TL;DR:

  • The Bank of England’s Cross Market Operational Resilience Group (CMORG) summoned UK banks, insurers and payments firms this week to discuss the cybersecurity risks posed by frontier AI models, explicitly naming Anthropic’s Claude Mythos.
  • CMORG urged City firms to use AI defensively — fixing vulnerabilities and automating threat responses — and plans a broader meeting in May covering a wider range of UK companies.
  • The move pairs with NCSC chief Richard Horne’s “warning shots” framing, the £90 million SMB cyber-resilience commitment, and the UK government’s broader call to action — a coordinated regulatory pivot, not an ad-hoc response.

The Bank of England has instructed UK City firms to strengthen their cybersecurity against AI-enabled hacking, summoning banks, insurers and payments firms to a meeting of the Cross Market Operational Resilience Group (CMORG) on Wednesday. CMORG, established in 2019 to address systemic threats to UK finance, plans a broader meeting in May covering a wider range of UK firms.

What CMORG is asking for

The ask has two parts: strengthen defences against AI-enabled attacks, and use AI itself to identify and remediate vulnerabilities at speed. The framing is explicitly dual-use: AI as both the threat vector and the defensive tool. CMORG also encouraged firms to automate responses to emerging threats, echoing the NCSC’s advice that the time to apply critical patches is “coming down to minutes” rather than days.

The meeting was triggered specifically by Anthropic’s Claude Mythos model, which Anthropic has held back from public release because its hacking abilities “surpass all but the most skilled humans at finding and exploiting software vulnerabilities”. A UK Artificial Intelligence Security Institute evaluation found that Mythos could autonomously complete advanced cyberattacks that would take human hackers days. US Treasury Secretary Scott Bessent and Fed Chair Jerome Powell called a parallel crisis meeting for Wall Street banks earlier this month.

The UK-specific angle

UK banks and selected technology firms, including Amazon, Apple and JP Morgan, have been given access to Mythos through Anthropic’s Project Glasswing scheme to stress-test their own defences. That access arrangement became more fragile on Tuesday when Anthropic confirmed it was investigating a report of unauthorised access to Mythos through a third-party vendor environment — a containment incident that CMORG’s meeting notably followed rather than preceded.

MI5 has separately been urging UK critical-infrastructure operators (water, energy, communications) to take Mythos-class capabilities seriously. Seen alongside that push, the Bank of England meeting is the financial-services-specific instance of a broader UK-government pattern: publicly naming the Mythos threat, expanding NCSC and AISI access regimes, and pushing UK firms to adopt defensive AI at least as quickly as attackers adopt offensive AI.

Looking forward

The May CMORG meeting is the near-term signal, as it will reveal whether the Bank of England expects firms to adopt specific defensive AI products or maintain tool-neutral expectations. Insurers are already adjusting cyber policy wording: Beazley and QBE have made AI-specific exposure changes in recent weeks. UK financial firms should expect the Prudential Regulation Authority’s joint AI supervisory expectations with the FCA — due this year — to incorporate CMORG’s practical asks, making today’s voluntary meeting a preview of what will shortly be expected.