8 Sources
[1]
India orders infosec red alert in case Mythos sparks crime
Securities regulator urges market players to develop new strategies and nail cyber-basics before AI models fuel mass attacks India's Securities and Exchange Board has advised participants in the nation's equities industry to immediately revisit their information security systems and practices, in case Anthropic's Mythos bug-finding AI sparks a cyberattack spree. The Board is India's equivalent of the USA's Securities and Exchange Commission, or the UK's Financial Conduct Authority. On Tuesday, the Indian regulator issued an advisory that opens with the following observation: In response to those threats, the Board has established a taskforce that will examine the risks posed by models like Mythos, share threat intelligence, report incidents, and initiate a review of cybersecurity at third-party software vendors who supply the regulator and the entities it oversees. The advisory then offers some basic infosec advice: ensure patches are up to date, conduct audits of potential vulnerabilities, conduct inventories of APIs and secure them, run a serious SOC and take its advice, and harden systems by adopting principles such as zero-trust networking and running only essential services. The regulator also told participants in India's equities markets to have their IT committees issue guidance on how to mitigate risks created by AI-led vulnerability detection models, then develop a plan to use AI as part of their infosec armoury. "Also, undertake other measures including recalibration of risks for AI accelerated threats, AI-augmented SOC transformation, and continuous vulnerability management using AI tools," the advisory states. The Board directed the above advice at 19 different classes of company, ranging from venture capitalists to merchant bankers, mutual funds, stock exchanges, and even niche suppliers such as agencies that store know your customer information. Other regulators around the world have also acknowledged the risks Mythos poses. 
US Treasury Secretary Scott Bessent convened an emergency meeting with the nation's banks a few weeks back. Singaporean regulators did likewise, yesterday. Australian regulators sent local banks a strongly worded reminder that they must develop AI strategies that consider risks the technology creates. Hong Kong's Monetary Authority is working on new infosec guidance for the age of Mythos. India's approach stands out for effectively putting entities it regulates on alert to an imminent threat and ordering them to take action to prevent problems. ®
[2]
Australia regulator calls for urgent cybersecurity action to counter Mythos
SYDNEY, May 8 (Reuters) - Australia's corporate regulator has urged the country's financial sector to take urgent action on tackling potential cyber risks from frontier AI systems such as Mythos. The Australian Securities and Investments Commission on Friday published a letter sent to the financial services industry saying greater action needed to be taken on ensuring cybersecurity practices are as strong as possible. "Cyber risk has entered a new era, the advent of frontier AI models creates opportunity but also materially increases risk, with the ability to expose vulnerabilities faster than many realise," Simone Constant, ASIC commissioner, said. "Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business." Potential risks posed by Mythos, which has high-level coding capabilities, have given it a potentially unprecedented ability to identify cybersecurity vulnerabilities, experts have warned. Anthropic, which developed Mythos, did not immediately respond to a request for comment on ASIC's letter. The ASIC warning follows Australia's banking regulator last month saying the domestic financial services industry's information security practices were struggling to match the rate of change in AI. "The clock is at a minute to midnight - if you aren't on top of your cyber resilience already, the time to act and prepare is right now," Constant said. Anthropic has launched Claude Mythos Preview under Project Glasswing, a tightly restricted access programme that includes major technology firms such as Amazon (AMZN.O), Microsoft (MSFT.O), Nvidia (NVDA.O) and Apple (AAPL.O).
The ability of central banks and financial regulators to monitor and combat the risks posed by AI models has been called into question after a survey found authorities significantly lag financial firms in AI adoption and lack data on emerging harms. Financial institutions are adopting AI at more than twice the rate of their supervisors, with just two in 10 regulators reporting "advanced AI adoption," research published in April by the Cambridge Centre for Alternative Finance showed. Reporting by Scott Murdoch; Editing by Jacqueline Wong and Chris Reese
[3]
Australia regulator calls for urgent cybersecurity action to counter Mythos
Australia's corporate regulator warns financial firms about new cyber threats from advanced AI systems. These powerful AI models can find security weaknesses quickly. Regulators stress the need for immediate action to strengthen cybersecurity. Financial institutions are adopting AI faster than supervisors, creating a growing risk gap. Australia's corporate regulator has urged the country's financial sector to take urgent action on tackling potential cyber risks from frontier AI systems such as Mythos. The Australian Securities and Investments Commission on Friday published a letter sent to the financial services industry saying greater action needed to be taken on ensuring cybersecurity practices are as strong as possible. "Cyber risk has entered a new era, the advent of frontier AI models creates opportunity but also materially increases risk, with the ability to expose vulnerabilities faster than many realise," Simone Constant, ASIC commissioner, said. "Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business." Potential risks posed by Mythos, which has high-level coding capabilities, have given it a potentially unprecedented ability to identify cybersecurity vulnerabilities, experts have warned. Anthropic, which developed Mythos, did not immediately respond to a request for comment on ASIC's letter. The ASIC warning follows Australia's banking regulator last month saying the domestic financial services industry's information security practices were struggling to match the rate of change in AI. "The clock is at a minute to midnight - if you aren't on top of your cyber resilience already, the time to act and prepare is right now," Constant said. 
