignty, leveraging existing banking clients including HSBC and BNP Paribas. The model is still under development and has no confirmed release date. Anthropic has chosen a different path from a public release. Rather than making Mythos generally available, it launched Project Glasswing, an industry consortium in which partner organisations use the model to find and fix flaws in their own systems. Glasswing partners can now share their findings beyond the programme, which may help address the information gap that European regulators are worried about. The stakes are not theoretical. Anthropic briefed the Financial Stability Board on what Mythos has been finding, at the request of Bank of England governor Andrew Bailey, who chairs the board. 
The Federal Reserve and the US Treasury separately convened bank CEOs to discuss the cyber risks. Real-world data from Palo Alto Networks shows that advanced AI models are discovering vulnerabilities at seven times the usual rate, and the firm has warned the industry has only three to five months of defensive buffer remaining. The ECB's meeting on Tuesday will push banks to act under the Digital Operational Resilience Act, the EU's cybersecurity law for financial services. DORA requires banks to manage IT risk, test resilience, and report incidents. The question is whether the regulation's framework can keep pace with AI models that are finding decades-old vulnerabilities faster than the institutions responsible for fixing them. For European banks, the situation is uncomfortable. The most powerful tool for finding the flaws in their systems exists, they are not allowed to use it, and the regulator is telling them to fix the problems it reveals anyway. The political pressure to resolve the access question is mounting, but until it is, European lenders are being asked to defend against threats they cannot fully see.
[2]
ECB urging action on AI from lenders' IT departments
The emergence of Anthropic's Mythos has sparked wide-ranging concern about potential threats posed by it and other similar AI models. The European Central Bank (ECB) is to urge quicker action on improving the IT security of lending organisations amid evolving AI threats when it summons representatives to a meeting tomorrow (26 May), according to the Financial Times (FT). "This is something that is game-changing. We want banks to look into this seriously. The clock is ticking," Frank Elderson, vice-chair of the ECB supervisory board that oversees banks, told the FT. The emergence in April of Anthropic's Mythos AI model, with its high levels of capability in finding and exploiting cybersecurity weaknesses in browsers and operating systems, has sparked wide-ranging concern about potential threats posed by it and other similar models. "There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster," Elderson told the FT. US banks such as JP Morgan Chase, Goldman Sachs, Citigroup, Bank of America and Morgan Stanley have been allowed controlled preview access to Mythos, and according to the FT, the ECB hopes for collaboration between US and European lenders on the issue. Although restricted by a current lack of access to Mythos, European banks still need to be prepared for the threats it, and others, could pose, Elderson told the publication. "The fact that you don't have access to this model is not an excuse for inaction," he said. "Malicious actors might have access to this technology soon." Last month, it was reported that a private Discord group had gained unauthorised access to Mythos soon after its launch, although had not used it for malicious purposes. 
Meanwhile, a new survey of compliance professionals in Ireland has found that more than one-third of participants believe AI is making it more challenging for financial institutions to safeguard customer and other sensitive data, while just 7pc feel it has made data protection easier. The study by the Compliance Institute, Ireland's professional body for compliance practitioners, gathered responses from approximately 150 compliance professionals working primarily across Irish financial services organisations to explore views on the impact of AI on data protection, as well as the steps companies are taking to comply with new EU rules which require them to ensure that staff have an appropriate level of AI literacy. Michael Kavanagh, CEO of the Compliance Institute, said: "AI is increasingly being used in day-to-day operations across the sector, and that is changing how organisations think about governance, oversight and capability. "What the results really show is a period of adjustment, where firms are actively building and strengthening the frameworks needed to support the safe and effective use of these technologies alongside their existing regulatory responsibilities."
The European Central Bank is summoning banks to address cybersecurity threats from Anthropic Mythos, an AI model that can exploit software vulnerabilities within minutes of patches being released. With no European bank granted access to the technology, regulators are demanding faster patching efforts while US counterparts gain defensive advantages through controlled access programs.
