TL;DR
The ECB is convening banks on Tuesday to address cybersecurity risks from AI models like Anthropic's Mythos, which has found thousands of zero-day vulnerabilities. Executive board member Frank Elderson says banks must patch faster because AI can exploit flaws within minutes of a fix's release.
The European Central Bank is calling banks in for a meeting on Tuesday to address the cybersecurity risks created by a new generation of AI models that can find and exploit software vulnerabilities faster than any human team. The meeting follows months of growing anxiety across European finance about Anthropic's Claude Mythos Preview, the frontier AI model that has identified thousands of zero-day flaws across major operating systems and browsers.
ECB Executive Board member Frank Elderson told the Financial Times that banks need to accelerate work that has been under way for years. “There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster,” he said.
The central bank plans to warn lenders about the specific threats posed by Mythos and similar AI systems. It will also ask US banks that have access to the technology, through Anthropic's controlled distribution programme called Project Glasswing, to share what they have learned with European peers who remain locked out.
That access gap is the core problem. Only about 40 to 50 organisations have been granted access to Mythos so far, including Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase. No European bank is on the list. In controlled testing, the model produced working exploits on its first attempt more than 83 per cent of the time, often outperforming human cybersecurity specialists. Anthropic has warned that adversaries could replicate the capability within six to twelve months.
Elderson's message to banks is blunt: patch faster. AI models can now reverse-engineer software fixes within minutes of their release, meaning that the window between a vulnerability being patched and being exploited has collapsed. Banks and their IT contractors can no longer afford to leave even minor vulnerabilities for longer update cycles. European banks cannot use their lack of access to Mythos as an excuse for inaction, Elderson said, because malicious actors could soon gain access to equivalent technology.
The ECB's intervention follows a broader regulatory scramble across Europe. Euro-area finance ministers have demanded Mythos access, and European Commissioner Valdis Dombrovskis confirmed on 4 May that the EU is in talks with Anthropic about having companies and banks tested for the vulnerabilities the model uncovers. Those talks have made little progress. Reports from Spanish officials in mid-May indicated the negotiations had effectively stalled.
The impasse has created an opening for rivals. French AI startup Mistral AI is in discussions with European banks about deploying its own cybersecurity model, designed to identify vulnerabilities in the same way Mythos does. CEO Arthur Mensch has framed the effort as a question of technological sovereignty, leveraging existing banking clients including HSBC and BNP Paribas. The model is still under development and has no confirmed release date.
Anthropic has chosen a different path from a public release. Rather than making Mythos generally available, it launched Project Glasswing, an industry consortium in which partner organisations use the model to find and fix flaws in their own systems. Glasswing partners can now share their findings beyond the programme, which may help address the information gap that European regulators are worried about.
The stakes are not theoretical. Anthropic briefed the Financial Stability Board on what Mythos has been finding, at the request of Bank of England governor Andrew Bailey, who chairs the board. The Federal Reserve and the US Treasury separately convened bank CEOs to discuss the cyber risks. Real-world data from Palo Alto Networks shows that advanced AI models are discovering vulnerabilities at seven times the usual rate, and the firm has warned that the industry has only three to five months of defensive buffer remaining.
The ECB's meeting on Tuesday will push banks to act under the Digital Operational Resilience Act, the EU's cybersecurity law for financial services. DORA requires banks to manage IT risk, test resilience, and report incidents. The question is whether the regulation's framework can keep pace with AI models that are finding decades-old vulnerabilities faster than the institutions responsible for fixing them.
For European banks, the situation is uncomfortable. The most powerful tool for finding the flaws in their systems exists, they are not allowed to use it, and the regulator is telling them to fix the problems it reveals anyway. The political pressure to resolve the access question is mounting, but until it is resolved, European lenders are being asked to defend against threats they cannot fully see.