Canadian regulator warns banks that Anthropic's Claude Mythos compresses cyber defense window
Attack methods can emerge as soon as new vulnerabilities are identified.

The Anthropic Claude app in the Apple App Store. Gabby Jones/Bloomberg via Getty Images.
- The Office of the Superintendent of Financial Institutions told banks that Anthropic's Claude Mythos model significantly reduces time to identify and fix vulnerabilities.
- Access to the AI model, described as extremely capable at finding and exploiting security flaws, is currently blocked for eurozone banks.
- Royal Bank of Canada and other major banks are building their own AI security tools to respond rapidly to emerging attack methods.
- The warning follows urgent US meetings between Treasury officials, Federal Reserve, and bank CEOs about Mythos-related cyber risks to the financial sector.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Canada's federal banking regulator warned the country's largest financial institutions about the risks of Anthropic's Claude Mythos and other advanced AI models, saying the new technology could increase cyber threats and reduce the time institutions have to identify and fix vulnerabilities, according to an email sent in April.
The regulator, the Office of the Superintendent of Financial Institutions, sent the email to chief technology officers, chief information security officers, and chief risk officers across the financial industry, including the big banks and insurers, according to documents Reuters obtained through an access-to-information request.
Regulators globally are trying to assess cybersecurity risks such as Anthropic’s frontier AI model Mythos. Cybersecurity experts say Mythos, an AI model described as extremely capable at finding and exploiting cybersecurity vulnerabilities, poses significant challenges to the banking industry and its legacy technology systems.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
"Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation," OSFI said in the email.
"Accordingly, this bulletin is grounded in our existing guidance and outlines sound practices that institutions can adopt to enhance the speed and effectiveness of risk identification, mitigation and response."
Additional contents of the email were redacted due to some sections of the Access to Information Act. An acknowledgment of the risks of Mythos from OSFI could ensure Canadian banks, insurers and other regulated institutions invest in technology to protect clients from cyber risks.
After Reuters sent questions to OSFI last week, the regulator on Monday posted a public bulletin on generative and agentic artificial intelligence online.
"OSFI takes a technology‑neutral, risk‑focused approach to emerging technologies, including advanced artificial intelligence models such as Mythos. Our focus is not the technology itself, but how federally regulated financial institutions govern and manage the risks associated with its use," the regulator said in an emailed response to Reuters questions.
In early April, Canadian bank executives met with regulators to discuss the risks posed by Mythos shortly after US Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell convened an urgent meeting with bank CEOs to warn of cyber risks posed by Anthropic's latest artificial intelligence model.
OSFI sent the email to company executives on April 29.
Canadian banks build AI defenses as Mythos access restricted
OSFI is responsible for regulating and maintaining the stability of Canada's financial sector, from banks to pension funds, and identifying risks emerging from foreign interference, geopolitics and new technology.
The cyber capabilities of some frontier AI systems are considered so powerful that access has been restricted, with euro zone banks currently excluded from Mythos.
Anthropic has also had a tumultuous relationship with the US government. A judge blocked its initial blacklisting by the Pentagon in March, and the conflict has eased following the private release of Anthropic's Mythos.
Three of Canada's big six banks - Royal Bank of Canada, TD Bank and BMO - have outlined a plan to earn millions from their investments in AI as the banks moved from experimental AI projects to applying them in chatbots, building internal tools and lowering their reliance on third-party tools.
Bank of Nova Scotia, CIBC and National Bank have also disclosed several AI initiatives.
The Canadian government has said it has access to Anthropic's Project Glasswing, which allows companies to have access to Mythos. It is not clear which, if any, banks in Canada are using it. Some banks deferred comments to the Canadian Bankers Association, which said banks have invested heavily to protect the financial system and are complying with robust requirements from OSFI on cyber risk management and incident reporting.
In an interview in June, RBC's AI Group Head Bruce Ross said Mythos underscored a shift in the cyberattack landscape, making it imperative for organizations to respond rapidly since attack methods can emerge as soon as new vulnerabilities are identified.
"The way we're (the industry) dealing with it is, building our own AI defenses... we'll continue to do that," Ross said.