Experts throw cold water on Anthropic's new AI model

Gabby Jones/Bloomberg

  • Key insight: Anthropic's new Claude Mythos Preview model drastically collapses the timeline for finding cybersecurity vulnerabilities from months to mere seconds. 
  • What's at stake: If third-party AI vendors are compromised, they could expose a bank's nonpublic data and become a gateway for broader network attacks. 
  • Forward look: Federal agencies are urging financial institutions to strategically embed AI system assessments into their existing risk evaluation and monitoring frameworks. 

Overview bullets generated by AI with editorial review

A week after artificial intelligence company Anthropic claimed its new model was too dangerous for the general public, the initial shock is wearing off for U.S. financial institutions.

The arrival of the Claude Mythos Preview model does not mean the sky is falling on the financial system, but it is an escalation in the cyber arms race between banks and threat actors.

For bank executives, the development underscores an urgent need to update data governance, join defensive security consortiums and prepare for a world where cyberattacks move much more quickly than they have in the past.

The hype surrounding Mythos prompted an immediate response in Washington. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned Wall Street bank chief executives to an urgent meeting last week to discuss the potential systemic cyber risks the new AI model poses. The regulators arranged the meeting to ensure banks take precautions to defend their systems.

"Those bankers were in town for meetings that day, and it was appropriate (for) the Secretary Bessent to do what he did," and the two officials "went through the cyber risks to make sure that they were aware of them," according to Kevin Hassett, the White House national economic adviser. Hassett spoke to Reuters, which first reported on the meeting.

Anthropic opted not to broadly release the Mythos model, citing concerns that the technology could expose previously unknown cybersecurity vulnerabilities. The company claims the model can identify and exploit weaknesses across every major operating system and web browser.

Outside cybersecurity experts urge institutions to view the development practically; the model's capabilities represent a broader, structural shift in how quickly threats emerge and get resolved.

"The timeline for finding and fixing vulnerabilities collapses to seconds, minutes and hours, rather than days, months or years," Ciaran Martin, the former head of the U.K.'s National Cyber Security Centre, told news wire AFP.

While this compression of time presents challenges, it also gives defenders a "real opportunity here to fix a lot of the internet's hidden bugs," Martin said.

Separating the hype from the threat

The regulators summoned Citigroup's Jane Fraser, Morgan Stanley's Ted Pick, Bank of America's Brian Moynihan, Wells Fargo's Charlie Scharf, and Goldman Sachs's David Solomon to discuss the cyber risks posed by the Mythos model. The meeting aimed to ensure the institutions take precautions to defend their networks.

Following the meeting, bank executives sought to reassure markets that they are preparing for the evolving threat. Solomon told analysts on a Monday earnings call that the bank is "hyper-aware" of the new model's enhanced capabilities.

"We are very focused on supplementing our cyber and infrastructure resilience," and the bank is "accelerating our investment in" these protections, according to Solomon.

Despite the high-level regulatory response, commentators have been more measured and skeptical about the model's danger.

Alex Stamos, an expert at the AI safety startup Corridor, dismissed Anthropic's apocalyptic framing as a "marketing schtick" in an interview with AFP.

Anthropic's approach is akin to "if the Manhattan Project announced the nuclear bomb within a cute little Calvin and Hobbes cartoon," Stamos said.

Similarly, tech investor Ramez Naam characterized the development on social media platform X as a "relatively normal LLM release, advancing capabilities but not bending the curve."

Independent testing indicates that these advanced cybersecurity capabilities are not entirely exclusive to Anthropic's proprietary technology. Cybersecurity firm Aisle tested the specific vulnerabilities Anthropic showcased using small, cheap, open-weights models and found that the cheaper alternatives "recovered much of the same analysis."

Rather than scaling smoothly with a model's size or price, AI cybersecurity capability forms a "jagged" frontier, according to Stanislav Fort, Aisle's founder and chief scientist.

Ultimately, the true defensive moat in AI cybersecurity "is the system, not the model," Fort wrote.

Project Glasswing offers a defender's advantage

Anthropic restricted access to the Mythos Preview model, sharing it instead with a consortium of more than 40 technology and critical infrastructure companies, according to a Tuesday announcement from the company.

The group, dubbed Project Glasswing, includes major tech companies like Amazon, Apple, and Microsoft, as well as Wall Street giant JPMorgan Chase.

JPMorgan Chase views the initiative as a way to collaborate on shared challenges facing the financial system.

"Project Glasswing provides a unique, early stage opportunity to evaluate next-generation AI tools for defensive cybersecurity across critical infrastructure both on our own terms and alongside respected technology leaders," Pat Opet, the bank's chief information security officer, said in Anthropic's announcement about the coalition.

The restricted release gives banks and other partners a head start to rewrite insecure legacy code and fix hidden bugs before malicious actors can exploit them.

"Over 99% of Mythos's findings are still unpatched by design, so the early-access partners supporting critical software can identify and fix things before disclosure runs its course," according to Jake Scheetz, a technical architect at the cybersecurity firm NetSPI. "That's a rare example of a capability reaching defenders meaningfully ahead of attackers, and it'd be a real shame to squander it by either panicking or shrugging."

Adapting bank risk and control frameworks

To safely harness these new AI tools, the Financial Services Information Sharing and Analysis Center recently published step-by-step guidance to help firms understand and mitigate the risks of implementing generative AI.

"GenAI presents enormous opportunities for financial firms to improve business operations, provide better customer service, and even improve their cybersecurity posture," according to Michael Silverman, chief strategy and innovation officer at the consortium.

But the technology also "increases security risks when it's not leveraged in a safe and compliant manner," Silverman said.

While AI can augment the cybersecurity workforce and increase efficiency, banks must train employees to mitigate internal risks.

"Blind acceptance of AI outputs" is unwise because the systems can produce errors and hallucinations, according to a recent FS-ISAC report.

The models can "fabricate a plausible, but false, response or data," which provides operators with incorrect information for decision-making, according to guidelines from the Cybersecurity and Infrastructure Security Agency.

To counteract this, experts recommend "human-in-the-loop" validation, ensuring AI outputs serve as recommendations rather than direct, autonomous actions.

The proliferation of AI also exacerbates supply chain vulnerabilities. AI-powered tools depend heavily on vast amounts of data, and the process of gathering that information frequently involves working with third-party vendors.

If a cyberattack compromises any of these outside suppliers, the breached vendor could expose a bank's nonpublic information and "become a gateway for broader attacks on that entity's network," according to guidance from the New York State Department of Financial Services.

Federal agencies and other experts encourage institutions to embed AI system assessments into their existing risk evaluation, mitigation, and monitoring processes. Specifically, agencies encourage companies to follow established standards, such as the National Institute of Standards and Technology's new Cyber AI Profile.

NIST's framework provides guidelines that help organizations "strategically adopt AI while addressing and prioritizing cybersecurity risks," according to the agency. By integrating AI into existing control sets, banks can safeguard their networks against evolving threats.

