Anthropic's Mythos AI Triggers Financial Regulators to Act on Cybersecurity Risks
Anthropic's new artificial intelligence model, called Mythos, can find and exploit software vulnerabilities on its own - a capability that has prompted financial regulators and banking executives across Canada, the U.S., and the U.K. to meet and discuss systemic risks to the financial system.
The company announced last week that Mythos discovered thousands of high-severity vulnerabilities in every major operating system and web browser, some dormant for decades. Anthropic has declined to release the model publicly, instead sharing it with companies like Apple, Amazon Web Services, Google, Microsoft, Nvidia, and JPMorgan Chase to strengthen defenses through an initiative called Project Glasswing.
What makes Mythos different
Previous AI models could help security experts work faster, but humans still had to identify and exploit vulnerabilities step by step. Mythos operates independently. It can examine software, identify weaknesses, determine how to exploit them, and chain multiple vulnerabilities together without human intervention at each stage.
This speed matters. If an AI system can scan banking or payment software and find flaws in hours instead of weeks, multiple organizations using the same system face exposure far sooner than before.
How regulators responded
U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell met with CEOs from Goldman Sachs, Morgan Stanley, Citigroup, and others in Washington to discuss the cybersecurity risks.
The Bank of Canada convened executives from the country's largest banks and financial institutions on Friday. The U.K.'s financial regulators met with major British banks and insurers. Canada's Artificial Intelligence Minister Evan Solomon met with Anthropic executives, calling their approach "proactive," though he did not confirm whether Canadian companies would gain access to Mythos.
Why banks are vulnerable
Canadian banks operate on American software, meaning their security depends on external vendors. When vulnerabilities are discovered, Canadian institutions wait for American companies to issue fixes.
Canada's financial system concentrates risk among the Big Six banks plus Desjardins. While this coordination helps in some scenarios, mid-sized lenders and credit unions often share technology vendors with larger institutions but lack equivalent security teams. A vulnerability affecting shared software could expose multiple players simultaneously.
Coordinated cyberattacks across institutions become more feasible when AI can identify and exploit weaknesses across entire software platforms in compressed timeframes.
What comes next
Regulators and academics say effective risk mitigation requires global coordination and faster responses from Canadian authorities. Current rules addressing third-party and vendor risk exist, but enforcement and speed will determine whether the financial system can adapt to AI-accelerated threats.
The test ahead involves balancing caution with speed. Canadian regulators and banks must identify vulnerabilities and patch systems faster than an AI can find and weaponize them.
Learn more about AI for cybersecurity professionals or explore AI applications in finance.
Your membership also unlocks:
