India's RBI joins global regulators to assess Mythos AI cybersecurity risks amid access concerns

India's central bank in talks with global regulators, banks to review Mythos risks, sources say

MUMBAI, April 22 (Reuters) - India's central bank is in talks with global regulators, Indian lenders and government officials to understand the potential risks posed by Anthropic's new artificial intelligence model Mythos, three sources said. The Reserve Bank of India's preliminary assessment - just like that of global regulators - suggests Mythos could pose cybersecurity risks by accelerating the discovery and exploitation of software vulnerabilities, the sources, all familiar with the central bank's thinking, said. Regulators in Asia, Europe and the United States have warned banks to review defences and preparedness. In Japan, the financial watchdog will meet banks this week, while the Australian central bank said it is monitoring Mythos-related developments. RBI officials have over the past ⁠fortnight held consultations on Mythos-related risks with counterparts at the U.S. Federal Reserve and the Bank of England in particular, according to one of the sources. The RBI may seek direct engagement with Anthropic, the sources said. "Globally, we are discussing with other countries and other regulators on what are the developments and what safeguards need to be taken," one of the sources said. India's payment authority, the National Payments Corporation of India (NPCI), is trying to secure early access to Mythos alongside a small number of banks, to identify vulnerabilities and "day‑zero" cyber risks ahead of any broader rollout, this source said. However, such access may not be forthcoming as Anthropic's Mythos systems is ⁠hosted on strictly-controlled servers in the U.S. and running tests on local data in foreign jurisdictions could prove challenging, said a fourth source aware of the matter. Access to Mythos has been limited to a small number of organisations involved in maintaining key digital infrastructure in the U.S. Anthropic plans to provide Mythos access to European banks soon, Reuters reported ⁠earlier this week. Email requests for comment sent to RBI and NPCI were not immediately answered. The RBI is preparing broader guidelines for banks entering enterprise partnerships with advanced AI models, including Mythos and Anthropic's Claude family, as part of a ⁠longer‑term strategy on AI adoption, according to two of the sources. The discussions are at an early stage but the central bank will insist that all analytics based on data of Indian customers complies with RBI's ⁠domestic data localisation, the sources said. The RBI data localization rule, issued in 2018, requires all payment system providers in India to store end-to-end transaction data, including user information and payment messages, exclusively on servers located within India. Reporting by Ashwin Manikandan and Gopika Gopakumar in Mumbai; Editing by Kim Coghill Our Standards: The Thomson Reuters Trust Principles., opens new tab

Australia and New Zealand central banks monitoring Anthropic's Mythos release

SYDNEY, April 22 (Reuters) - The central banks of Australia and New Zealand said on Wednesday they were monitoring the release of Anthropic's advanced Mythos artificial intelligence model, joining authorities around the world in expressing concerns about the new cybersecurity risks it poses. Designed for defensive cybersecurity tasks, Mythos' vast capabilities have sparked fears about the threat to traditional software security, after Anthropic said a preview had uncovered "thousands" of major vulnerabilities in "every major operating system ⁠and web browser." Experts have also warned that the model can identify and exploit previously unknown vulnerabilities faster than companies can fix them. The Reserve Bank of Australia said in a statement it was closely monitoring the development and was "engaging with peer regulators, government and regulated entities." The Reserve Bank of New Zealand said it was also in contact with other regulators both domestically and in Australia over what it called the "developing risk" ⁠from Mythos. On Tuesday, Bundesbank President Joachim Nagel called the model a double-edged sword, saying: "it could be used not only to improve digital security systems, but also to leverage their vulnerabilities for malicious purposes." Anthropic has introduced Claude Mythos ⁠Preview through a tightly controlled program called Project Glasswing. Access has been granted to major technology companies including Amazon (AMZN.O), opens new tab, Microsoft (MSFT.O), opens new tab, Nvidia (NVDA.O), opens new tab, and Apple (AAPL.O), opens new tab. The company has also ⁠expanded access to more than 40 additional organisations that build or maintain critical software infrastructure. Experts say Mythos' advanced coding and autonomous capabilities ⁠could significantly accelerate sophisticated cyberattacks, especially in sectors like banking, where complex, interconnected, and often decades-old systems remain common. Reporting by Stella Qiu in Sydney; Writing by Alasdair Pal; Editing by Edwina Gibbs Our Standards: The Thomson Reuters Trust Principles., opens new tab

RBI Said to Evaluate Cybersecurity Risks Linked to Anthropic's Mythos

Any deployment needs to comply with RBI's data localisation requirements The Reserve Bank of India (RBI) is said to be holding talks with global regulators, domestic lenders, and government officials to assess potential risks linked to Anthropic's new artificial intelligence (AI) model, Mythos. According to a report, RBI's preliminary assessment points towards Mythos potentially raising cybersecurity concerns by expediting the discovery and exploitation of software vulnerabilities. The development comes following reports of unauthorised personnel gaining access to Anthropic's Mythos, which is touted to be "so powerful that it could enable dangerous cyberattacks". RBI Evaluating Mythos-Linked Cybersecurity Risks Citing sources familiar with the matter, Reuters reports that the RBI, over the past two weeks, has held consultations with counterparts around the world. This reportedly includes the Federal Reserve and the Bank of England, intending to understand the emerging risks and safeguards. "Globally, we are discussing with other countries and other regulators on what are the developments and what safeguards need to be taken," the publication quoted one source as saying. The report states that the RBI may also pursue direct engagement with Anthropic. Further, regulators across Asia, Europe, and the US are said to have advised banks to review their cybersecurity preparedness. The National Payments Corporation of India (NPCI), which facilitates payment services like UPI in the country, is said to be exploring early access to Mythos alongside a small group of banks, too. Citing a source, Reuters reported that this is to identify potential "day-zero" vulnerabilities before any wider rollout, although any such access could be restricted. Mythos is said to be hosted on tightly controlled servers in the US. Consequently, running any tests on local datasets in foreign jurisdictions could pose regulatory and technical challenges. The RBI is also said to be working on broader guidelines for banks entering enterprise partnerships with advanced AI models, including Anthropic's Mythos and Claude family. However, any deployment involving Indian user data would need to comply with the RBI's data localisation requirements, the publication noted a source as saying. Concerns Over Unauthorised Access to Mythos The regulatory discussions come shortly after reports that a small group of unauthorised users had gained early access to Mythos. According to Bloomberg, the model, which Anthropic itself has described as highly powerful, was accessed via a private Discord group on the same day it was announced for limited testing. While the group reportedly did not use the model for malicious purposes, the incident has raised concerns about potential misuse. At the time, screenshots appearing to show a Mythos dashboard were shared by the group. These included user management panels, AI experiment interfaces, and detailed analytics for model performance and costs. Anthropic is currently probing the matter. We're investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments," the company said in a statement.

