European Central Bank summons lenders over AI security threat to banking infrastructure
Financial chiefs rush to address the risk of automated exploits and accelerated cyber attacks following the release of Anthropic’s Mythos.
The launch of Anthropic's Mythos was a grim portent of a world in which vulnerabilities are discovered and exploited in minutes - without the need for human intervention.
Now the European Central Bank has called an urgent summit to address the growing risks Mythos-style AI models pose to financial systems and critical infrastructure.
After releasing Mythos Preview to selected partners last month, Anthropic claimed the AI had found "thousands of high-severity vulnerabilities," including bugs in "every major operating system and web browser". Anthropic said its new model could "reshape cybersecurity".
Anthropic has hinted at plans for a limited public release in the future, which means the world needs to prepare for automated attacks and exploits (although there is always a chance that the model's capabilities have been overstated by doomfishing marketing departments).
So, even though Mythos is not yet available in the heavily regulated European market, the ECB has decided to get ahead of the threat.
Frank Elderson, vice-chair of the ECB supervisory board that oversees banks, told the FT that banks needed to go "faster" to address the risk, warning that "the clock is ticking".
"It seems if one of the big software providers comes with a patch it is possible to reverse-engineer the vulnerability that the patch is supposed to patch, not in weeks but maybe in 30 minutes," he said.
"That means that once the patch is out, a bank needs to have processes in place to actually make sure that it applies these patches much faster than what is now seen as market practice."
He added: "The fact that you don’t have access to this model is not an excuse for inaction. Malicious actors might have access to this technology soon."
Cascading failures
The fear for banks is not simply that AI will help criminals write better phishing emails or generate malware faster. It is that frontier models will cross a threshold at which they can systematically identify hidden weaknesses within the software foundations of modern finance itself.
Financial institutions now sit atop tightly interconnected layers of shared infrastructure: cloud providers, operating systems, browsers, authentication systems, third-party software libraries and outsourced IT platforms. A flaw discovered once can potentially be reused across dozens or hundreds of institutions simultaneously.
The ECB itself has previously warned that European banks face growing operational dependence on a small number of foreign AI and cloud providers, creating dangerous "systemic dependencies".
That creates the conditions for what regulators increasingly describe as correlated cyber risk: the possibility that a single exploit chain could ripple across multiple banks, payment systems or market utilities at once.
The Financial Stability Board, an international body, has already warned that AI could amplify systemic vulnerabilities through cyber risk, concentration risk and dependency on common third-party providers.
Meanwhile, the Bank of England, the FCA and HM Treasury said that frontier AI models had already demonstrated cyber capabilities "exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost".
In a joint statement, the financial organisations warned: "These capabilities, if used maliciously, amplify cyber threats to firms’ safety and soundness, customers, market integrity, and financial stability.
"As more advanced models become available, these risks are expected to increase. Firms that have underinvested in core cybersecurity fundamentals are likely to become progressively more exposed."
Europe exposed
One of the most alarming aspects of the Mythos situation is that many European banks lack access to the same frontier models now used to identify advanced vulnerabilities.
This creates an asymmetric security environment in which institutions may be exposed to AI-discovered attack paths without possessing the tools needed to understand or simulate those threats themselves.
In effect, banks may be defending twenty-first-century infrastructure with twentieth-century visibility.
A sophisticated exploit targeting one widely used dependency could spread across institutions with extreme speed, particularly if attackers automate reconnaissance and exploitation using AI systems.
That is the nightmare scenario regulators are trying to prevent: cascading technological failure moving through the nervous system of global finance.
With the stakes so high, AI firms have been urged to act responsibly.
Jamie Moles, Senior Technical Manager at ExtraHop, told Machine: "Anthropic, and any company developing powerful AI models for mass deployment, must deploy these innovations responsibly to ensure its technology does not compromise the stability of systems the public relies on every day.
"Close collaboration with financial regulators must be a priority in order to align its advancements with the stringent safety standards necessary to protect global financial security."