Anthropic has launched Claude Mythos Preview under Project Glasswing, a tightly restricted access programme that includes major technology firms such as Amazon, Microsoft, Nvidia and Apple. The ability of central banks and financial regulators to monitor and combat the risks posed by AI models has been called into question after a survey found authorities significantly lag financial firms in AI adoption and lack data on emerging harms. Financial institutions are adopting AI at more than twice the rate of their supervisors, with just two in 10 regulators reporting "advanced AI adoption," research published in April by the Cambridge Centre for Alternative Finance showed.
[4]
Anthropic's Mythos: What Investors Should Watch
Anthropic built a model it decided was too dangerous to release. What happened next is a case study in how fast AI risk has become a financial stability problem.
On April 7, 2026, Anthropic announced an AI model it refused to sell. That decision alone was unusual. What followed was not. Within 24 hours, the Federal Reserve Chair and the Treasury Secretary sat in a room with the CEOs of America's biggest banks. Within weeks, the International Monetary Fund issued a formal warning about AI-driven cyberattacks threatening the global financial system. All of it traces back to Anthropic's Mythos.
What Mythos Actually Does
Mythos is not a hacking tool. Anthropic did not build it to find vulnerabilities. Instead, it is a general-purpose AI model trained to reason and write code. However, during internal testing, something unexpected happened. The model turned out to be extraordinarily good at finding security flaws that human researchers had missed for decades. The numbers are striking. An earlier Anthropic model found about 20 vulnerabilities in the Firefox browser. Mythos, by contrast, found nearly 300. Furthermore, across every major operating system and web browser, the total now runs into the tens of thousands. Many of the flaws are 10, 20, even 27 years old. Anthropic CEO Dario Amodei explained why his team has not disclosed most of them publicly. "If we announce something without it being fixed, then the bad guys will exploit it."
Why Access Is Restricted
Anthropic chose not to release Mythos to the public. Instead, the company launched Project Glasswing, giving roughly 40 organizations monitored access to find and fix vulnerabilities before attackers can exploit them. Partners include Amazon Web Services (AMZN), Apple (AAPL), Microsoft (MSFT), Alphabet (GOOGL), Nvidia (NVDA), Cisco (CSCO), CrowdStrike (CRWD), JPMorgan Chase (JPM), and Palo Alto Networks (PANW). In addition, Anthropic committed up to $100 million in usage credits and $4 million in donations to open-source security organizations to support the effort.
The Emergency Meeting and the IMF Warning
On April 7, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell called an unannounced meeting at Treasury headquarters in Washington. In the room sat the CEOs of Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs. The subject was Mythos and the cyber risks it represents. JPMorgan Chase CEO Jamie Dimon was invited but could not attend. The International Monetary Fund echoed that urgency shortly after. It cited Mythos by name, warning that advanced AI discovers and exploits vulnerabilities faster than organizations can patch them. Moreover, the IMF raised a systemic concern that extends beyond any single institution. Banks, payment networks, and energy firms all share the same cloud providers and software platforms. Consequently, one successfully exploited vulnerability can cascade across the entire financial system at once. The IMF called this concentration risk and called it urgent.