The European Central Bank is summoning banks for an urgent meeting on Tuesday to confront AI cybersecurity risks posed by a new generation of models capable of finding and exploiting software vulnerabilities at unprecedented speed [1]. The intervention follows months of mounting concern across European finance about Anthropic Mythos, a frontier AI model that has identified thousands of zero-day flaws across major operating systems and browsers. Frank Elderson, vice-chair of the ECB supervisory board, told the Financial Times that "this is something that is game-changing" and warned that "the clock is ticking" for financial institutions to strengthen their defenses [2].
Source: Silicon Republic
The urgency stems from a fundamental shift in the threat landscape. Advanced AI models can now reverse-engineer software fixes within minutes of their release, collapsing the window between a vulnerability being patched and being exploited [1]. Elderson emphasized that banks must accelerate work that has been underway for years, stating that while existing cybersecurity issues "are all still valid, but given the progress in AI, they need to be dealt with faster" [1]. Banks and their IT contractors can no longer afford to leave even minor cybersecurity weaknesses for longer update cycles.
The crisis is compounded by a critical access gap that leaves European lenders at a structural disadvantage. Only 40 to 50 organizations have been granted access to Mythos through Project Glasswing, Anthropic's controlled distribution program [1]. The exclusive list includes Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase, but no European bank has been granted entry. In controlled testing, the model produced working exploits on its first attempt more than 83 per cent of the time, often outperforming human cybersecurity specialists [1].
US banks including JP Morgan Chase, Goldman Sachs, Citigroup, Bank of America and Morgan Stanley have received controlled preview access, creating a knowledge asymmetry that European regulators are scrambling to address [2]. The ECB plans to ask these US financial institutions to share what they have learned with European peers who remain locked out [1]. However, Elderson made clear that lack of access cannot justify inaction: "The fact that you don't have access to this model is not an excuse for inaction. Malicious actors might have access to this technology soon" [2].
The regulatory response has intensified across multiple fronts. Euro-area finance ministers have demanded Mythos access, and European Commissioner Valdis Dombrovskis confirmed on 4 May that the EU is in talks with Anthropic about having companies and banks tested for the vulnerabilities the model uncovers [1]. Those negotiations have made little progress, with reports from Spanish officials in mid-May indicating the talks had effectively stalled [1].
The impasse has created an opening for European alternatives. French AI startup Mistral AI is in discussions with European banks about deploying its own cybersecurity model designed to identify vulnerabilities in the same way Mythos does [1]. CEO Arthur Mensch has framed the effort as a question of technological sovereignty, leveraging existing banking clients including HSBC and BNP Paribas, though the model remains under development with no confirmed release date [1].
The stakes extend beyond theoretical concerns. Anthropic briefed the Financial Stability Board on Mythos findings at the request of Bank of England governor Andrew Bailey, while the Federal Reserve and US Treasury separately convened bank CEOs to discuss the cyber risks [1]. Real-world data from Palo Alto Networks shows that advanced AI models are discovering vulnerabilities at seven times the usual rate, with the firm warning the industry has only three to five months of defensive buffer remaining [1].
Anthropic has warned that malicious actors could replicate the capability within six to twelve months [1]. Reports indicate a private Discord group gained unauthorized access to Mythos soon after its launch, though they had not used it for malicious purposes [2]. The Tuesday meeting will push banks to act under the Digital Operational Resilience Act, the EU's cybersecurity law for financial services, which requires banks to manage IT risk, test resilience, and report incidents [1].
The challenge extends to data protection as AI adoption accelerates. A new survey of compliance professionals in Ireland found that more than one-third believe AI is making it more challenging for financial institutions to safeguard customer and other sensitive data, while just 7 per cent feel it has made data protection easier [2]. The study by the Compliance Institute gathered responses from approximately 150 compliance professionals working primarily across Irish financial services organizations [2]. Michael Kavanagh, CEO of the Compliance Institute, noted that firms are "actively building and strengthening the frameworks needed to support the safe and effective use of these technologies alongside their existing regulatory responsibilities" [2].
For European banks, the situation creates an uncomfortable paradox: the most powerful tool for finding flaws in their systems exists, they cannot use it, yet regulators demand they fix the problems it reveals. Patching efforts must accelerate dramatically even as the defensive advantage remains concentrated among a small group of primarily American organizations. The question now is whether regulatory frameworks can keep pace with AI models finding decades-old vulnerabilities faster than the institutions responsible for fixing them.
Summarized by Navi