India seeks fair access to Anthropic's Mythos for critical infrastructure security

India is actively pursuing access to Anthropic's powerful Mythos AI model. Discussions with the US administration aim to ensure equitable access for Indian companies. The government is prioritizing the protection of critical infrastructure like power grids and banking systems. This move is crucial as advanced AI models can identify vulnerabilities rapidly. The Centre is "looking for mechanisms" and working out "logistics" on Indian companies gaining access to Anthropic's Mythos AI model in bilateral talks being held with the US administration, a senior official involved in the discussions told ET. India wants to make sure access is "equitable" and the country's critical infrastructure is not compromised. While speaking at the 26th ET Awards for Corporate Excellence on Saturday, finance minister Nirmala Sitharaman had said the ministry of electronics was fully seized of the challenge. "They are engaging with the US administration, Anthropic and with the vendors who have been given a chance to test (Mythos)," she had said. "The cyber challenge we have because of the Mythos, is going to be a big one." Sitharaman held a meeting with banks and key cyber agencies along with IT minister Ashwini Vaishnaw last week on the matter. Officials underlined that the government doesn't want to favour any particular company by enabling access to some while leaving out others. Conversations with the US authorities are in addition to talks with Anthropic's officials at the company's US headquarters. Anthropic didn't respond to ET's queries till the time of going to press. The Centre has also asked the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC) and the financial sector to ensure they move fast to protect critical infrastructure such as power grids, telecom networks and banking channels among others that could be vulnerable. The government is also considering a policy response to more AI companies launching such models in the future. "Currently, Anthropic has held off the wider release, but tomorrow more companies can launch such models," said the official cited above. "They may release them without advance notice. The government needs to build its capacity as of yesterday." China has reportedly already developed its own version of Mythos. Claude Mythos is the newest AI model from Anthropic that's said to be so advanced that it can identify and exploit zero-day vulnerabilities rapidly. Anthropic's Project Glasswing gave early access to 40 companies, mostly from the US, to help them use Mythos to catch and patch flaws before it's released to the public. No Indian company was included in the list. "The government of India should formally and urgently seek participation in Project Glasswing that achieves an equivalent outcome for India's critical infrastructure," said Kazim Rizvi, founding director of the policy think tank The Dialogue. "India's digital public infrastructure serves a population potentially larger than the user base of most Glasswing partners' consumer platforms, and its exclusion from the programme is a gap in global critical infrastructure security, not merely an Indian national concern." Companies that tested Mythos said it could find tens of thousands of vulnerabilities, compared with roughly 500 found by Anthropic's previous model, Opus 4.6, a 20-fold jump in one generation. ET reported last week that Nasscom, representing India's technology companies, wrote to Anthropic, asking that they be included in Project Glasswing and be given access to Mythos to build cyber resilience since their code is used by entities across the globe.

Reserve Bank of Australia monitoring Anthropic's Mythos AI over cyberattack fears

The Reserve Bank of Australia is closely monitoring developments around Anthropic PBC's new Mythos AI model, which the company says is powerful enough to enable sophisticated cyberattacks. The central bank is "engaging with peer regulators, government and regulated entities," it said in a statement. "The RBA, along with peer regulators and government agencies will continue to assess the implications of these technological advancements to ensure the ongoing safety and resilience of the financial system." The RBA chairs Australia's Council of Financial Regulators, which includes the corporate watchdog, the prudential regulator and the Treasury. Its engagement comes as regulators around the world step up discussions with financial firms on how they are managing cybersecurity risks linked to Mythos. It was reported on Wednesday that a small group of unauthorized users in a private online forum gained access to Mythos on the same day Anthropic announced plans to release the model to a limited number of companies for testing. Anthropic has said Mythos can identify and exploit vulnerabilities "in every major operating system and every major web browser when directed by a user." The company has restricted access to a select group of software providers under an initiative called Project Glasswing, aimed at helping firms test and strengthen their defenses against potential cyberattacks. In recent days, a growing number of financial institutions and government agencies on both sides of the Atlantic have been seeking to be added to the list of early testers to safeguard their own systems against malicious actors.

Anthropic Mythos: Firms with access to model say speed of response, not uncovering flaws, is key

