Anthropic to brief global finance watchdog on Mythos cyber risk

Reuters reports that Anthropic is set to brief the Financial Stability Board on cyber vulnerabilities in the global financial system identified by its new Mythos model. This is not a routine model story. It is a new kind of systemic risk story.

According to Reuters, the report is based on Financial Times reporting. Bank of England Governor Andrew Bailey requested the briefing, Reuters says. The FSB brings together finance ministries and central banks from G20 economies and coordinates global financial rules. When a frontier AI model lands on that table, the signal is blunt: AI security is no longer only a CISO issue. It is becoming a financial-stability issue.

Reuters also says it could not immediately verify the FT report. Anthropic and the FSB did not immediately respond to Reuters' requests for comment. That caveat matters. The story should be read as a reported briefing plan, not as an official FSB decision.

The substance is still strong. Mythos Preview is the Anthropic model the company has described as built to find old and severe vulnerabilities in browsers, infrastructure and software. It has been announced, but is not broadly released. Anthropic has previously said the model has found thousands of high-severity vulnerabilities, including flaws in major operating systems and web browsers.

Bailey warned in April that Mythos could open a new risk surface. Reuters quotes him saying Anthropic may have found a way to “crack the whole cyber risk world open.” The line is dramatic. The practical point is sharper: what happens when a model can identify weaknesses in other systems faster than normal security organizations can close them?

From security tool to financial-stability risk

Banks and financial infrastructure run on old core systems, long supplier chains and narrow change windows. That is a poor mix if AI models make vulnerability discovery and exploit development cheaper, faster and more widely available.

For banks, insurers, payment companies and critical suppliers in Norway and Europe, the key question is not whether Mythos is released tomorrow. The question is whether the economics of vulnerabilities have already changed. If the answer is yes, existing routines for patching, supplier notification and risk classification may be too slow.

The issue reaches beyond financial services. Most large organizations depend on payment flows, identity providers, cloud platforms and software components they do not fully control. If an AI model finds more flaws inside a supplier stack, the operational risk can quickly land in the customer’s own business.

This is where boards and executive teams need to engage. They should not ask for a Mythos demo. They should ask for answers to four questions:

• How fast can we close a critical vulnerability if exploit code can appear the same day?
• Which suppliers have binding notification deadlines, patch SLAs and documented consequences if they fail?
• Do we log the use of AI coding tools and security agents well enough to see who did what, with which data and which privileges?
• Do we have a crisis plan for a vulnerability in a component we do not own, but that sits inside a critical value chain?

The hard dual-use problem

Anthropic frames Mythos as a defensive tool. That is credible. The same kind of model can find flaws before attackers do, help open-source maintainers who lack security resources, and give large technology companies a better chance of cleaning up old codebases.

But that is also the core risk. A model strong enough to find and chain vulnerabilities is not just a better scanner. It can compress the time from weakness to working attack. Controls around access, logging, model use, export and human approval therefore matter as much as the benchmark result.

For leaders, this means AI cyber risk should not sit inside a separate innovation bucket. It belongs in the risk committee, internal audit, procurement and incident preparedness. Vulnerabilities are no longer only a technical backlog. They are a governance risk tied directly to uptime, regulatory trust and customer trust.

The most practical consequence is to tighten patch and supplier governance now. Critical systems need shorter closure windows. Exceptions need written ownership. Suppliers need to show how they use AI to find and fix flaws, and how they prevent the same tools from creating new attack surfaces.

Organizations should also separate three roles: models that find vulnerabilities, agents that propose or execute changes, and humans who accept risk. If those roles blur, companies get speed without accountability. Boards should dislike that combination intensely.

If the FSB briefing takes place as described by FT and Reuters, it is more than a meeting about one model. It marks a shift: AI models are now being assessed as potential drivers of systemic cyber risk. That is a higher bar.

The takeaway for hogby.ai readers is direct. Do not wait for the regulator. Map legacy systems, tighten patch SLAs, raise supplier requirements and treat AI-based security tools as privileged systems. They should not merely work. They must be auditable.

Sources and media

• Primary source: Reuters, “Anthropic to brief global financial watchdog on cyber flaws exposed by Mythos, FT reports”, published May 18, 2026: https://www.reuters.com/technology/anthropic-brief-financial-stability-board-cyber-flaws-exposed-by-mythos-ft-2026-05-18/
• Reuters notes that its story is based on Financial Times reporting, and that Reuters could not immediately verify the report itself.
• Background: Anthropic, Project Glasswing / Mythos Preview: https://www.anthropic.com/glasswing
• Media use: the Reuters image was used only as editorial reference/context and was not rehosted.
• Thumbnail: OpenAI Image 2 / hogby.ai.