NEW YORK, May 12: U.S. banks are rushing to fix scores of IT system weaknesses flagged by Anthropic’s powerful but costly Mythos AI tool, prompting urgent repairs and software upgrades and raising the possibility of disruption for customers.
A handful of the country’s largest lenders currently have access to Mythos, Reuters has previously reported, and are now uncovering issues the program is revealing, several sources familiar with the matter said. As they comb through the vulnerabilities, the larger banks are also helping inform smaller banks who do not have direct access to the tool so they can prepare their systems, those sources said. Mythos is viewed by cybersecurity experts as posing significant challenges to the banking industry and its legacy technology systems, prompting a series of warnings from regulators and policymakers.
“This is a wake-up call because cyber risk is moving to machine speed, while much of bank defense still operates at human speed,” said Nitin Seth, co-founder & CEO of Incedo, a data, digital, and AI services firm. “It also breaks a long-standing assumption in banking security — that vulnerabilities can remain hidden for extended periods before they are discovered and weaponized.”
As Wall Street banks test Mythos, they are discovering that the model is expert at chaining together lower-risk vulnerabilities – or weaknesses – into a high-risk vulnerability, several of the sources said. That is triggering a rush to check that software is upgraded, said one of the sources at a major bank, and another person with knowledge of the findings.
Mythos is particularly expert at finding vulnerabilities in proprietary and open-source code, putting banks under pressure to upgrade aging tech that is at the end of its software support, the source at one of the major banks said.
Mythos is uncovering several hundred to thousands of vulnerabilities ranked low to moderate, which need to get fixed, the source with knowledge of the findings said, adding that the model is disruptive for banks because they have to perform the fixes at speeds never previously contemplated – in some cases patching in days vulnerabilities they may have previously waited weeks to patch.
The increased workload could result in banks having to take systems offline more frequently, said one of the people and another source. However, banks would look to do this in a way that causes minimal disruption, the second source said.
One of the sources said that such rapid testing of AI products, including Mythos, is now the new normal, which they expect to be doing continually.
HIGH BARRIERS
One of the barriers to entry for smaller banks is the cost of the technology. Smaller banks also do not have the processing power to use the model, one of the people said, adding that the big banks have, however, been sharing data on their findings.
Like other AI models, Claude Mythos Preview is priced by how many tokens, or pieces of data, it must consume to answer a user’s prompt. It costs $25 per million tokens that a customer inputs into the AI model, and $125 per million tokens that the AI outputs – exactly five times more expensive than Anthropic’s more widely available top AI model, Opus 4.7, Anthropic has said.
Anthropic, however, has said it would provide $100 million worth of credits to Glasswing partners and other Mythos customers, saying this would “cover substantial usage throughout this research preview.” Anthropic has also released recommendations for companies to shore up defenses even if they do not have access to Mythos, and it said in a recent post that another program, Claude Security, which can be used to scan for vulnerabilities, is available to a wider set of organizations.
Anthropic leader Mike Krieger told Reuters last week the AI lab considered both safety and business needs when setting prices. Its pricing should be low enough to encourage usage of its AI while high enough to be “funding the business”, Krieger said. “We want to maximize the amount of aligned tokens flowing into the world,” he said.
Anthropic declined to comment on the banks’ findings of Mythos.
‘OH BOY’ MOMENT
Anthropic initially restricted access to the model to partners in its Project Glasswing initiative and about 40 additional organizations. JPMorgan Chase was a publicly named launch partner, while Goldman Sachs, Citigroup, Bank of America and Morgan Stanley have access, Reuters reported, citing sources and company executives.
Adam Meyers, who leads counter adversary operations at CrowdStrike, a cybersecurity company that is part of Project Glasswing, said that within days of gaining access, he and his team spent “a solid entire weekend trying to figure out how to best use this thing before we even started looking for bugs.” The model required building “a whole methodology and a whole set of capabilities” to harness it effectively, he added. Meyers said when he first found out about Mythos his words were “oh boy”.
A senior bank regulatory official said Mythos has been as powerful as anticipated, and is extremely adept at quickly connecting the dots to highlight vulnerabilities that may have taken humans much longer to tie together.
For banks without access, consultants caution that they should protect their systems.
Bernard Montel, Tenable’s EMEA Technical Director and Security Strategist, said while other sectors are vulnerable, “the backbone of the banking sector is technology, that is the difference,” meaning disruptions hit at the core of the business.
(Additional reporting by Pete Schroeder and Jeffrey Dastin; editing by Megan Davies and Nick Zieminski)
