Global financial regulators scramble to assess cybersecurity risks from Anthropic's Mythos AI model

New Capabilities
By Newzino Staff |

Central banks in the US, UK, and Canada convene emergency meetings with financial institutions after Anthropic reveals an AI model capable of finding thousands of previously unknown software vulnerabilities

Today: Bank of England schedules Mythos discussions with UK banks

Overview

An AI model that can find software flaws no human has caught in nearly three decades has triggered a coordinated response from central banks across the Western world. Anthropic's Claude Mythos Preview, which the company says discovered thousands of previously unknown vulnerabilities in every major operating system and web browser, prompted the US Treasury and Federal Reserve to summon Wall Street chief executives to Washington on April 8. By April 11, the Bank of England, the Bank of Canada, and their respective financial regulators had convened or scheduled their own emergency sessions with banks.

Why it matters

If AI can find software vulnerabilities faster than banks can fix them, every digital financial transaction becomes less secure overnight.

Key Indicators

Thousands: Zero-day vulnerabilities discovered. Mythos Preview identified thousands of previously unknown critical flaws across major operating systems, browsers, and other software.

27 years: Oldest vulnerability found. A vulnerability in OpenBSD, an operating system known for its security, that went undetected for nearly three decades.

$100M: Anthropic's Project Glasswing commitment. Usage credits committed to partner organizations for defensive vulnerability scanning.

12: Project Glasswing launch partners. Including Amazon Web Services, Apple, Google, Microsoft, JPMorgan Chase, and CrowdStrike.

3: Central banks that convened discussions. The Federal Reserve, Bank of England, and Bank of Canada all held or scheduled emergency meetings with financial institutions within days of each other.

Timeline

  1. Bank of England schedules Mythos discussions with UK banks

    Regulatory

    The Bank of England announces that Mythos will be on the agenda for upcoming Cross-Market Operational Resilience Group (CMORG) and CMORG AI Working Group meetings, to include the Treasury, the Financial Conduct Authority, and the National Cyber Security Centre.

  2. Bank of Canada convenes financial sector meeting

    Regulatory

    The Bank of Canada and the Canadian Financial Sector Resilience Group—including the country's six largest banks, the Office of the Superintendent of Financial Institutions (OSFI), and the federal Ministry of Finance—meet to discuss Mythos cybersecurity risks.

  3. Bessent and Powell summon Wall Street chief executives

    Regulatory

    Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convene an emergency meeting at Treasury headquarters with the chief executives of Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, and Wells Fargo. JPMorgan's Jamie Dimon was the only major banking chief executive unable to attend.

  4. Appeals court upholds Pentagon designation on narrow grounds

    Legal

    A federal appeals court denies Anthropic's request to fully block the Pentagon's supply-chain risk designation, creating a split outcome: Anthropic is excluded from Defense Department contracts but can continue working with other government agencies.

  5. Anthropic launches Mythos Preview and Project Glasswing

    Release

    Anthropic publicly reveals Mythos Preview's capabilities—thousands of zero-day vulnerabilities found across every major operating system and browser—and announces Project Glasswing, restricting access to 12 partner organizations for defensive security work. The company commits $100 million in usage credits.

  6. Data leak reveals Mythos model

    Disclosure

    Fortune reports that a misconfigured content management system exposed nearly 3,000 unpublished assets from Anthropic's blog, including descriptions of an unreleased model called Claude Mythos that Anthropic calls a "step change" in capabilities with "meaningful advances in reasoning, coding, and cybersecurity."

  7. Judge blocks Pentagon's supply-chain designation

    Legal

    A federal judge in California grants a preliminary injunction, calling the Pentagon's designation of Anthropic "classic illegal First Amendment retaliation."

  8. Anthropic sues the Pentagon

    Legal

    Anthropic files two federal lawsuits challenging the Pentagon's supply-chain risk designation as unconstitutional retaliation for the company's public disagreements with the Defense Department.

  9. Pentagon designates Anthropic a supply-chain risk

    Legal

    Defense Secretary Pete Hegseth designates Anthropic a "supply-chain risk to national security" after the company refuses to allow Claude for autonomous weapons or mass domestic surveillance. It is the first time the designation has been applied to an American company.

Scenarios

  1. Regulators mandate AI vulnerability scanning for critical financial software

Discussed by: Financial Times, American Banker, cybersecurity analysts at Arctic Wolf and Picus Security

Central banks and financial regulators incorporate AI-powered vulnerability scanning into existing operational resilience requirements, effectively making tools like Mythos a compliance necessity. The Bank of England's operational resilience framework (already requiring full compliance by March 2025) and the Federal Reserve's model risk management guidance get updated to address AI-discovered vulnerabilities. Financial institutions that rely on legacy software face pressure to accelerate patching cycles or risk supervisory action.