A new AI model, Mythos, drastically shrinks the time between discovering and exploiting software vulnerabilities, creating a critical "kill zone" for companies. Indian firms, with slow patching cycles, face significant risk as AI-driven attacks become faster and more accessible, necessitating a shift to continuous, machine-speed security. Companies given early access to Anthropic's Mythos model under Project Glasswing told ET that the biggest cybersecurity risk is now speed of response, not just uncovering software flaws as the window between finding a vulnerability and exploiting it is shrinking so rapidly that most enterprises may not have enough time to patch systems before attackers strike. "Historically, the security industry has relied on the time and skill required to turn a discovered bug into a working exploit to give defenders a meaningful grace period," said Philippa Cogswell, managing partner, JAPAC, Palo Alto Networks Unit 42. "Mythos proves that assumption no longer holds." This is critical for Indian companies that typically take as many as three months to put up their defences. Mythos can turn a flaw into a working attack in minutes; most Indian companies still take 60-90 days to fix systems, creating what experts call a "kill zone." No Indian companies were included in Project Glasswing, which gave 40 US companies early access to the model to test their systems for flaws and protect them. Global security firms, including Palo Alto Networks and Check Point Software Technologies, tested Mythos as part of Project Glasswing. These companies told ET that they have been forced to change how they think about cybersecurity. Companies that tested Mythos said it could find tens of thousands of vulnerabilities, compared with roughly 500 found by Anthropic's previous model, Opus 4.6, a 20-fold jump in one generation. It built working exploits for more than half of what it found and succeeded in breaching defences at the first attempt in 83 out of 100 cases. The problem goes beyond volume, said Sundar Balasubramanian, managing director, India and South Asia, Check Point Software Technologies. "Issues that appear statistically insignificant in testing become operationally unavoidable once systems process millions of transactions," he said. "The goal is not to patch everything but to reduce exposure fast." The nature of attacks is also changing. "Attacks are becoming democratised and industrialised, moving from bespoke operations to repeatable, automated pipelines," he said. The access gap will not last long, but that is not good news. "Within six months, these capabilities will be commonplace across other major AI labs, Chinese models, and open source," noted Cogswell. "Organisations still thinking of vulnerability management as a discrete programme rather than a continuous operational function are already behind." The cost of mounting an attack has also fallen. Converting a vulnerability into a working exploit once took skilled researchers weeks. It now takes under a day and costs less than $2,000. "The patch cycle is no longer a process of inefficiency--it is a strategic vulnerability," said Arjun Nagulapally, CTO, AionOS. "Adversaries close the loop in hours. Indian IT teams close it in months. The gap isn't just a risk, it's a kill zone." Mythos turns a discovered flaw into a working attack in minutes, he added. Many companies are still building cyber defences around the assumption that they will have days or weeks to respond. Banking and telecom carry the most risk, Nagulapally said. Both run on old systems that are hard to patch without disrupting services. Mythos, said to be the most powerful AI model developed to date, is expected to expose deep-seated vulnerabilities in the infrastructure of companies globally. Anthropic has held back a wider launch due to this fear while giving early access to the group cited above. ET reported last week that Nasscom, representing India's technology companies, has written to Anthropic, asking that they be included in Project Glasswing and be given access to Mythos to build cyber resilience since their code is used by companies across the globe. The Ministry of Electronics and Information Technology (MeitY) is also reportedly in discussions with Anthropic executives in the US on giving early access to Indian companies. Tech policy analyst Subimal Bhattacharjee said India's security frameworks were not built for such speed of response. "When frontier AI models can autonomously discover and chain zero-day vulnerabilities within hours, India's CERT-In advisory cycles and manual patch-response workflows become fundamentally mismatched to the threat environment," he said. He said the larger risk is a coordinated attack across power, railways, telecom, and banking, all of which run on ageing infrastructure. CERT-In on April 27 issued a high-severity advisory on the Mythos AI model, warning that its advanced capabilities could enable automated, rapid and large-scale cyberattacks, particularly putting Indian MSMEs and banking systems at risk. The agency urged organisations to strengthen defences against AI-driven reconnaissance, vulnerability exploitation and social engineering attacks. CERT-In or Indian Computer Emergency Response Team is the cybersecurity nodal agency. The emerging gap will be between organisations that still treat security as a pre-deployment checkpoint and those that treat it as a continuous feedback loop operating at machine speed, said Balasubramanian. "AI can multiply the output of the talent that exists," said Nagulapally. "The window to use AI as a force multiplier rather than face it as an adversarial force is measured in quarters, not years."

Nirmala Sitharaman Calls High Alert Meeting on Bank Security Threat from Anthropic Mythos AI

This dual use nature has made Mythos one of the most closely watched AI systems in cybersecurity circles. The Finance Minister instructed banks to engage top cybersecurity professionals and specialised agencies to continuously enhance defensive and monitoring capabilities. Institutions were also advised to take immediate preventive steps to secure IT infrastructure, protect customer information, and safeguard financial resources. Any suspicious activity or cyber incident must be reported quickly to CERT-In and relevant authorities. The message from the government was clear: prevention, speed, and coordination are now essential. Real Time Intelligence Sharing Framework Planned One of the major outcomes of the meeting was the push for a robust real time threat intelligence sharing mechanism connecting banks, CERT-In, and other agencies. Such a framework would allow emerging cyber threats to be detected early and communicated rapidly across the banking network, helping institutions respond before attacks spread. The Indian Banks' Association has also been asked to create a coordinated institutional mechanism that can deliver swift and effective sector wide responses during emergencies.

India Closely Watching Claude Mythos Issue Amidst Reports of Rogue Group Breaking In

A wire agency reported that some Discord users gained access to a preview version of Mythos but with no criminal intent Just as the United States was cozying up to Anthropic for testing loopholes in their legacy codes to tighten cybersecurity, a new report suggests that the much-hyped Claude Mythos frontier AI model that was considered too dangerous for a public release could have already found its way into the wrong hands. While governments across the world are jostling to find out more, Finance Minister Nirmala Sitharaman said Indian banks are adequately prepared to deal with any such emerging technology challenges, However, she also noted that India was closely monitoring the potential threats of Mythos. Meanwhile, coming back to the break-in, it was reported by Bloomberg News where a small group of Discord users had gained access to a preview version of Mythos. To this, a spokesperson at Anthropic responded that the report of unauthorised access to Claude Mythos Preview was being investigated via a third-party vendor environments. They claimed that till that point they had found no evidence of any break-in. The report also claimed that the group had no nefarious intentions with the break-in and had been using Mythos since gaining access, though largely for non-cybersecurity related work. Bloomberg quoted an unnamed source as saying that the group liked "playing around" with new AI models. While all of this may be fine, but it does leave us with more concerns about what non-state actors or cybercriminals could do if unauthorised access were to happen without Anthropic not being aware of it. The report claimed that the private users gained access to Mythos on the very same day that Anthropic had announced its plan to release the AI model to a limited number of enterprises to test out its efficacy. Bloomberg claimed that the person who informed the wire agency of the break-in also shared screenshots and gave a live demo of the model. The report said that users of a private Discord server dedicated to gathering information on unreleased AI models got access through guess work about Mythos and juxtaposing it with how Anthropic had stored their earlier AI models. Some of these details had been recently revealed through a data breach from an AI startup. The finance minister said the Ministry of Electronics and Information Technology had engaged with international governments and authorities to better understand the risks associated with the model and assess its possible impact on India's banking ecosystem. She noted that the existing regulatory and security frameworks may need to be updated to effectively tackle newer and more sophisticated threats emerging from advanced AI systems. Additionally, the Indian Banks' Association will lead consultations among lenders to address concerns and strengthen sector-wide preparedness.

