Canada's banking regulator issued a warning to banks regarding Claude Mythos.

Canada's banking regulator issued a warning to banks regarding Claude Mythos.

      An email from April sent to bank technology leaders, released under access-to-information laws, reveals that OSFI identified Anthropic’s frontier model as a reason why the opportunity to address vulnerabilities is diminishing. Regulators typically refrain from naming specific products, opting instead to discuss "emerging technologies" and "advanced capabilities," leaving interpretations to the reader. Thus, it is notable that when Canada’s banking regulator communicated with the nation’s largest banks in April, it specifically mentioned one: Anthropic’s Claude Mythos.

      This email, dispatched on April 29 by the Office of the Superintendent of Financial Institutions to chief technology officers, chief information security officers, and chief risk officers across Canada’s banks and insurance companies, was obtained by Reuters through an access-to-information request. "Advanced artificial intelligence models, such as Anthropic Claude Mythos, greatly shorten the timeframe for effective risk mitigation," OSFI stated. The bulletin outlined "sound practices that institutions can adopt to improve the speed and efficiency of risk identification, mitigation, and response."

      Certain portions of the email were redacted under the Access to Information Act, leaving some of OSFI's recommendations unspecified. However, the assessment is clear. The conventional patching cycle assumes that defenders have days or weeks to address a vulnerability before it is exploited. Mythos, described by cybersecurity experts as exceptionally skilled in identifying and exploiting software vulnerabilities, disrupts this assumption, especially since banks often operate some of the oldest software in any industry.

      The timing is notable. In early April, Canadian bank executives met with regulators to discuss Mythos, shortly after US Treasury Secretary Scott Bessent and former Federal Reserve Chair Jerome Powell convened bank leaders to discuss the same model. Three weeks later, OSFI sent its email. This pattern has since been mirrored at the European Central Bank, the Bank of England, and in Australia, where ASIC confirmed it is monitoring the model as well.

      After Reuters posed questions to OSFI last week, the regulator issued a public bulletin on generative and agentic AI. The sequence of events is not subtle. OSFI maintains that it does not regulate models, stating, "Our focus is not on the technology itself, but rather on how federally regulated financial institutions govern and manage the risks associated with its use.” This is the standard technology-neutral stance, expressed in a document that references a specific technology from a specific company twice.

      OSFI's oversight extends to the six largest banks, pension funds, and insurers, and it is responsible for identifying risks from geopolitics, foreign interference, and new technology. It is unusual for all three categories to simultaneously address the same issue. Access to Mythos is limited; Eurozone banks seem to be excluded, with the model being distributed via Anthropic's controlled-access program, Project Glasswing. The Canadian government has indicated it has access.

      It remains unclear whether any Canadian bank does, as none of those asked provided a response. Several directed queries to the Canadian Bankers Association, which stated its members have invested significantly in safeguarding the financial system and comply with OSFI’s cyber risk management and incident reporting requirements, a statement that answers a different question.

      Canada’s major banks are not remaining passive. Royal Bank of Canada, TD Bank, and BMO have announced plans to capitalize on AI, transitioning from pilot projects to chatbots and internal tools while decreasing reliance on third-party vendors. Scotiabank, CIBC, and National Bank have also disclosed their own initiatives.

      Bruce Ross, RBC’s group head of AI, remarked in June that Mythos signifies a transformation in the attack landscape since exploits can now occur immediately after vulnerabilities are discovered. "Our approach is to develop our own AI defenses," he noted. "We will continue to do that.” Essentially, the defense consists of more of the very element causing the problem.

      The broader concern in Ottawa centers not on patches but on potential reliance on a limited number of frontier models. Prime Minister Mark Carney has likened the over-reliance on a few frontier models to the concentration risk that preceded the 2008 crisis, a significant assertion for a prime minister to make regarding a chatbot company. OSFI’s email indicates that regulators have ceased to view it merely as a metaphor.

Other articles

The Pentagon has halted the cyber audit regulation that was driving small suppliers away. The Pentagon has halted the cyber audit regulation that was driving small suppliers away. The Pentagon has halted CMMC Phase 2 cybersecurity audits, pointing to high costs and a lack of assessors as reasons that are pushing small contractors away. The forthcoming AI energy commitment from the White House focuses on utilities. The forthcoming AI energy commitment from the White House focuses on utilities. The White House intends to request utilities, data centre operators, and governors to commit to ensuring that the demand for AI power does not increase residential electricity costs. Canada’s banking regulator issued a warning to banks, identifying Claude Mythos. Canada’s banking regulator issued a warning to banks, identifying Claude Mythos. An email from April disclosed through access-to-information regulations reveals that Canada’s OSFI cautioned bank technology leaders regarding Anthropic’s Claude Mythos. The upcoming AI energy commitment from the White House focuses on utility companies. The upcoming AI energy commitment from the White House focuses on utility companies. The White House intends to request that utilities, data center operators, and governors commit to ensuring that the demand for AI power will not increase residential electricity costs. Nvidia creates a white list: over half of its Asian clients are excluded from it. Nvidia creates a white list: over half of its Asian clients are excluded from it. Nvidia has significantly reduced its roster of Asian clients authorized to purchase AI chips, implementing a white list and stricter screening processes in Singapore, Malaysia, and Japan. Nvidia has created a whitelist, and over fifty percent of its Asian clients have been excluded from it. Nvidia has created a whitelist, and over fifty percent of its Asian clients have been excluded from it. Nvidia has reduced its roster of Asian clients authorized to purchase AI chips by more than 50%, implementing a white list and stricter screening processes in Singapore, Malaysia, and Japan.

Canada's banking regulator issued a warning to banks regarding Claude Mythos.

An email from April, made public through access-to-information regulations, reveals that Canada’s OSFI has cautioned bank technology leaders regarding Anthropic’s Claude Mythos.