Frontier AI models such as Anthropic’s Claude Mythos could arm attackers with advanced capabilities that the banking sector is ill-equipped to cope with, Australia’s financial regulator, the Australian Prudential Regulation Authority (APRA), has warned.
In a letter addressed to the country’s financial sector this week, the body lays out how the arrival of Claude Mythos has upended decades-long assumptions about the cybersecurity risk associated with regulated financial services.
APRA raises multiple concerns. The biggest is simply that the industry has been caught unprepared by a risk factor it cannot yet size: a model, Claude Mythos, that most institutions have still not been able to examine for themselves.
As the technology spreads, threat actors will use similar models to uncover flaws more quickly and easily, potentially overwhelming the speed with which these can be addressed by today’s patching and remediation programs.
Governance not keeping up
Before drawing its conclusions, APRA had engaged with the industry, finding that governance was failing to keep up with the change in risk that AI is signaling. During that research, the letter said, “APRA observed a tendency to treat AI risk as ‘just another technology’. This misses key differences such as the distinct characteristics of predictive systems, adaptive behaviour in models, ethical considerations such as inherent bias, and privacy and data risks.”
The body identifies several areas for improvement. The biggest is the urgent need to identify and remediate vulnerabilities more rapidly, something that would require a major overhaul of current processes. Organizations also need “robust security testing across AI-generated code, software components, and libraries,” coupled with deeper assessment of major AI platforms and services.
“AI can shorten the attack cycle and increase speed, coordination and impact. At the same time, entities are using AI to improve threat hunting and vulnerability identification, with the challenge being remediating at the speed with which vulnerabilities are identified,” APRA said.
Accessing Mythos
It’s barely three weeks since Anthropic made Claude Mythos public on April 7 and it’s hard to recall a development that’s caused as much cybersecurity alarm in such a short space of time.
Earlier this week, Michael Theurer, the chief supervisor at the Bundesbank, Germany’s central bank, echoed APRA’s concern, telling Reuters that European banks need access to Claude Mythos to defend themselves against the sort of cyberattacks this type of model could make possible.
“I consider it necessary that the European Commission and governments in Europe now also approach the company, or rather the United States, to request that the technology be shared. There has to be an official request so that we in Europe can also benefit from the insights,” Theurer said.
Anthropic has reportedly privately indicated that it will soon give banks outside the US access to Claude Mythos. However, the reference to the US in Theurer’s remarks alludes to the possibility that the timing of this access might be affected by the political relationship between the EU and the Trump administration.
Given the interdependence of global banks, it seems unlikely that the US administration would delay wider access to Claude Mythos, even as it negotiates to resolve its recent public spat with Anthropic over the company’s designation as a supply chain risk. However, given recent complaints that only US tech companies have so far been given access via the Claude Mythos industry program, Project Glasswing, it’s clear there is some unease.
Targeting will ‘skyrocket’
The underlying worry, of course, is institutional interconnectedness; an attack on one financial organization could easily turn into a wider systemic problem if the flaw is severe enough.
According to Joe Brinkley of penetration testing firm Cobalt, “the barrier to entry for state-level cyber capabilities has now been lowered to the cost of an API key.” And given that banks currently take weeks to fix high-severity vulnerabilities, this underscores the need for change, he pointed out.
“Organizations that continue to treat offensive security as a periodic check-box exercise rather than a continuous, AI-integrated function are effectively waiting for the inevitable,” Brinkley said. “If the banking sector doesn’t automate its defense to match the speed of the attack, the targeting of financial services will skyrocket as the easy wins become fully automated.”
Additionally, according to Steve Tait, CTO at cloud security company Skyhigh Security, AI models such as Claude Mythos represent an opportunity as well as a threat.
“Cybersecurity has always been an arms race, and pairing security expertise with advanced AI solutions will help teams fight AI with AI,” he said. “If both attacker and defender have access to the same models, then the playing field will be the same as it is today: broadly equal but moving at a thousand miles an hour.”