CERT-In flags 'high-severity risks' from AI-driven cyber threats amid Mythos concerns - The Economic Times

Cyber security agency CERT-In has issued a high-severity warning on the rise of artificial intelligence (AI)-driven cyber threats. It said new AI tools are making attacks faster, cheaper and easier to execute. In its latest advisory titled 'Defending Against Frontier AI Driven Cyber Risks', released on April 26, CERT-In said advanced AI systems can independently identify vulnerabilities in widely used software and analyse large volumes of source code. It added that these tools are capable of executing complex, multi-stage cyberattacks with minimal human intervention. The agency said attackers can combine multiple exploits to break into entire enterprise networks. The development follows a high-level meeting chaired by Finance Minister Nirmala Sitharaman on Thursday, with commercial banks and other key stakeholders to assess potential cybersecurity risks linked to AI. The government is now stepping up engagement with AI firm Anthropic and the US administration about Mythos to better understand the issue, the Finance minister told ET. AI accelerating cyberattacks The agency highlighted that the speed and automation offered by AI are lowering the barrier for cybercriminals. Even less skilled actors can now launch sophisticated attacks. These include credential theft, privilege escalation and movement across systems. In some cases, vulnerabilities can be identified and exploited within hours, it said. CERT-In also flagged the rise of phishing and impersonation attempts, driven by AI-generated content across languages. What organisations need to do? To reduce risk, the agency has asked organisations to closely monitor systems and watch for unusual or rapid activity. CERT-In has also stressed stronger access controls. It has advised adopting a Zero Trust approach, where every access request is treated as unverified. Multi-factor authentication should be used across critical systems, along with strict access limits, it suggested. The advisory also emphasised the need for faster patch management, recommending that critical vulnerabilities especially in internet-facing systems be addressed within 24 hours. Alongside this, CERT-In has emphasised employee awareness. It has asked organisations to train staff to identify AI-driven phishing and scams. Regular cyber drills and updated response plans are also essential, the agency said. Also Read: Nervous Indian fintechs push Anthropic for access to Mythos MSMEs to monitor threats The advisory places special focus on micro, small and medium enterprises (MSMEs), which often lack strong cybersecurity infrastructure. CERT-In urged these businesses to strengthen their threat detection systems and maintain detailed logs of system activity to support investigations. Organisations have been asked to maintain updated inventories of their IT assets, regularly review third-party and open-source software dependencies, and ensure that supply chain risks are actively managed. Individual users, meanwhile, have been urged to exercise caution when dealing with unsolicited messages, links and attachments, verify the authenticity of urgent requests including voice and video calls, and remain alert to deepfake-enabled fraud. Also Read: Before Mythos goes public, Indian IT also wants access

Mythos causes CERT-In, telcos & banks to assess cyber risks

Bharti Airtel and Vodafone Idea are reviewing the security practices of their network software vendors after Claude Mythos Preview, an artificial intelligence (AI) model released by US-based Anthropic on April 7, autonomously found and exploited software vulnerabilities that had survived decades of human review, Moneycontrol reported. India's nodal cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), issued a High-severity rating advisory on April 26, directly citing the AI model, warning organisations to treat every newly disclosed vulnerability as exploitable within hours, not weeks. Why this matters for ordinary users: Airtel and Vodafone Idea (Vi) hold the call records, location data, and payment information of hundreds of millions of Indians. Their core network software runs on systems built and maintained by vendors like Nokia, Ericsson, and Samsung, meaning the operators themselves cannot patch vulnerabilities. An AI that finds those vulnerabilities faster than any human team compresses the window for attackers to exploit them before a fix arrives. What Claude Mythos is, and why it matters: Every app, website, and telecom network runs on software. That software has bugs, some hidden for years, even decades, that attackers can exploit to break in and steal data. Finding those bugs has always required rare, expensive human expertise and months of painstaking work. That is the only reason most of them stayed hidden for so long. Claude Mythos Preview changes that. It is an AI model that can read software code, identify hidden flaws, and figure out how to exploit them, entirely on its own, in hours, across thousands of programmes simultaneously. It does not get tired, does not need a salary, and does not need a decade of security training. Anyone with access to it gets, effectively, an army of expert hackers available at the push of a button. To understand the scale of what it found during testing: Claude Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. A zero-day vulnerability is a flaw that even the software's own developers did not know existed; there is no fix available the moment it is discovered, so whoever finds it first, defender or attacker, holds a complete advantage. Confirmed examples from Anthropic's red team blog: Why Anthropic restricted it: Anthropic acknowledged that the same capabilities that can bolster cyber defences can also be weaponised by attackers, and privately warned top government officials that Mythos makes large-scale cyberattacks significantly more likely this year. Rather than a public release, Anthropic launched Project Glasswing, a $100 million initiative giving access to critical industry partners, including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Nvidia, to use Claude Mythos Preview for defensive security work. No Indian company features among the named partners. What CERT-In said: The April 26 CERT-In advisory, issued under the Ministry of Electronics and Information Technology (MeitY), tells organisations to: What Airtel said: Airtel's chief technology officer, Randeep Sekhon, speaking at a Cellular Operators Association of India (COAI) event, confirmed the company is in active discussions with its suppliers, saying "we don't do this, the software is owned by them." Sekhon said vulnerabilities flagged so far are incremental software bugs rather than systemic infrastructure threats and that the government had not yet directly approached telecom operators on the issue. What Vi said: Vodafone Idea's chief executive, Abhijit Kishore acknowledged the growing focus on advanced AI systems and their ability to detect vulnerabilities and potential data security risks, without confirming specific partnerships or fix timelines. What the Finance Ministry and banks are doing: Finance Minister Nirmala Sitharaman, on April 23, chaired a meeting with bank chiefs, Reserve Bank of India (RBI) officials, and MeitY representatives to assess the risks Claude Mythos poses to India's financial systems. Sitharaman described the risks as "unprecedented" and called for a real-time threat intelligence sharing system across banks, CERT-In, and other agencies. Key outcomes of the meeting: The National Payments Corporation of India (NPCI) wants early access to Claude Mythos to identify zero-day vulnerabilities in India's payment systems before the AI model deploys more widely. However, India's 2018 data localisation rules require payment system providers to store all transaction data exclusively on servers within India, while Mythos runs on strictly controlled servers in the United States, creating a direct compliance conflict that NPCI has not publicly resolved. Furthermore, Bloomberg reported on April 21 that a small group of unauthorised users gained access to Mythos through a third-party vendor environment on the same day the model was announced, raising questions about whether restricted access controls are as airtight as Anthropic claims. CERT-In's compliance track record: The April 26 advisory is not CERT-In's first attempt to enforce tight cybersecurity timelines. Its 2022 cybersecurity directions required all organisations to report incidents within six hours of detection, a mandate MediaNama reported at the time that cybersecurity experts called "a complete joke" and "not feasible at all". The directions faced such pushback that CERT-In extended the compliance deadline for micro, small, and medium enterprises (MSMEs). CERT-In's 2022 annual report, which revealed it handled nearly 14 lakh cyber incidents that year, contained no statistics on how many entities actually complied with the directions. The new 24-hour patch requirement raises the same enforcement question. The data protection angle: Airtel, Vi, and banks all qualify as data fiduciaries under the Digital Personal Data Protection Act, 2023 (DPDPA). As MediaNama has reported, a successful AI-driven breach of systems owned by their software vendors would constitute a personal data breach under the DPDP Rules, 2025, requiring data fiduciaries to notify affected users without delay and submit a detailed report to the Data Protection Board within 72 hours. Failure to report a breach carries a fine of up to Rs 200 crore. Neither Airtel nor Vi has clarified whether their current vendor contracts include mandatory patch timelines consistent with CERT-In's 24-hour requirement. A note of caution: Security researcher Bruce Schneier argued that a separate firm replicated some findings using older, cheaper models and that Project Glasswing is partly a PR exercise. Anthropic itself acknowledged that the long-run outcome is likely to favour defenders but warned that the transitional period will be fraught.

