{"id":7978,"date":"2026-04-30T23:36:42","date_gmt":"2026-04-30T23:36:42","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7978"},"modified":"2026-04-30T23:36:42","modified_gmt":"2026-04-30T23:36:42","slug":"bank-regulator-sounds-warning-over-cybersecurity-threat-posed-by-ai-models","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7978","title":{"rendered":"Bank regulator sounds warning over cybersecurity threat posed by AI models"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Frontier AI models inspired by Anthropic\u2019s Claude Mythos could arm attackers with advanced capabilities that the banking sector is ill equipped to cope with, Australia\u2019s financial regulator, the Australian Prudential Regulation Authority (APRA), has warned.<\/p>\n<p>In a <a href=\"https:\/\/www.apra.gov.au\/apra-letter-to-industry-on-artificial-intelligence-ai\" target=\"_blank\" rel=\"noopener\">letter<\/a> addressed to the country\u2019s financial sector this week, the body lays out how the arrival of Claude Mythos has upended decades-long assumptions about the cybersecurity risk associated with regulated financial services.<\/p>\n<p>APRA raises multiple concerns. 
The biggest is simply that the industry has been caught in the headlights of an unknown risk factor brought about by a model, Claude Mythos, that they have still not been able to examine for themselves.<\/p>\n<p>As the technology spreads, threat actors will use similar models to uncover flaws more quickly and easily, potentially overwhelming the speed with which these can be addressed by today\u2019s patching and remediation programs.<\/p>\n<h2 class=\"wp-block-heading\">Governance not keeping up<\/h2>\n<p>Before drawing its conclusions, APRA had engaged with the industry, finding that governance was failing to keep up with the change in risk that AI is signaling. During that research, the letter said, \u201cAPRA observed a tendency to treat AI risk as \u2018just another technology\u2019. This misses key differences such as the distinct characteristics of predictive systems, adaptive behaviour in models, ethical considerations such as inherent bias, and privacy and data risks.\u201d<\/p>\n<p>The body identifies several areas for improvement. The biggest is the urgent need to more rapidly identify and remediate vulnerabilities, something that would require a major overhaul of current processes. Organizations also needed \u201crobust security testing across AI\u2011generated code, software components, and libraries,\u201d coupled with deeper assessment of major AI platforms and services.<\/p>\n<p>\u201cAI can shorten the attack cycle and increase speed, coordination and impact. 
At the same time, entities are using AI to improve threat hunting and vulnerability identification, with the challenge being remediating at the speed with which vulnerabilities are identified,\u201d APRA said.<\/p>\n<h2 class=\"wp-block-heading\">Accessing Mythos<\/h2>\n<p>It\u2019s barely three weeks since Anthropic made <a href=\"https:\/\/www.csoonline.com\/article\/4155342\/what-anthropic-glasswing-reveals-about-the-future-of-vulnerability-discovery.html\" target=\"_blank\" rel=\"noopener\">Claude Mythos public on April 7<\/a> and it\u2019s hard to recall a development that\u2019s caused as much cybersecurity alarm in such a short space of time.<\/p>\n<p>Earlier this week, <a href=\"https:\/\/www.bundesbank.de\/en\/bundesbank\/organisation\/executive-board\/michael-theurer-667272\" target=\"_blank\" rel=\"noopener\">Michael Theurer<\/a>, the chief supervisor of Bundesbank, Germany\u2019s financial regulator, echoed APRA\u2019s concern, <a href=\"https:\/\/www.reuters.com\/legal\/litigation\/eu-should-seek-access-anthropics-mythos-bundesbank-says-2026-04-29\/\" target=\"_blank\" rel=\"noopener\">telling Reuters<\/a> that European banks need access to Claude Mythos to defend themselves against the sort of cyberattacks this type of model could make possible.<\/p>\n<p>\u201cI consider it necessary that the European Commission and governments in Europe now also approach the company, or rather the United States, to request that the technology be shared. There has to be an official request so that we in Europe can also benefit from the insights,\u201d Theurer said.<\/p>\n<p>Anthropic has reportedly privately indicated that it will soon give banks outside the US <a href=\"https:\/\/www.reuters.com\/business\/finance\/anthropic-plans-provide-mythos-access-european-banks-soon-sources-say-2026-04-21\/\" target=\"_blank\" rel=\"noopener\">access to Claude Mythos<\/a>. 
However, the reference to the US in Theurer\u2019s remarks alludes to the possibility that the timing of this access might be affected by the political relationship between the EU and the Trump administration.<\/p>\n<p>Given the interdependence of global banks, it seems unlikely that the US administration would delay wider access to Claude Mythos, even as it negotiates to resolve its recent public spat with Anthropic over the company\u2019s designation as a <a href=\"https:\/\/www.csoonline.com\/article\/4147298\/anthropic-ban-heralds-new-era-of-supply-chain-risk-with-no-clear-playbook.html\" target=\"_blank\" rel=\"noopener\">supply chain risk<\/a>. However, given recent <a href=\"https:\/\/www.csoonline.com\/article\/4158560\/european-authorities-without-access-to-anthropics-ai-for-hacking.html\" target=\"_blank\" rel=\"noopener\">complaints<\/a> that only US tech companies have so far been given access via the Claude Mythos industry program, Project Glasswing, it\u2019s clear there is some unease.<\/p>\n<h2 class=\"wp-block-heading\">Targeting will \u2018skyrocket\u2019<\/h2>\n<p>The underlying worry, of course, is institutional interconnectedness; an attack on one financial organization could easily turn into a wider systemic problem if the flaw is severe enough.<\/p>\n<p>According to <a href=\"https:\/\/www.cobalt.io\/blog\/author\/joe-brinkley\" target=\"_blank\" rel=\"noopener\">Joe Brinkley<\/a> of penetration testing firm Cobalt, \u201cthe barrier to entry for state-level cyber capabilities has now been lowered to the cost of an API key.\u201d And given that banks currently take weeks to fix high-severity vulnerabilities, this underscores the need for change, he pointed out.<\/p>\n<p>\u201cOrganizations that continue to treat offensive security as a periodic check-box exercise rather than a continuous, AI-integrated function are effectively waiting for the inevitable,\u201d Brinkley said. 
\u201cIf the banking sector doesn\u2019t automate its defense to match the speed of the attack, the targeting of financial services will skyrocket as the easy wins become fully automated.\u201d<\/p>\n<p>Additionally, according to <a href=\"https:\/\/www.linkedin.com\/in\/steve-tait-588a804\/?originalSubdomain=uk\" target=\"_blank\" rel=\"noopener\">Steve Tait<\/a>, CTO at cloud security company Skyhigh Security, AI models such as Claude Mythos represent an opportunity as well as a threat. <\/p>\n<p>\u201cCybersecurity has always been an arms race, and pairing security expertise with advanced AI solutions will help teams fight AI with AI,\u201d he said. \u201cIf both attacker and defender have access to the same models, then the playing field will be the same as it is today: broadly equal but moving at a thousand miles an hour.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Frontier AI models inspired by Anthropic\u2019s Claude Mythos could arm attackers with advanced capabilities that the banking sector is ill equipped to cope with, Australia\u2019s financial regulator, the Australian Prudential Regulation Authority (APRA), has warned. 
In a letter addressed to the country\u2019s financial sector this week, the body lays out how the arrival of Claude [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7979,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7978"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7978"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7978\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7979"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}