Global regulatory authorities closely monitor Mythos as Germany strengthens bank IT security supervision.

Germany's banking regulatory authority warned on Tuesday that due to advancements in artificial intelligence (AI), cybersecurity risks are "continuously rising" and "very significant," and announced the establishment of a new department to conduct targeted inspections of financial institutions. Prior to the warning issued by Germany's banking regulatory authority on Tuesday, global regulatory bodies at the highest levels in many countries had expressed concerns about the cybersecurity risks posed to the banking industry by AI, particularly the cutting-edge AI model Mythos developed by Anthropic, and had intensified assessments of financial institutions' preparedness to address such risks. Some senior technology experts focused on the financial industry have suggested that this AI model may have the ability to be used for large-scale disruption of the stability of banking systems. Experts have pointed out that the powerful capabilities of Mythos in high-level Agent programming give it a potentially unprecedented ability to identify vulnerabilities in cybersecurity systems, prompting some of the most influential global policymakers, such as the Federal Reserve and Bank of England, along with financial system regulatory bodies, to closely scrutinize the development trajectory of Mythos. These regulatory bodies have already identified Mythos as a key new source of risk that could undermine the security of banking systems, payment clearing, and critical financial databases. Mark Branson, the chairman of the Federal Financial Supervisory Authority (BaFin) in Germany, stated: "These new AI models are able to identify a large number of vulnerabilities in both new and old IT systems at a staggering pace. They will also be able to exploit the vulnerabilities they discover at an increasingly rapid rate." Branson stated that the financial industry has the capability to strengthen cybersecurity measures and described it as a "pressing and necessary investment." He added that the newly established department will conduct targeted inspections of financial institutions and noted, "These 'IT-focused' inspections take far less time than comprehensive reviews. Therefore, we are able to carry out more of these inspections, thereby more effectively addressing current developments and events." Last month, the Australian Prudential Regulation Authority (APRA) stated that it will "continue to assess the impact of these advancements in AI technology to ensure the ongoing security and resilience of the financial system." A spokesperson for the Australian Securities and Investments Commission (ASIC) stated: "ASIC is closely monitoring these technological advancements along with peer regulatory bodies to assess their potential impact on the Australian financial markets." "ASIC maintains close communication with other financial regulators, government agencies, and financial industry executives to understand and respond to the evolving technological landscape." ASIC expects licensed financial services entities to "take the lead" in protecting their large clients and customers. The Financial Supervisory Service (FSS) in South Korea announced that it had held a meeting with information security officers of large domestic financial companies to review the risks associated with Mythos. It was reported that the Financial Services Commission (FSC) in South Korea had convened an emergency meeting with chief information security officers of banks and insurance companies to review the related risks. Cutting-edge AI models approaching the "security red line" of the banking industry The initial release of Mythos by Anthropic is not an ordinary AI chatbot, but a preview version of an advanced universal large model that has not been fully released. Its most prominent abilities focus on high-level code understanding, vulnerability discovery, and exploit generation. Anthropic has disclosed that Claude Mythos Preview is able to discover and exploit all types of "zero-day vulnerabilities" in mainstream operating systems and browsers in tests, and in some cases can autonomously generate complex exploit programs with minimal human intervention. "Zero-day vulnerabilities" refer to security flaws in software, hardware, or firmware that were previously unknown and therefore have no patch to fix them. Once discovered and immediately exploited, the defending party has almost no preparation time, making it the most dangerous aspect. The reason why global financial regulators, including the Federal Reserve, are nervous about Mythos is that its powerful capability to attack "zero-day vulnerabilities" means that IT risks to financial systems are no longer limited to individual institutions. If AI large models significantly lower the threshold for the discovery, weaponization, and widespread exploitation of "zero-day vulnerabilities," it could evolve into major issues such as account theft, payment disruptions, exposure of critical databases, and even the destruction of financial stability. Due to the widespread operation of complex legacy systems with a combination of new and old technologies in the banking industry, highly interconnected systems, and a broad attack surface, models like Mythos excel at identifying weaknesses in this complex code and protocol environment and deducing exploit paths. It is precisely because of this "destructive" powerful capability that Anthropic has not generally opened Mythos, but has first allowed some key infrastructure maintainers to use it for defensive security work through "Project Glasswing." Currently, multiple U.S. banks have been granted permission to use Mythos. The Federal Reserve, Bank of England, European Central Bank, and Australian financial regulatory bodies all view Mythos as a potentially significant new source of risk that could greatly enhance cyberattacks. Bank of England Governor Bailey even stated that such models could "unleash the entire world of network risks." The most pressing issue now is not just how individual banks or databases defend themselves, but whether global bank regulatory authorities, finance ministries, central banks, and operators of critical financial infrastructure can establish cross-border information sharing, unified threat assessments, model access management, and emergency coordination mechanisms.