Are RBI and NCPI Seeking Access to Claude Mythos?

For now, the report is highly speculative and only tells us that RBI is aware of how the Mythos story is playing out in the US Driven by the surround sound that has steadily grown around Anthropic's latest foundation model Claude Mythos and its possible impact in the hands of cybercriminals, India's monetary regulators led by the RBI are discussing possible fallouts with their global peers and might well seek early access to the frontier AI model. Per a report by wire agency Reuters quoting three unnamed sources, the apex bank is discussing ⁠the challenges and the safeguards of data protection with other regulators. Claude Mythos has been pitched as their smartest yet and designed to conduct multi-step cybersecurity tasks that includes discovering zero-day vulnerabilities in legacy computer codes. The report also claimed that the National Payments Corporation ⁠of India (NPCI) might be trying to secure early access to Mythos, which has only been previewed to about 40 customers including big tech giants such as Google and Microsoft, as part of an effort by Anthropic to identify vulnerabilities within their systems. However, access could be a tough ask as Anthropic has hosted Mythos in controlled environments in the United States for now. In fact, the frontier AI model made headlines after the White House first urged US banks to test it out and thereafter held a meeting with Anthropic co-founder Dario Amodei, in spite of the two fighting a lawsuit. Of course, experts are divided on the veracity of the claims made by Anthropic with arch rival OpenAI openly calling it as fear-based marketing. Appearing on a podcast, OpenAI CEO Sam Altman called out Anthropic's recent shenanigans around its "smartest" model Mythos as a case of using fear to make the new product sound more impressive than it actually is. The wire agency also noted that regulators in Asia, Europe and the US had already warned banks to review their cybersecurity as well as preparedness for possible zero-day vulnerabilities. It said authorities in Japan would be meeting banks this week while in Australia the central bank is monitoring developments around Mythos. The report also claimed that RBI officials had discussions around Mythos-related risks with their counterparts in the U.S. Federal Reserve and the Bank of England. They may even seek direct engagement with Anthropic, given that Amodei had been in India for the AI Summit two months ago and had met Prime Minister Narendra Modi and senior government officials. At this point, there are no regulations for banks to engage with AI providers as the RBI is currently working on guidelines for such enterprise-level partnerships. For now, it is learnt that the apex bank would have banks treat analytics based data of customers in India in conjunction with existing regulations around data localisation issued in 2018.

Threat from Anthropic's Mythos 'as big as war': Nirmala Sitharaman

Union Finance Minister Nirmala Sitharaman has warned of a new cyber threat from Anthropic's AI model Mythos, comparing its potential impact to that of war. Authorities are increasing engagement with Anthropic and the US administration to understand and counter these evolving digital risks, while also strengthening domestic capabilities and financial sector preparedness. Union Finance Minister Nirmala Sitharaman has flagged concerns over an emerging cyber challenge linked to Anthropic's AI model Mythos, and described it as a threat as big as war. Speaking at the ET Awards for Corporate Excellence on Saturday, Sitharaman said the scale and nature of the development had caught authorities off guard. "No one would have imagined a couple of weeks ago that there is a new threat which is as big as a threat of war, that is going to hit us in terms of the entire digital network," she said. The minister added that while digitisation has been a "fantastic force multiplier" for India, it has also exposed the ecosystem to rapidly evolving cyber risks. "We will just have to keep exceptionally vigilant," she emphasised. The government is now stepping up engagement with AI firm Anthropic and the US administration to better understand the issue, the minister said, adding that the Ministry of Electronics and Information Technology (MeitY) is "fully seized of the challenge" and is actively assessing the situation. As part of these efforts, authorities have begun reaching out to companies which have had access to the Mythos model seeking greater clarity on its capabilities and potential risks. The statement comes as industry body Nasscom has also written to Anthropic, requesting that Indian companies be granted access. Officials are working with banks and financial institutions to strengthen preparedness, including exploring how artificial intelligence can be deployed to respond to such challenges, she stated. Sitharaman noted that alongside international cooperation, India would need to build its own capabilities to address emerging threats. "We will have to work at our own level to come up with tools to face this challenge," she said. The government had called a meeting of top bankers with ministers, including Sitharaman and IT minister Ashwini Vaishnav, in New Delhi on Thursday, where it announced the formation of a dedicated panel under SBI chairman C S Setty for this purpose. Announced on April 7, Mythos is being deployed as part of Anthropic's 'Project Glasswing', a controlled initiative under which select organisations are permitted to use the unreleased Claude Mythos preview model for defensive cybersecurity.

