Frank Elderson, a member of the European Central Bank's board and vice chair of its bank supervision function, has urged banks in the euro area to accelerate preparations for cyberattacks that could be launched with the help of Anthropic's Mythos model or comparable AI systems.
In an interview published in the ECB's Supervision Newsletter, Elderson stressed that the absence of direct access to Mythos among many euro-area lenders should not be seen as a reason to delay action. "Lack of access is not an excuse for inaction. On the contrary, it makes it even more critical that banks step up and act now," he said.
Recent reporting has indicated that some large U.S. banks that obtained early access to Mythos are racing to correct numerous weaknesses in their data systems that the tool highlighted. Cybersecurity specialists view Mythos as a major challenge to the banking sector and to data technology infrastructures more broadly, and its emergence has prompted warnings from regulators and policymakers.
Elderson cautioned that the industry must prepare not only for the current capabilities of AI tools but also for successors that may enable more aggressive attacks. "We need to be able to deal with ever more capable future models that could be released in relatively quick succession," he said.
ECB president Christine Lagarde has said the central bank is examining potential defences against cyberattacks guided by Mythos, while also noting that the ECB is at a disadvantage because it does not have access to the model. It has also been reported that in April ECB supervisory teams planned to ask the banks they oversee about their readiness for this new risk source.
The uneven global distribution of access to Mythos may become more pronounced: reporting suggests Japan's three largest banks could soon be cleared to begin working with Mythos, potentially within about two weeks. Elderson warned that banks and the third-party contractors they depend on must act quickly to remedy even minor vulnerabilities, issues that have often been addressed only within longer software update cycles.
The message from the ECB supervisor was clear: limited regional access to an AI tool that can both identify and potentially help exploit system weaknesses increases the onus on financial institutions and their service providers to accelerate patching and tighten operational security. While specifics of any coordinated defensive measures were not detailed in the interview, the call to expedite remediation underscores a regulatory focus on operational resilience in the face of rapidly evolving AI capabilities.
Contextual note: The interview and subsequent comments reflect supervisory concern about emerging AI-driven cyber risks and the need for swift technical responses by banks and their vendors.