Treasury Convenes Bank Executives Over AI Vulnerability Risks
US Treasury Secretary Scott Bessent met this week with chief executives from Bank of America, Citigroup, Goldman Sachs, Morgan Stanley and Wells Fargo, alongside Federal Reserve Chair Jerome Powell, to discuss cybersecurity threats posed by advanced artificial intelligence models. The closed-door meeting followed concerns about Anthropic's newly released Mythos model and its ability to identify software vulnerabilities at scale.
The implications reach directly into insurance underwriting and cyber risk assessment. Mythos can systematically scan code and surface exploitable issues far faster than traditional vulnerability discovery methods, compressing the window between when a flaw is introduced, discovered and weaponised.
The Discovery Problem Gets Worse
For decades, organisations relied on a basic assumption: software contains vulnerabilities, but most remain obscure or require prohibitive effort to uncover. Mythos invalidates that comfort.
Cyber leaders at the NetDiligence conference in Toronto said the model represents a genuine shift, not an abstract research exercise. John O'Brien of Microsoft Canada told delegates that existing remediation processes, change-control cycles and staffing models were designed for an era of slow, uneven vulnerability discovery. If models like Mythos accelerate identification, defenders may find their familiar processes can no longer keep pace.
This directly affects how insurers assess cyber risk. Organisations already struggling with patches and upgrades now face a faster threat tempo than their existing controls were built to handle.
Social Engineering Remains the Visible Threat
Both O'Brien and Guillaume Clément of KPMG in Canada cautioned that the most measurable AI-driven threat today is not zero-day exploitation but social engineering. A new generation of phishing and impersonation schemes uses polished language and context to guide victims into taking harmful actions themselves, such as changing payment details or sharing credentials.
These campaigns lack the crude hallmarks of older attacks, making them harder for employees to spot and raising the likelihood of successful compromise.
Fundamental Controls Remain Incomplete
Many organisations claim to have multi-factor authentication and endpoint protection in place, yet closer inspection reveals gaps. Senior staff, legacy systems and third-party accounts often fall outside coverage.
Cyber insurance practices reinforce this problem. Insurers typically ask binary questions (do controls exist?) rather than examining how completely those controls are implemented across an organisation. This approach leaves blind spots that attackers, whether human or AI-assisted, can exploit.
What Changes for Risk Management
Both speakers concluded that organisations can no longer treat vulnerability obscurity or slow discovery as a safety layer. Boards, CISOs and insurers must assume vulnerabilities will be found and breaches will occur.
The shift means prioritising rapid detection, containment and operational resilience over prevention alone. For insurers, this affects how policies are priced, what coverage is offered and what controls are actually required, not just documented.