Anthropic PBC

’s latest

artificial intelligence

release has put the financial world on its toes, mere months after its specialized AI tools for the legal sector rattled markets and helped sink software stocks. Following the San Francisco-based company’s announcement that it had developed a powerful general-purpose AI model called Mythos that excels at uncovering and exploiting software vulnerabilities — a tool so powerful Anthropic has declined to release it to the general public — financial regulators and banking executives in some countries, including Canada, gathered to discuss the implications for financial system resiliency. Here’s what you need to know about Mythos and why it has the financial world in a panic.

What is Mythos and what can it do?

Mythos changes the game in terms of how fast

cyberattacks

can be carried out, according to those familiar with AI and cybersecurity.

“Up until now, the frontier AI models couldn’t find and exploit serious software vulnerabilities on their own. They would help a skilled human work faster, but the hard part was still taken on by the human,” Shamel Addas, associate dean and distinguished research fellow of digital technology at Queen’s University in Kingston, Ont., said.

“But Mythos is different. It’s not just that it is smarter, but it can run on its own. It can look at a piece of software, find a weakness, figure out how to exploit it and chain several of those together without a person walking through each step.”

Last week, Anthropic acknowledged that Mythos had discovered thousands of “high-severity vulnerabilities … in every major operating system and web browser.” Addas said some of those flaws had been present for decades.

To stem potential safety risks, the company announced it won’t be releasing Mythos to the general public. Instead, it has shared its new model with the likes of Apple Inc., Amazon Web Services Inc., Google LLC, Microsoft Corp., Nvidia Corp. and JPMorgan Chase & Co., as well as 40 other companies that build or maintain critical software to help the industry improve its cyber defences.

Dubbed Project Glasswing, Anthropic said this initiative is an effort to “put these capabilities to work for defensive purposes.” It has pledged to publicly release its findings.

How did the financial world react?

Last Tuesday, United States Treasury Secretary Scott Bessent and U.S. Federal Reserve chair Jerome Powell met with CEOs from Goldman Sachs Group Inc., Morgan Stanley, Citigroup Inc. and others in Washington to discuss the cybersecurity risks stemming from Mythos and other AI tools.

The United Kingdom’s financial regulators and cyber watchdog then met with the largest British banks, insurers and financial institutions to assess potential vulnerabilities in their technology systems.

The

Bank of Canada

followed in the same footsteps, saying it met with the chiefs of the top banks and financial institutions, including members of the Canadian Financial Sector Resiliency Group, on Friday, but did not comment further.

The Office of the Superintendent of Financial Institutions (OSFI), the Department of Finance and TMX Group Ltd., the parent company of the Toronto Stock Exchange, also joined the meeting, according to Bloomberg. OSFI did not respond to requests for comment.

Artificial Intelligence Minister Evan Solomon met with executives from Anthropic on Tuesday to engage in what his office called “constructive, ongoing discussions.”

In an email, Solomon praised Anthropic’s “proactive” approach in working with companies and governments to shore up cybersecurity, but did not specify whether Anthropic would provide Canadian companies with access to Mythos. Anthropic did not respond to requests for comment.

Why are regulators and banks worried about it?

Mythos has financial regulators and executives concerned that new and increasingly powerful AI capabilities that can identify software vulnerabilities faster and easier could lead to more sophisticated cyberattacks that could quickly cascade across multiple institutions.

“For example, if AI can rapidly scan banking or payment software and find weaknesses or flaws in a few hours, instead of weeks, that means multiple organizations using the same system could be exposed to the threat a lot faster,” said Hadis Karimipour, a professor at the University of Calgary. “It increases the risk of coordinated disruption.”

Canada’s concentrated financial system also means heightened risks, Addas said.

“The

Big Six

plus Desjardins carry most of the weight. That’s usually a strength because it’s easier to coordinate a small number of well-run institutions,” he said. “But in this environment, we also need to worry about mid-sized lenders, credit unions and smaller players (as) they often share technology vendors with the big guys, but don’t have the same security teams.”

Academics say risk mitigation will require global coordination and more proactiveness from Canadian regulators, which have already put existing rules and guidelines in place to protect against such risks, including focusing on third-party and vendor risk.

Canadian banks largely run on American software, which means their security is dependent on external vendors, Addas said.

“It will likely be Americans who will be fixing problems in software we use and we’ll be waiting to inherit those fixes,” he said. “The real test for Canadian regulators and Canadian banks over the next year is whether they can be both careful and fast.”

  • Toronto’s Cohere in ‘advanced discussions’ to merge with German AI company: report
  • Canadian quantum stock Xanadu jumps in first day of trading on Nasdaq

• Email: ylau@postmedia.com