The Window Is Closing
Anthropic CEO Dario Amodei put a clear deadline on the threat. Chinese AI models sit roughly six to twelve months behind Mythos. Other frontier labs are closer, about one to three months behind. As a result, the gap is closing on two fronts simultaneously. The problem, however, is not just who catches up. It is what happens in the meantime. Security teams are already losing the race against time. Specifically, the average organization takes 60 days to patch a critical vulnerability after disclosure. Attackers, on the other hand, exploit those same vulnerabilities within an average of 4.5 days of a public proof of concept appearing. That leaves a 55-day window where systems sit exposed and attackers can walk right in. Furthermore, according to Mandiant's M-Trends 2026 report, the situation is deteriorating. Exploits now routinely arrive before patches. Nearly 28% of known vulnerabilities faced active exploitation within 24 hours of public disclosure. JPMorgan Chase CEO Jamie Dimon, who has repeatedly warned that cyberattacks represent the greatest long-term threat facing the banking system, agreed that the old response timelines no longer hold. "In the old days, you put out a patch, people had a week or two to fix it. Now you say it's got to be like minutes." Meanwhile, OpenAI moved quickly to respond, releasing GPT-5.5-Cyber in limited preview to vetted security teams. OpenAI CEO Sam Altman has called Anthropic's public warnings "fear-based marketing." Similarly, some researchers note that existing public models can replicate comparable capabilities. In other words, the risk predates Mythos. Mythos simply makes it faster and harder to ignore.
What Investors Should Watch
Three things matter most in the months ahead. First, watch for regulatory action. The Trump administration has discussed new oversight frameworks for frontier AI models. As a result, any formal guidance will directly affect costs and timelines across the entire sector. Second, watch the patch cycle. Most Mythos-discovered vulnerabilities remain unpatched and undisclosed. Therefore, as fixes roll out, a wave of new CVEs will hit enterprise security queues. Consequently, slow movers face real and measurable exposure. Third, watch the Glasswing advantage. Partners with early access hold a meaningful security edge right now. Nevertheless, that advantage is temporary. Within a year, comparable capabilities will likely reach both defenders and adversaries alike. Above all, Amodei summed it up plainly. "There are only so many bugs to find. If we handle this right in six to twelve months, we could be in a better position than we started." The window is open. The question is whether institutions move fast enough to use it.
Benzinga Disclaimer: This article is from an unpaid external contributor.
It does not represent Benzinga's reporting and has not been edited for content or accuracy.
[5]
Banks Slash Patch Times as Anthropic's Mythos Exposes Security Gaps | PYMNTS.com
One thing the banks have learned is that Mythos can create a high-risk vulnerability by bringing together several lower risk weaknesses, according to the report. The number of low- to moderate-ranked vulnerabilities found in banks' tech by Mythos numbers between several hundred and thousands. In response, banks are patching vulnerabilities in days rather than the weeks they used to take and are upgrading technology that is at the end of its software support, per the report. Some banks may take their systems offline more often to handle the new workload but will do so in the least disruptive ways. The testing banks are now doing with Mythos is likely to be repeated with other new AI products on a continuous basis. For banks that don't have access to Mythos, Anthropic has released recommendations for improving their defenses and is offering another program called Claude Security that scans for vulnerabilities and is available to a greater number of organizations, per the report. Anthropic CEO Dario Amodei said May 5 that financial services companies and other organizations have six to 12 months to fix vulnerabilities in their software before Chinese AI models develop capabilities equal to those of Mythos. Amodei said that Mythos had uncovered tens of thousands of vulnerabilities and that if code is rewritten with models like Mythos, "we could be in a better position than we started in because we fixed all these bugs." On May 3, Treasury Secretary Scott Bessent said that American banks are working to safeguard against AI-related cyberthreats and that he told them that they should take the Mythos model seriously and use it to find holes in their defenses.
"What we've had in the past month was a step change in the power of one large language model, but we're going to see it from the other AI companies, and it's important that the U.S. stays ahead here," Bessent said.
[6]
SEBI Orders Cybersecurity Overhaul Over Mythos Concerns
The Securities and Exchange Board of India (SEBI) has named Anthropic's Claude Mythos in a circular dated May 5, ordering every regulated entity in Indian securities markets to immediately overhaul their cybersecurity infrastructure. SEBI is the first Indian financial markets regulator to name a specific AI model in a formal circular; CERT-In had first named Mythos across all sectors on April 26. The circular covers stock exchanges, depositories, mutual funds, brokers, credit rating agencies, custodians, merchant bankers, and portfolio managers, among others. SEBI's concern: Mythos can identify and exploit vulnerabilities "using speed and scale," threatening data confidentiality, application integrity, and reliability of outputs. Because all market participants are interconnected, one breach can trigger a domino effect across the entire ecosystem. SEBI has also constituted a task force called cyber-suraksha.ai, comprising representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), and other regulated entities, to examine AI-driven cybersecurity risks, share threat intelligence, report cyber incidents on priority, and review third-party vendor security posture.