Digital defence in the age of Mythos, why Indian banks are on high alert

India is poised to become a global AI execution hub. Powerful AI models like Anthropic's Mythos present both opportunities and security risks for the banking sector. India's vast trained workforce and cost-effective infrastructure offer a significant advantage. The nation can harness these strengths to drive AI adoption and achieve tangible returns on investment. As the global financial sector grapples with the implications of Anthropic's AI model 'Mythos', which they claim to be the most powerful yet, the conversation has shifted from theoretical innovation to urgent national security. With a recently high level meeting chaired by Union Finance Minister Nirmala Sitharaman, along with Union Minister of Electronics and Information Technology (MeitY) Minister Ashwini Vaishnaw convening with banking leaders to address potential threats, the stakes for the digital economy have never been higher. In an exclusive interview with ANI, Atul Arya, Founder and CEO of Blackstraw, demystified the technology behind Mythos, its risks to the banking sector, and how India can leverage its unique position to become a global AI execution hub. At the heart of the current cybersecurity anxiety is Mythos's unique ability to bridge the gap between output and reasoning. "Anthropic Mythos goes the extra mile to provide information on why it produced a specific answer," explains Arya. Unlike traditional models that simply provide results, Mythos is designed with a core focus on explainability and reasoning. By granting exclusive, controlled access to approximately 15-20 major global technology and security providers (such as Microsoft, AWS, and CrowdStrike), they are using Anthropic's AI model as a diagnostic tool to identify critical software vulnerabilities. However, the same reasoning capabilities that make it a powerful defensive asset also make it a potent weapon. "Banks are the most vulnerable ecosystem," Arya asserts, emphasising that the financial sector remains the primary target for malicious actors. "When a model is this powerful, it is not just available to bankers to protect their systems--it is also available to hackers who intend to abuse it." Arya suggests that the recent government mandate for banks to adopt pre-emptive security measures is a necessary response to a rapidly shifting threat landscape. The challenge for institutions is twofold. Harnessing the model's defensive potential while erecting robust firewalls against those who would exploit its capabilities. Despite the global concerns, Arya remains bullish on India's role in the global AI architecture. He identifies two critical areas where India can cement its position as a strategic hub. "We have by far the most trained workforce, and the volume of talent needed to deploy these models into business use cases is immense," Arya notes. India's ability to turn AI capabilities into tangible Return on Investment (ROI) makes it an indispensable player in the global application ecosystem. Beyond code, the physical infrastructure of AI is labour-intensive. Arya highlights that the demand for skilled labour--from electricians to systems engineers--in data centre construction and management is an area where India's scale provides a decisive cost and efficiency advantage over developed economies. Discussing the maturity of enterprise AI, Arya pointed to a stark reality. Currently, only 3% of pilot projects successfully move into production. He attributes this to an institutional fear of integrating AI into "core" business processes. "Enterprises are choosing smaller, non-risky use cases. But the ROI is low because they aren't working on their main processes," Arya explains. He predicts a shift over the next three to five years toward "Agentic AI" systems capable of taking actions on behalf of a user without needing constant supervision. As enterprises move from simply viewing AI dashboards to trusting agents with core operations, the transition will require a new level of governance. For Arya, the future of AI is not just about smarter recommendations; it is about autonomous execution grounded in human-understandable reasoning.

India's central bank in talks with global regulators, banks to review Mythos risks, sources say

MUMBAI, April 22 (Reuters) - India's central bank is in talks with global regulators, Indian lenders and government officials to understand the potential risks posed by Anthropic's new artificial intelligence model Mythos, three sources said. The Reserve Bank of India's preliminary assessment - just like that of global regulators - suggests Mythos could pose cybersecurity risks by accelerating the discovery and exploitation of software vulnerabilities, the sources, all familiar with the central bank's thinking, said. Regulators in Asia, Europe and the United States have warned banks to review defences and preparedness. In Japan, the financial watchdog will meet banks this week, while the Australian central bank said it is monitoring Mythos-related developments. RBI officials have over the past fortnight held consultations on Mythos-related risks with counterparts at the U.S. Federal Reserve and the Bank of England in particular, according to one of the sources. The RBI may seek direct engagement with Anthropic, the sources said. "Globally, we are discussing with other countries and other regulators on what are the developments and what safeguards need to be taken," one of the sources said. India's payment authority, the National Payments Corporation of India (NPCI), is trying to secure early access to Mythos alongside a small number of banks, to identify vulnerabilities and "day-zero" cyber risks ahead of any broader rollout, this source said. However, such access may not be forthcoming as Anthropic's Mythos systems is hosted on strictly-controlled servers in the U.S. and running tests on local data in foreign jurisdictions could prove challenging, said a fourth source aware of the matter. Access to Mythos has been limited to a small number of organisations involved in maintaining key digital infrastructure in the U.S. Anthropic plans to provide Mythos access to European banks soon, Reuters reported earlier this week. Email requests for comment sent to RBI and NPCI were not immediately answered. The RBI is preparing broader guidelines for banks entering enterprise partnerships with advanced AI models, including Mythos and Anthropic's Claude family, as part of a longer-term strategy on AI adoption, according to two of the sources. The discussions are at an early stage but the central bank will insist that all analytics based on data of Indian customers complies with RBI's domestic data localisation, the sources said. The RBI data localization rule, issued in 2018, requires all payment system providers in India to store end-to-end transaction data, including user information and payment messages, exclusively on servers located within India. (Reporting by Ashwin Manikandan and Gopika Gopakumar in Mumbai; Editing by Kim Coghill)

RBA Says It Is Vigilant Against Growing AI Threats

SYDNEY--The Reserve Bank of Australia has signaled its growing concerns about the risks posed by the rapid advancement of artificial intelligence and the potential for cyber attacks on the financial system, saying that it is monitoring developments associated with Anthropic and its developing capabilities. "The RBA has noted the recent announcement by Anthropic regarding its Claude Mythos release's coding and vulnerability identification capabilities and the community's response," an RBA spokesperson said Wednesday. "The RBA is closely monitoring this development including engaging with peer regulators, government and regulated entities," the statement added. "RBA, along with peer regulators and government agencies will continue to assess the implications of these technological advancements to ensure the ongoing safety and resilience of the financial system." The RBA chairs Australia's Council of Financial Regulators, which has oversight of the financial system and its regulation. Anthropic has claimed that Mythos can identify vulnerabilities in every major operating system, prompting calls for its use to be regulated and contained.

Govt forms panel under SBI chief C S Setty to assess Mythos-related risks

Union Finance Minister Nirmala Sitharaman on Friday said the government has formed a panel under SBI Chairman C S Setty, who also leads the industry grouping IBA, to assess risks emanating from AI platform Mythos and come up with mitigating measures. There will be a lot of interaction among banks over the next few weeks to understand the threats and also look at the areas where additional investments will be required, Sitharaman said on the sidelines of an event to inaugurate SBI's newly created local head office here. "In the coming weeks, there will be a lot of interaction within the banks, understanding where more investments will have to be made, what kind of technologies can come in, how AI itself can be used for countering this AI born challenge," Sitharaman said. The government had held a high-level meeting with banks on Thursday, that was also attended by IT Minister Ashwini Vaishnav, Sitharaman, and other top officials. Sitharaman said not much is known about Mythos yet and there are very few people who have tried the system, which is speculated to bring about radical changes in computing. She said all this while, the system has been able to protect customers but the same record may not be sufficient to guard against newer platforms. The Meity is speaking with various governments and also technology companies to understand the issue, the FM said. Anthropic's AI model Mythos has raised a global debate over vulnerability in the financial system as the model has the capability to find weaknesses in their operating system and launch a potential cyber attack. Mythos' advanced coding capabilities give it an unprecedented potential to detect cybersecurity weaknesses and develop methods to exploit them, sparking concerns that it could be used to disrupt banking systems. Regulators across Asia, Europe, and the US have already warned banks to review their defences and preparedness. Mythos has raised alarm bells among regulators, who see it as a significant challenge to the banking sector and its legacy technology systems. Banks and financial institutions are most vulnerable as there is high interconnected (payments, markets, clearing systems) and dependence on legacy IT systems operating in real-time. One successful cyberattack can cascade quickly across institutions and markets as one bank is linked to many domestic and global institution for inward and outward payment, forex trading, money market exposure, stock market linkage, depositories and payment gateway, etc.

FM Sitharaman, IT minister Vaishnaw meet bankers over looming Claude Mythos; push for faster intel sharing

India is building a strong system for banks and agencies to share threat information instantly. This aims to quickly identify new dangers from artificial intelligence. Finance Minister Nirmala Sitharaman met with banks and IT officials to discuss these risks. The focus is on vigilance and better coordination. New Delhi: India will look to establish a robust mechanism for real-time threat intelligence sharing among banks, Indian Computer Emergency Response Team (CERT-In) and other relevant agencies to identify emerging threats and disseminate it without delay across the ecosystem, the finance ministry said in a statement on Thursday after finance minister Nirmala Sitharaman chaired a meeting on threats involving artificial intelligence (AI) models. Sitharaman, along with Union electronics and information technology minister Ashwini Vaishnaw, held a discussion with representatives of scheduled commercial banks and other stakeholders to assess the potential impact of emerging threats linked to recent developments involving AI models, particularly the possibility of such technologies being misused to weaponise software vulnerabilities. Also Read | Microsoft to integrate Anthropic's Mythos into its security development programme The finance minister noted that the nature of the emerging threats from the latest AI models is unprecedented and requires a very high degree of vigilance, preparedness and better coordination across financial institutions and banks, the statement said. Sitharaman advised the Indian Banks' Association (IBA) to develop a coordinated institutional mechanism to respond swiftly and effectively to any such threats and directed banks to engage the best available cybersecurity professionals and specialised agencies to continuously strengthen defensive and monitoring capabilities of the banks. Emphasising the need for proactive action, Sitharaman urged banks to take all necessary pre-emptive measures to secure their IT systems, safeguard customer data and protect monetary resources, the statement said. Banks were further advised to immediately report any suspicious activity or cyber incident to the relevant authorities, including CERT-In, and to maintain close coordination with all agencies concerned. Besides senior finance ministry officials, the meeting was attended by officials from the RBI, National Payments Corporation of India and CERT-In. Also Read | Anthropic's Mythos model accessed by unauthorised users: Bloomberg Earlier this week, Anthropic said in a statement that it is investigating a report claiming unauthorised access to Claude Mythos Preview through one of its third-party vendor environments. The company had previously stated that it had been in "ongoing discussions" with US government officials about Claude Mythos Preview's cyber capabilities. The company has claimed that Claude can outperform humans at some hacking and cybersecurity tasks, raising concerns, including in the financial sector. Resilient and stable Speaking at the PICUP Fintech Conference, financial services secretary M Nagaraju said Mythos is both a threat and an opportunity for the fintech ecosystem, noting that technology will play an important role not only in driving innovation but also in strengthening supervision, risk management and fraud prevention. "We are moving from scale to complexity where expectations are higher, risks are sharper and systems will be tested far more rigorously," he said, adding that cybersecurity threats, data privacy concerns, credit and asset quality risk, and trust deficit are some challenges that need to be managed to sustain long-term growth. Nagaraju, in his address, said it is important to ensure that the financial system remains resilient and stable. "A strong financial system must be capable of supporting growth during favourable times while also withstanding shocks during periods of uncertainty," he said. (You can now subscribe to our Economic Times WhatsApp channel)

