Anthropic's new AI model pushes banks to shore up cyber defenses

Anthropic PBC's Claude Mythos Preview model, which can rapidly uncover and exploit latent IT system flaws, is forcing banks to tighten up their cybersecurity defenses.

Anthropic said in early April that the new model has found "thousands of high-severity vulnerabilities, including some in every major operating system and web browser". Experts see banks as susceptible to Mythos-enabled exploits because many institutions still rely on fragmented and sometimes decades-old IT systems, whereas the new model can detect so-called zero-day vulnerabilities, which can be exploited on the day they are found.

For banks, Mythos should be a wake-up call to accelerate the modernization of their platforms and shift from static cybersecurity models to dynamic monitoring, automated response mechanisms and technology infrastructure capable of adapting to changes at speed, said Radi El Haj, CEO of RS2, a provider of payment processing infrastructure and technology services.

"The most important thing is the reaction time. You will always have hackers attack, but [it matters] how quickly you will be able to react," El Haj said in an interview.

Mythos has revealed that "existing approaches to coordinated vulnerability disclosure and patch deployment are in question and can potentially become structurally inadequate," a spokesperson for the European Union Agency for Cybersecurity (ENISA) told S&P Global Market Intelligence.

Institutions need to run a gap analysis of their existing platforms to identify potential weaknesses in light of the new model, El Haj said. Information exchange and cooperation with peers, companies in other sectors and authorities will also be critical to "stay ahead of the curve" as AI-linked cyber threats increase, El Haj said.

Banks vigilant

Regulators in the US, the UK and the EU have held discussions with bank bosses to assess the model's capabilities and possible cybersecurity enhancements. Still, access to Mythos remains limited as Anthropic initially released the model to 40 select companies part of the Glasswing project, with JPMorgan Chase & Co. being the only bank included.

Executives at Morgan Stanley, Goldman Sachs Group Inc. and Bank of New York Mellon Corp. confirmed on their latest earnings calls that they have since gained access to the model too. As of May 8, eurozone banks still did not have access, a source with knowledge of the matter told Market Intelligence. A Bank of England spokesperson declined to comment on whether any UK banks have access to the model.

ING Groep NV is "closely monitoring market developments in AI-enabled offensive and defensive cyber capabilities" and is engaging with select vendors within the Glasswing consortium of companies with access to the model "to implement immediate compensating controls," a spokesperson told Market Intelligence.

The Netherlands' largest bank is also reviewing its "security posture across third-party and software supply chain dependencies" and its "vulnerability management lifecycle to further compress the time between discovery and remediation," the spokesperson said.

UBS Group AG is in a similar position, staying in close contact with technology partners involved in testing the model, and the bank will be "able to implement all the necessary steps to protect our assets," CEO Sergio Ermotti said during an April 29 earnings call. This will remain a major issue that requires "a lot of investments and resources," both in terms of technology and people, he said.

"Cyberrisk is as important as credit and market risk nowadays," Ermotti noted.

The Association of German Banks (BdB) is in "continuous dialogue" with the cybersecurity experts of its member banks, the Federal Ministry of Finance, the financial supervisory authority BaFin, the German central bank, as well as European and international institutions regarding Mythos, a BdB spokesperson told Market Intelligence.

"Banks already operate at a high level of cyber security preparedness and are continuously working to strengthen their defenses further," the BdB spokesperson said.

A spokesperson for Germany's largest lender, Deutsche Bank AG, declined to comment on "individual suppliers or specific AI models" but told Market Intelligence the group follows developments in the AI market and regularly assesses emerging technology.

Among major European banks, Market Intelligence contacted regarding Mythos, Standard Chartered PLC and UBS declined to comment, while Barclays PLC, Banco Santander SA, BNP Paribas SA, HSBC Holdings PLC, Lloyds Banking Group PLC, NatWest Group PLC, Société Générale SA and Santander UK PLC did not respond to requests for comment.

'Entirely predictable'

The developments around Mythos are an "entirely predictable evolution of the technology," BNY Mellon CEO Robin Vince said during an April 16 earnings call.

This is not the first time people have thought about the way generative AI tools can make it easier to expose cyber vulnerabilities and also be deployed by bad actors, JP Morgan CFO Jeremy Barnum said during an April 14 earnings call.

"Obviously, now you've got an even higher level of attention as a result of the apparently much greater capabilities of the latest models, but that is still happening on a continuum that we've been engaged with for really quite a long time," Barnum said.

The model "may be a new tool for the attackers, but it's also a new tool for the defenders. So I'm sure that everybody will accelerate the use of this new technology [for] defense," Jacobo Diaz Garcia, CFO of Spain's Bankinter SA, said during an April 23 earnings call.

Anthropic said April 7 it will report publicly within 90 days on the findings from the Glasswing consortium. "We will also collaborate with leading security organizations to produce a set of practical recommendations for how security practices should evolve in the AI era," the firm said.

The pace of change is a "real threat" as more powerful models will follow Mythos, said Phil Cotter, CEO of UK anti-money laundering software provider SmartSearch.

Given the "very difficult geopolitical environment," there is heightened risk of cyberattacks on critical infrastructure, Cotter said in an interview. The capabilities that Mythos and other AI models will bring to bear mean these risks are likely to remain high for a long time, Cotter said.