Financial services companies can find it hard to keep pace with fast-advancing technology, but digital change and risk management have become part of the industry’s DNA. What happens, though, when breakthroughs in capabilities are seismic and sudden, threatening the industry’s technology status quo and the potential safety and soundness of the banking business model?
Anthropic’s announcement of its code-busting Claude Mythos model—capable of finding and breaking faulty code at previously unseen scale and sophistication—threw the cybersecurity community into upheaval. With banks already shifting to “trust no one and nothing” defenses as technology stacks grow increasingly complex, Mythos was an unexpected development to pile on to an already sizeable cybersecurity challenge for the industry.
Anthropic’s CEO Jack Clark says “get ready” for more to come. At a Semafor World Economy event in mid-April, he said Mythos wasn’t “special” as models go—there will be others available in the months to come, so the world needs to prepare.
Agencies and institutions are scrambling to quantify the risks and plan responses. For some, it’s a stark reminder that assessing cybersecurity readiness and oncoming risks is a continuous process that includes adaptation and renewal.
Federal Reserve Chairman Jerome Powell and Treasury Secretary Scott Bessent convened an urgent meeting in early April with top banks to warn of the potential risks of Mythos. Agencies such as the Commerce Department’s Center for AI Standards are actively reviewing the model. The Cybersecurity and Infrastructure Security Agency (CISA) does not yet have access, according to published reports.
The UK’s Artificial Intelligence Security Institute, meanwhile, found the model “could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously—tasks that would take human professionals days of work.”
Recognizing its dangerous potential in the wrong hands, Anthropic launched Project Glasswing, offering pre-launch access to select institutions, including money center banks such as J.P. Morgan, Citigroup, and Bank of America, for internal testing of Mythos. Some non-U.S.-based banks will soon have access as well.
An industry’s response
While all banks are generally cautious about adopting new technologies and taking them into production, the biggest institutions tend to be sophisticated first movers in, and testers of, cutting-edge tech.
“They have their own systems and resources to take on the issue,” a senior credit official at one Midwest-based community bank told ProSight. “Approaches community banks take to managing the threats [from Mythos and other models] will likely diverge,” and reflect smaller institutions’ greater dependence on vendor services.
In these early days of Mythos, some community bank leaders contacted by ProSight have said they will rely on industry groups and big banks to act as “canaries in the coal mine,” uncovering issues and surfacing approaches and best practices for managing the threat. Those executives described it as “a really big topic” already on the minds of leaders at regional and small banks.
For these smaller banks, understanding Mythos is just the beginning. As technology enters a new phase of rapid advancement, accounting for the “unknown unknowns” in technical risk assessment and management becomes an increasingly daunting task.
“This [Mythos] announcement is one that really needs to be treated as a call to action, because AI does present an enormous and growing cybersecurity risk,” said Lynne Johnston, Senior Director at consulting firm Huron. “It is important for financial institutions to treat it not just as a technology cybersecurity risk but treat it as a business risk and invest and focus on it at board level.”
Back to the fundamentals
Rather than defer to others to decipher the impacts of Mythos, banks of all sizes can use the announcement as a catalyst for reassessing their risk thresholds and cybersecurity readiness, Johnston said. That’s because an attack that has only a remote chance of success today may, with gains in speed and frequency, become a new and different type of assault on cyber defenses.
“For a bad actor, they have many more ways for conducting a cyber-attack, and the cost of conducting it is going down fast because of AI,” she said. “While banks may have had appropriate resources in place in the past for what they considered a low-probability breach, AI is increasing cybersecurity risk throughout the organization and requiring an appropriate response in resourcing.”
Re-examining current cybersecurity posture and spending is the starting point. Institutions can be too programmatic about their cybersecurity spending, setting a budget and increasing it marginally and incrementally year over year regardless of changes in the threat landscape, Johnston suggested. “Now is when you take a really hard look at your program, evaluate it, and be honest about areas where you may have under-invested.”
That means getting back to the fundamentals of any core cybersecurity program, including areas such as:
- Access Controls: These need to be as robust as the risk the institution is protecting against. Modern environments demand consistently strong, layered controls. Poor access controls are among the most common causes of breaches.
- Network Segmentation: This enforces least-privilege access to parts of the infrastructure, helps contain breaches, and reduces the potential attack surface. For a capability like Mythos that can chain attacks autonomously, preventing lateral movement within systems is critical.
- Automated Patching: Closing known vulnerabilities quickly, consistently, and at scale reduces the number of potential attack points. Automation reduces the scope for human error.
- Anomaly Detection: As the speed and scale of attacks increase, the ability to detect unusual system activity can alert defenders to potential threats early.
- Zero-Trust Architecture: Rather than relying on a protected perimeter, a zero-trust architecture assumes that actors both inside and outside the network may be compromised. It eliminates implicit trust by continuously verifying access privileges, limiting lateral movement within systems and the impact of potential breaches.
Success depends on elevating the cybersecurity conversation within the organization to the board level and reminding leadership that technology risk these days is business risk, plain and simple. “Institutions must ask themselves, ‘Are we ready?’” Johnston said. “For the institutions where the scope of risk seemed limited, that’s changing very quickly. Unless you do that risk assessment and you know that you’re investing the right level of resources in it, you won’t really know.”