The ECB gathers banks to discuss AI cybersecurity threats stemming from Mythos.

      **TL;DR** The European Central Bank (ECB) is meeting with banks on Tuesday to discuss cybersecurity risks posed by AI models such as Anthropic's Mythos, which has uncovered thousands of zero-day vulnerabilities. ECB Executive Board member Frank Elderson emphasizes the need for banks to implement patches more quickly, as AI can exploit vulnerabilities shortly after a fix is released.

      The ECB is bringing banks together for a session on Tuesday to tackle cybersecurity threats stemming from advanced AI models that can detect and take advantage of software flaws more rapidly than human teams. This meeting comes in light of rising concerns within European financial institutions regarding Anthropic's Claude Mythos Preview, a leading AI model that has identified numerous zero-day vulnerabilities in key operating systems and web browsers.

      Elderson stated to the Financial Times that banks must expedite their efforts, which have been ongoing for years. "We've been addressing a broad set of cybersecurity issues with banks for years, all of which are still relevant; however, due to advancements in AI, they must be resolved more swiftly," he remarked.

      The ECB intends to alert banks about the specific dangers posed by Mythos and comparable AI technologies. Additionally, it will encourage US banks with access to this technology via Anthropic’s Project Glasswing to share their insights with European counterparts who currently lack access.

      This gap in access poses a significant problem. So far, access to Mythos has been granted to only about 40 to 50 organizations, such as Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase, with no European banks included. In controlled trials, the model generated successful exploits on its first attempt over 83% of the time, often surpassing human cybersecurity experts. Anthropic has cautioned that adversaries could potentially replicate these capabilities within six to twelve months.

      Elderson's directive to banks is clear: they must patch vulnerabilities more quickly. AI models are now capable of reverse-engineering software fixes within minutes of their release, significantly shrinking the time frame between identifying a vulnerability and exploiting it. Banks and their IT contractors can no longer afford to delay updates even for minor vulnerabilities. Elderson stressed that European banks should not use their lack of access to Mythos as an excuse for inaction since malicious actors could soon acquire similar technology.

      The ECB's intervention comes amid a broader regulatory effort across Europe. Euro-area finance ministers have called for access to Mythos, and on May 4, European Commissioner Valdis Dombrovskis confirmed that the EU is in discussions with Anthropic to test companies and banks for the vulnerabilities identified by the model. However, progress in these negotiations has been slow, and mid-May reports from Spanish officials indicated that discussions had effectively stalled.

      This deadlock has allowed competitors to emerge. French AI startup Mistral AI is in talks with European banks about deploying its cybersecurity model, which aims to uncover vulnerabilities in a similar way to Mythos. CEO Arthur Mensch framed this effort as a matter of technological sovereignty, building on existing clients like HSBC and BNP Paribas. The model is still in development and lacks a confirmed release date.

      Rather than releasing Mythos to the public, Anthropic opted for Project Glasswing, an industry consortium where partner organizations utilize the model to identify and correct flaws within their systems. Glasswing partners can now disseminate their findings outside the program, potentially addressing the information gap that concerns European regulators.

      The implications are serious. At the request of Andrew Bailey, governor of the Bank of England, who chairs the Financial Stability Board, Anthropic updated the Board on Mythos's findings. Additionally, the Federal Reserve and the US Treasury separately gathered bank CEOs to discuss cyber risks. Data from Palo Alto Networks indicates that advanced AI models are discovering vulnerabilities at a rate seven times higher than usual, with the company warning that the industry has only three to five months of defensive buffer remaining.

      The ECB's Tuesday meeting will urge banks to comply with the Digital Operational Resilience Act (DORA), the EU's cybersecurity regulation for financial services. DORA mandates that banks manage IT risks, test their resilience, and report incidents. The critical question remains whether the regulatory framework can keep pace with AI models that are uncovering decades-old vulnerabilities faster than the organizations responsible for remediation.

      For European banks, the situation is precarious. The most effective tool for identifying flaws in their systems exists, but they are barred from using it, while regulators insist they resolve the vulnerabilities it uncovers. Political pressure to address the access issue is increasing; however, until then, European lenders are tasked with defending against threats they cannot fully understand.