What the circular requires:
6. Overhaul SOC monitoring. A Security Operations Centre (SOC) monitors an organisation's systems for threats around the clock. The circular requires:
7. Include AI as a risk scenario. Periodic risk assessments must now explicitly model AI model capabilities as a threat scenario.
8. Harden systems. Entities must adopt secure configurations, disable unnecessary services and default accounts, and enforce Zero Trust Network Architecture (ZTNA), a security model that requires verification at every step, assuming no user or system is trustworthy by default.
9. Update software inventory. Entities must periodically update their Software Bill of Materials (SBOM), a complete list of all software components, including open-source code, for all critical applications.
10. Build long-term AI defence. All regulated entities must prepare a long-term plan for using AI in detection and autonomous agentic mitigation, where AI systems independently identify and respond to threats without waiting for human instruction, including AI-augmented SOC transformation.
Why this matters:
SEBI naming Mythos in a circular is a significant regulatory moment. As MediaNama has reported, no Indian company, bank, or government agency has secured access to Mythos under Project Glasswing, Anthropic's $100 million restricted access programme. MeitY Secretary S. Krishnan confirmed on April 28 that India is still working out logistics with US authorities. This creates a structural contradiction: SEBI is ordering Indian financial institutions to defend against a model they cannot access to defend themselves with. Claude Security, Anthropic's enterprise defensive tool, gives Indian firms an indirect path through Infosys as a named partner, but runs on Opus 4.7, which produces two working exploits on the Firefox 147 benchmark against Mythos's 181, a 90x capability gap. MediaNama founder Nikhil Pahwa identified the core problem: "A tool that compresses attack timelines without compressing defense timelines increases systemic risk before it improves security." The data localisation conflict also remains unresolved. India's 2018 rules require payment system providers to store all transaction data on servers within India, while Mythos is hosted on US-based servers. The National Payments Corporation of India (NPCI) has not publicly addressed this.
[7]
Anthropic's Mythos sends US banks rushing to plug cyber holes
NEW YORK, May 12 (Reuters) - U.S. banks are rushing to fix scores of IT system weaknesses flagged by Anthropic's powerful but costly Mythos AI tool, prompting urgent repairs, software upgrades and raising the possibility of disruption for customers. A handful of the country's largest lenders currently have access to Mythos, Reuters has previously reported, and are now uncovering issues the program is revealing, several sources familiar with the matter said. As they comb through the vulnerabilities, the larger banks are also helping inform smaller banks who do not have direct access to the tool so they can prepare their systems, those sources said. Mythos is viewed by cybersecurity experts as posing significant challenges to the banking industry and its legacy technology systems, prompting a series of warnings from regulators and policymakers. "This is a wake-up call because cyber risk is moving to machine speed, while much of bank defense still operates at human speed," said Nitin Seth, co-founder & CEO of Incedo, a data, digital, and AI services firm. "It also breaks a long-standing assumption in banking security -- that vulnerabilities can remain hidden for extended periods before they are discovered and weaponized." As Wall Street banks test Mythos, they are discovering that the model is expert at chaining together lower-risk vulnerabilities - or weaknesses - into a high-risk vulnerability, several of the sources said. That is triggering a rush to check that software is upgraded, said one of the sources at a major bank, and another person with knowledge of the findings. Mythos is particularly expert at finding vulnerabilities in proprietary and open-source code, putting banks under pressure to upgrade aging tech that is at the end of its software support, the source at one of the major banks said. 
Mythos is uncovering several hundred to thousands of vulnerabilities ranked low to moderate, which need to get fixed, the source with knowledge of the findings said, adding that the model is disruptive for banks because they have to perform the fixes at speeds never previously contemplated - in some cases patching in days vulnerabilities they may have previously waited weeks to patch. The increased workload could result in banks having to take systems offline more frequently, said one of the people and another source. However, banks would look to do this in a way that causes minimal disruption, the second source said. One of the sources said that such rapid testing of AI products including Mythos is now the new normal which they expect to be doing continually.
