TL;DR

British financial regulators are holding emergency discussions with the National Cyber Security Centre and major banks to assess risks posed by Anthropic’s Claude Mythos Preview model. The AI system has identified thousands of previously undetected high-severity vulnerabilities across major operating systems and browsers, prompting coordinated responses from regulators on both sides of the Atlantic.

Transatlantic regulatory alarm

The Bank of England, Financial Conduct Authority and HM Treasury are working with the NCSC to evaluate potential weaknesses in critical financial IT systems highlighted by Anthropic’s latest model, according to the Financial Times.

Representatives from leading UK banks, insurers and exchanges will be briefed on the cyber risks at a meeting of the Cross Market Operational Resilience Group (CMORG) within the next fortnight. The group, co-chaired by the BoE’s executive director for supervisory risk Duncan Mackinnon and UK Finance head David Postings, brings together eight of the UK’s largest banks, four financial infrastructure providers, two insurers and multiple regulators.

The UK response follows a parallel move in the United States, where Treasury Secretary Scott Bessent summoned leaders of major Wall Street banks to discuss the model’s cyber risk potential, as reported separately by Reuters and Bloomberg. The Guardian reported that bank bosses were called in to assess the AI system’s ability to identify exploitable vulnerabilities at scale.

What Mythos has found

When Anthropic released Mythos to select customers as part of its “Project Glasswing” initiative, the company disclosed the model had already “found thousands of high-severity vulnerabilities, including some in every major operating system and web browser” — some of which had gone undetected for decades.

The $380 billion San Francisco startup warned it would “not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely,” adding that the fallout for “economies, public safety, and national security could be severe.”

Measured but serious response

David Raw, managing director for resilience at UK Finance, confirmed awareness of “the press reports on the Anthropic AI development and the risks highlighted,” noting the trade body was engaging with members through its public-private partnerships.

The BoE retains the ability to convene its separate Cross Market Business Continuity Group within one to two hours for urgent sector threats, though it has not yet taken this step. The measured pace suggests regulators view this as a serious but manageable risk requiring coordinated assessment rather than crisis-level intervention.

Looking forward

The CMORG meetings will set the tone for how UK regulators approach frontier AI capabilities that double as potential attack tools. For UK financial institutions still recovering from last year’s wave of cyber attacks — including incidents at M&S, the Co-op Group and Harrods — Mythos represents both a defensive opportunity and a wake-up call about the pace of AI-driven vulnerability discovery.