Financial regulators across at least four continents have issued urgent warnings about cybersecurity threats posed by Anthropic’s Claude Mythos AI model, calling on banks and financial institutions to overhaul their defenses against a new generation of AI-driven attacks.
A Wave of Regulatory Alarm
Australia’s corporate regulator, the Australian Securities and Investments Commission, published an open letter on May 8 addressed to all financial licensees and market participants, warning that the misuse of frontier AI models like Mythos “could expose cyber security vulnerabilities at an unprecedented speed, scale, and sophistication”. ASIC Commissioner Simone Constant said “the clock is at a minute to midnight — if you aren’t on top of your cyber resilience already, the time to act and prepare is right now”. The letter directs regulated entities to table the warning at their board and risk governance committees and to patch systems promptly, given how rapidly AI is accelerating vulnerability discovery.
The same week, the International Monetary Fund published analysis warning that extreme AI-enabled cyber incidents “could trigger funding strains, raise solvency concerns, and disrupt broader markets”. The IMF said advanced AI models dramatically reduce the time and cost needed to identify and exploit weaknesses in widely used software, raising the likelihood of correlated failures across financial institutions that share the same digital infrastructure.
On Saturday, European Central Bank Governing Council member José Luis Escrivá, who also serves as Bank of Spain governor, said at an event in Tarragona that “recent developments in artificial intelligence force us to reassess the robustness of our financial infrastructure and our cybersecurity”. The U.S. Federal Reserve’s Spring 2026 Financial Stability Report, released on May 8, elevated artificial intelligence from fifth to third among most-cited risks to financial stability.
India and Australia Lead Defensive Efforts
India moved early. Finance Minister Nirmala Sitharaman and IT Minister Ashwini Vaishnaw convened a high-level meeting with heads of scheduled commercial banks on April 24 to assess threats linked to Mythos. Sitharaman described the threat as “unprecedented” and directed the Indian Banks’ Association to develop a coordinated institutional mechanism for rapid response, while instructing banks to engage specialized cybersecurity professionals and establish real-time threat intelligence sharing with CERT-In.
Australia’s banking regulator, the Australian Prudential Regulation Authority, had already warned in late April that the domestic financial sector’s information security practices were struggling to match the pace of AI change. APRA urged banks to seek rapid access to Mythos itself to understand the threat, while Germany’s Bundesbank chief supervisor Michael Theurer echoed that call for European banks.
The Mythos Threat
Anthropic announced Mythos Preview on April 7, 2026, and chose not to release the model publicly. In controlled evaluations, the UK’s AI Security Institute found Mythos could execute multi-stage cyberattacks autonomously, succeeding 73 percent of the time on expert-level tasks that no model could complete before April 2025. The model identified vulnerabilities in every major operating system and web browser, including flaws that had gone undetected for decades. Anthropic launched Project Glasswing, giving early access to companies including Google, Apple, Microsoft, and CrowdStrike to patch critical weaknesses before similar capabilities spread.
Federal Reserve Governor Michelle Bowman noted in a May 1 speech that “Anthropic’s Mythos highlights the dynamic nature of this technology and the rapid pace that its capability can evolve,” while stressing that the same tools could also enhance cybersecurity defenses.