  2. Copycat models emerge, outpacing defensive efforts

Discussed by: Fortune, Axios, Platformer, cybersecurity researchers

Other AI labs develop models with comparable vulnerability-discovery capabilities, but without Anthropic's restricted-access approach. Open-weight models or less cautious competitors make similar tools broadly available, giving attackers the same advantage Mythos demonstrated. The defensive window that Project Glasswing was designed to create closes before critical software is patched, triggering a wave of exploitation against financial infrastructure.

  3. Project Glasswing patches critical infrastructure before widespread exploitation

Discussed by: Anthropic, CrowdStrike, Linux Foundation, Futurum Group analysis

The 12 Glasswing partners and 40-plus additional organizations successfully identify and remediate the most critical vulnerabilities before adversaries can exploit them at scale. The coordinated disclosure and patching effort becomes a template for how AI capabilities can be channeled into defensive security, and the regulatory emergency meetings transition into standing working groups that institutionalize AI-assisted cyber defense.

  4. International coordination fragments over AI model access and control

Discussed by: Defense One, Bloomberg, Globe and Mail analysis of divergent regulatory responses

The US, UK, Canadian, and EU regulatory responses diverge as governments disagree on whether to restrict AI model capabilities, mandate access for national security purposes, or let market-driven initiatives like Glasswing lead. The Anthropic-Pentagon dispute complicates US policy, while the EU pushes for AI Act enforcement that could restrict Mythos-class models entirely. Financial institutions operating across borders face conflicting compliance requirements.

Historical Context

Y2K Financial Sector Preparations (1997-2000)

1997-2000

What Happened

Regulators discovered that a date-formatting limitation embedded across decades of financial software could cause widespread system failures on January 1, 2000. The Federal Financial Institutions Examination Council required banks to submit remediation plans, the Bank of England created a dedicated task force, and the Basel Committee established the Joint Year 2000 Council to coordinate the global financial sector response.

Outcome

Short Term

An estimated $300-600 billion was spent globally on remediation. The transition to 2000 passed without major financial system disruption.

Long Term

Established the template for coordinated multi-regulator, multi-country responses to technology risks in the financial system. Led to the creation of standing operational resilience frameworks that regulators are now activating for Mythos.

Why It's Relevant Today

Y2K was the last time regulators simultaneously discovered that the entire financial system ran on software containing deeply embedded, decades-old flaws. The Mythos situation is structurally similar—except the flaws are security vulnerabilities rather than date bugs, and they can be actively exploited by adversaries.

SolarWinds Supply-Chain Compromise (2020)

December 2020 - March 2021

What Happened

Attackers compromised the software update mechanism of SolarWinds' Orion network management platform, distributing malicious code to approximately 18,000 organizations including the US Treasury, the Office of the Comptroller of the Currency, and numerous financial institutions. The breach went undetected for months.

Outcome

Short Term

The Cyber Unified Coordination Group was established across FBI, CISA, ODNI, and NSA. Congressional hearings followed. Financial regulators issued heightened monitoring advisories.

Long Term

Drove Executive Order 14028 on cybersecurity (May 2021), which mandated software supply-chain security improvements for federal contractors and established new incident reporting requirements.

Why It's Relevant Today

SolarWinds demonstrated that a single point of compromise in widely used software could threaten the entire financial system. Mythos raises the same systemic concern but at far greater scale—it found vulnerabilities not in one product but across every major operating system and browser.

Dual-Use Export Controls on Surveillance Technology (2013-2017)

2013-2017

What Happened

After revelations that companies like Hacking Team and FinFisher sold exploit tools and surveillance software to authoritarian governments, the 41-nation Wassenaar Arrangement added "intrusion software" to its dual-use export control list in December 2013. The US Commerce Department proposed implementing rules in 2015 that cybersecurity researchers warned would criminalize legitimate defensive security work.

Outcome

Short Term

The initial US implementation was withdrawn after receiving over 300 negative public comments, largely from security researchers arguing it would hamper vulnerability research.

Long Term

Revised rules adopted in 2017 narrowed the scope, but the episode demonstrated the difficulty of regulating dual-use cyber capabilities without undermining defensive security.

Why It's Relevant Today

Mythos embodies the same dual-use tension: the model that can find vulnerabilities for defenders can also find them for attackers. Regulators face the same challenge of restricting offensive use without crippling the defensive applications that Project Glasswing represents.
