Bank of England’s Bailey Names Anthropic’s Mythos as Cyber Risk to Financial System
TL;DR: Bank of England Governor Andrew Bailey has publicly named Anthropic’s Mythos product as a major cybersecurity concern for central banks, urging regulators to quickly understand whether the model can identify exploitable weaknesses in banking systems. The intervention is a rare direct link between a specific frontier model and UK financial stability.
Speaking at Columbia University on Tuesday, Bailey said the Gulf conflict had been the most recent shock on regulators’ watch list until, as he put it, the realisation last Friday that “Anthropic may have found a way to crack the whole cyber risk world open”. The core regulatory question, he said, is the extent to which Mythos can find vulnerabilities in third-party systems that can then be exploited for attacks.
Why This Intervention Is Different
UK regulators have raised AI-related risks before, but typically in general terms. Naming a specific vendor model from a central bank Governor is unusual. The timing reinforces the signal: earlier this week, Trump administration officials urged JPMorgan Chase, Goldman Sachs and other major US banks to test Mythos directly, and the UK AI Security Institute published an independent evaluation finding Mythos broadly comparable to peer models on single cyber tasks but stronger at chaining multi-step attacks.
Bailey said cyber had climbed regulators’ risk lists faster than any other category in recent years, noting “you have to keep mitigating it, but the threat actors will move on, so we have to deal with it”.
The Financial Stability Frame
The Governor also used the event to argue that central bank independence on financial stability is “not as robust” as on monetary policy and should be strengthened. He placed the Mythos concern inside that broader case — that protecting trust in money sits alongside protecting the value of money, and that both deserve operational independence. The framing matters because UK finance minister Rachel Reeves has pushed regulators to weight economic growth more heavily, while Bailey is signalling that systemic cyber risk cannot be traded off against looser lending rules.
Looking Forward
For UK banks and insurers, Bailey’s remarks put AI-related cyber on the regulatory agenda in concrete terms. Expect Prudential Regulation Authority and Financial Conduct Authority engagement on three fronts over the coming months: third-party vendor assurance questions covering frontier-model access, red-team exercises testing chained-attack resilience, and board-level articulation of how firms have evaluated specific models against systems they protect. Firms that have not yet mapped their exposure to named frontier models should do so now — waiting for formal guidance is no longer the lower-risk option.