India finance ministry to meet bank CEOs on Anthropic 'Mythos' cyber risk

Indian bank leaders will meet the finance minister today. They will discuss protecting the nation's payment system. The focus is on cyber threats from a new AI model called Mythos. Banks are seen as vulnerable due to their interconnected IT platforms. This meeting follows reports of unauthorized access to the AI model. Global regulators are also discussing these potential risks. Bank chief executives are set to assure the finance minister they are taking steps to ring-fence India's payments system from potential cyberattacks linked to Anthropic's Mythos, a new AI model, people familiar with the matter said. The finance ministry called an urgent meeting with bankers today evening to assess how exposed banks could be to cyber threats emanating from the Mythos app, the people said. Also read: RBI in talks with global regulators, banks to review Mythos risks, sources say The meeting was convened within 24 hours of a Bloomberg report that a small group of unauthorised users had gained access to Anthropic's app, even as the company said last week it would not publicly release the model, citing cybersecurity risks. Banks are seen as especially vulnerable because their IT platforms connect multiple stakeholders -- corporates, retail users and other financial services providers -- for seamless transactions. A cyberattack on banks could threaten financial stability, particularly at a time when the government is not levying charges on UPI payments to encourage digital transactions. Government officials in at least three countries -- the U.S., Canada and Britain -- have met top banking officials to discuss the threats posed by Claude Mythos Preview, according to wire reports. Reuters reported on Wednesday that Indian banking regulator is in talks with global regulators, Indian lenders and government officials to understand the potential risks posed by Mythos.

RBI in talks with global regulators, banks to review Mythos risks, sources say

MUMBAI: India's central bank is in talks with global regulators, Indian lenders and government officials to understand the potential risks posed by Anthropic's new artificial intelligence model Mythos, three sources said. The Reserve Bank of India's preliminary assessment - just like that of global regulators - suggests Mythos could pose cybersecurity risks by accelerating the discovery and exploitation of software vulnerabilities, the sources, all familiar with the central bank's thinking, ⁠said. Also Read: Japan's financial watchdog to meet top banks to discuss Mythos AI model Regulators in ⁠Asia, Europe and the United States have warned banks to review defences and preparedness. In Japan, the financial watchdog will meet banks this week, while the Australian central bank said it is monitoring Mythos-related developments. RBI officials have over the past fortnight held consultations on Mythos-related risks with counterparts at the U.S. Federal Reserve and the Bank of England in particular, according to one of the sources. The RBI may seek direct engagement with Anthropic, the sources said. "Globally, we are discussing ⁠with other countries and other regulators on what are the developments and what safeguards need to be taken," one of the sources said. Also Read: Mythos a serious threat but more will follow, Barclays CEO says India's payment authority, the National Payments Corporation ⁠of India (NPCI), is trying to secure early access to Mythos alongside a small number of banks, to identify vulnerabilities and "day‑zero" cyber risks ahead of any broader rollout, this source said. However, such access may not be forthcoming as Anthropic's Mythos systems is hosted on strictly-controlled servers in the U.S. and running tests on local data in foreign jurisdictions could prove challenging, said a fourth source aware of the matter. Access to Mythos has been limited to a small number of organisations involved in maintaining key digital infrastructure in the U.S. Anthropic plans to provide Mythos access to European banks soon, Reuters reported earlier this week. Email requests for comment sent to RBI and NPCI were not immediately answered. The RBI is preparing ⁠broader guidelines for banks entering enterprise partnerships with advanced AI models, including Mythos and Anthropic's Claude family, as part of a longer‑term strategy on AI adoption, according to two of the sources. The discussions are at an early stage but the central bank will insist that all analytics based on data of Indian customers complies with RBI's domestic data localisation, the sources said. The RBI data localization rule, issued in 2018, requires all payment system providers in India to store end-to-end transaction data, including user information and payment messages, exclusively on servers located within India.

India warns banks after powerful AI model like Claude Mythos raises cybersecurity concerns

Banks have been advised to upgrade monitoring systems and report cyber threats quickly to authorities. Anthropic Mythos AI model has become the talk of the town for its capabilities. After a reported data breach, the entire world is preparing for all the possible outcomes. In the latest update, the Indian government and RBI have already called on banks to strengthen their cybersecurity frameworks in response to growing risks posed by advanced AI systems. In a high-level meeting, Finance Minister Nirmala Sitharaman stressed the need for stronger coordination and preparedness as AI tools become more capable of identifying and exploiting software vulnerabilities. The meeting included Ashwini Vaishnaw and officials from institutions such as the Reserve Bank of India, National Payments Corporation of India and Indian Computer Emergency Response Team, along with banking executives. The discussions focused on assessing emerging threats from next-generation AI models and evaluating the sector's readiness to respond. Also Read: Haier launches new Gravity AI Series AC with self-cleaning outdoor unit, AI-driven cooling features: Check price and features Sitharaman also acknowledged that banks have made progress in improving the digital security systems, but warned that the latest wave of AI-driven threats presents a new level of complexity. She urged the Indian Banks' Association to develop a unified response mechanism that enables faster action against cyber incidents. Banks were also advised to enhance monitoring systems, work closely with cybersecurity experts, and report suspicious activities promptly to relevant authorities. The concerns come amid rising global attention on how AI models can be misused. Recently, Anthropic introduced a cybersecurity initiative called Project Glasswing in collaboration with major tech firms. The company revealed that its experimental model, Claude Mythos Preview, has already identified thousands of critical vulnerabilities across widely used software, including operating systems and web browsers. According to Anthropic, some of these flaws had remained undiscovered for years and can be misused. On the other hand, global policy makers are taking these developments seriously and discussing them at the international forums.