HIGH BARRIERS
One of the barriers to entry for smaller banks is the cost of the technology. Smaller banks also do not have the processing power to use the model, one of the people said, adding that the big banks have however been sharing data on their findings. Like other AI models, Claude Mythos Preview is priced by how many tokens, or pieces of data, it must consume to answer a user's prompt. It costs $25 per million tokens that a customer inputs into the AI model, and $125 per million tokens that the AI outputs - exactly five times more expensive than Anthropic's more widely available top AI model, Opus 4.7, Anthropic has said. Anthropic, however, has said it would provide $100 million worth of credits to Glasswing partners and other Mythos customers, saying this would "cover substantial usage throughout this research preview." Anthropic has also released recommendations for companies to shore up defenses even if they do not have access to Mythos while it said in a recent post that another program, Claude Security, which can be used to scan for vulnerabilities, is available to a wider set of organizations. Anthropic leader Mike Krieger told Reuters last week the AI lab considered both safety and business needs when setting prices. Its pricing should be low enough to encourage usage of its AI while high enough to be "funding the business", Krieger said. "We want to maximize the amount of aligned tokens flowing into the world," he said. Anthropic declined comment on the banks' findings of Mythos.
'OH BOY' MOMENT
Anthropic initially restricted access to the model to partners in its Project Glasswing initiative and about 40 additional organizations. JPMorgan Chase was a publicly named launch partner, while Goldman Sachs, Citigroup, Bank of America and Morgan Stanley, have access, Reuters reported, citing sources and company executives. Adam Meyers, who leads counter adversary operations at CrowdStrike, a cybersecurity company that is part of Project Glasswing, said that within days of gaining access, he and his team spent "a solid entire weekend trying to figure out how to best use this thing before we even started looking for bugs." The model required building "a whole methodology and a whole set of capabilities" to harness it effectively, he added. Meyers said when he first found out about Mythos his words were "oh boy". A senior bank regulatory official said Mythos has been as powerful as anticipated, and is extremely adept at quickly connecting the dots to highlight vulnerabilities that may have taken humans much longer to tie together. For banks without access, consultants caution that they should protect their systems. Bernard Montel, Tenable's EMEA Technical Director and Security Strategist, said while other sectors are vulnerable, "the backbone of the banking sector is technology, that is the difference," meaning disruptions hit at the core of the business.
(Additional reporting by Pete Schroeder and Jeffrey Dastin; editing by Megan Davies and Nick Zieminski) By Saeed Azhar, Tatiana Bautzer, Michelle Price and Francesco Canepa
[8]
Australia regulator calls for urgent cybersecurity action to counter Mythos
SYDNEY, May 8 (Reuters) - Australia's corporate regulator has urged the country's financial sector to take urgent action on tackling potential cyber risks from frontier AI systems such as Mythos. The Australian Securities and Investments Commission on Friday published a letter sent to the financial services industry saying greater action needed to be taken on ensuring cybersecurity practices are as strong as possible. "Cyber risk has entered a new era, the advent of frontier AI models creates opportunity but also materially increases risk, with the ability to expose vulnerabilities faster than many realise," Simone Constant, ASIC commissioner, said. "Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business." Potential risks posed by Mythos, which has high-level coding capabilities, have given it a potentially unprecedented ability to identify cybersecurity vulnerabilities, experts have warned. Anthropic, which developed Mythos, did not immediately respond to a request for comment on ASIC's letter. The ASIC warning follows Australia's banking regulator last month saying the domestic financial services industry's information security practices were struggling to match the rate of change in AI. "The clock is at a minute to midnight - if you aren't on top of your cyber resilience already, the time to act and prepare is right now," Constant said. Anthropic has launched Claude Mythos Preview under Project Glasswing, a tightly restricted access programme that includes major technology firms such as Amazon, Microsoft, Nvidia and Apple. The ability of central banks and financial regulators to monitor and combat the risks posed by AI models has been called into question after a survey found authorities significantly lag financial firms in AI adoption and lack data on emerging harms.
Financial institutions are adopting AI at more than twice the rate of their supervisors, with just two in 10 regulators reporting "advanced AI adoption," research published in April by the Cambridge Centre for Alternative Finance showed. (Reporting by Scott Murdoch; Editing by Jacqueline Wong and Chris Reese)
Financial regulators across India, Australia, and the US are issuing urgent cybersecurity warnings as Anthropic's Mythos AI model reveals an unprecedented ability to identify security vulnerabilities. The bug-finding AI has uncovered tens of thousands of flaws, some decades old, prompting emergency meetings and forcing banks to slash patch times from weeks to days.
Anthropic's Mythos has triggered an unprecedented global response from financial regulators who warn that cybersecurity has entered a dangerous new phase. The Securities and Exchange Board of India issued a red alert advisory on Tuesday, directing 19 different classes of financial entities—from venture capitalists to stock exchanges—to immediately revisit their information security systems and practices [1]. The regulator established a taskforce to examine AI-related risks, share threat intelligence, and review cybersecurity at third-party vendors who supply the industry.
Australia followed with its own urgent warning. ASIC commissioner Simone Constant published a letter to the financial services industry on Friday stating that "cyber risk has entered a new era, the advent of frontier AI models creates opportunity but also materially increases risk, with the ability to expose vulnerabilities faster than many realise" [2]. She emphasized that organizations should not wait for perfect clarity, urging them to "act now, and act with discipline, to strengthen the cyber resilience fundamentals." Her stark warning that "the clock is at a minute to midnight" underscores the urgency regulators feel about these advanced AI models [3].
The scale of security vulnerabilities discovered by Mythos is staggering. While an earlier Anthropic model found approximately 20 vulnerabilities in Firefox, Mythos identified nearly 300 in the same browser [4]. Across major operating systems and web browsers, the total now runs into tens of thousands of flaws, many dating back 10, 20, or even 27 years. Anthropic CEO Dario Amodei explained the company's cautious approach: "If we announce something without it being fixed, then the bad guys will exploit it."
Banks testing Mythos through Project Glasswing have discovered that the AI can create high-risk vulnerabilities by combining several lower-risk weaknesses. The number of low- to moderate-ranked vulnerabilities found in banks' technology ranges from several hundred to thousands [5]. This capability for identifying complex attack vectors represents a fundamental shift in how cyber threats must be assessed and managed.
On April 7, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell convened an unannounced emergency meeting at Treasury headquarters with CEOs from Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs to discuss Mythos and the cyber threats it represents [4]. The International Monetary Fund issued a formal warning shortly after, citing Mythos by name and cautioning that AI-driven cyberattacks could threaten global financial stability. The IMF raised particular concern about concentration risk—where banks, payment networks, and energy firms share the same cloud providers and software platforms, meaning one exploited vulnerability could cascade across the entire financial system.
Bessent stated on May 3 that American banks should take the Mythos model seriously and use it to find holes in their defenses, noting that "what we've had in the past month was a step change in the power of one large language model" [5].
The threat mitigation timeline has compressed dramatically. Organizations traditionally take 60 days to patch critical vulnerabilities after disclosure, while attackers exploit those same flaws within an average of 4.5 days of a public proof of concept appearing—leaving a 55-day exposure window [4]. According to Mandiant's M-Trends 2026 report, nearly 28% of known vulnerabilities now face active exploitation within 24 hours of public disclosure.
In response, banks are patching vulnerabilities in days rather than weeks and upgrading technology at the end of its software support [5]. Some institutions may take systems offline more frequently to handle the increased workload, though they aim to do so in the least disruptive ways possible.
Anthropic chose not to release Mythos publicly, instead launching Project Glasswing with roughly 40 organizations receiving monitored access to find and fix vulnerabilities before attackers can exploit them [4]. Partners include Amazon, Apple, Microsoft, Alphabet, Nvidia, Cisco, CrowdStrike, JPMorgan Chase, and Palo Alto Networks. Anthropic committed up to $100 million in usage credits and $4 million in donations to open-source security organizations.
For organizations without Mythos access, Anthropic offers the Claude Security program, which scans for vulnerabilities and is available to a broader range of entities [5]. However, Dario Amodei warned on May 5 that financial services companies have only six to 12 months to fix vulnerabilities before Chinese AI models develop capabilities equal to Mythos, while other frontier AI systems sit just one to three months behind [5].
India's advisory directed financial entities to ensure patches remain current, conduct vulnerability audits, secure APIs, operate serious security operations centers, and adopt zero-trust networking principles [1]. The regulator also instructed IT committees to develop plans for using AI as part of their information security arsenal and to undertake "AI-augmented SOC transformation" and continuous vulnerability management using AI tools.
A concerning gap has emerged between financial institutions and their supervisors. Financial institutions are adopting AI at more than twice the rate of their regulators, with just two in 10 financial regulators reporting "advanced AI adoption," according to research published in April by the Cambridge Centre for Alternative Finance [2]. This disparity raises questions about the ability of central banks and financial regulators to monitor and combat AI-related risks effectively, as authorities significantly lag financial firms in AI adoption and lack data on emerging harms.
Summarized by Navi