Global Financial AI-Vulnerability Watch
Institutional response to AI-accelerated vulnerability risk in financial services
AI-AV Threats are focusing on critical system vulnerabilities in two key ways: by accelerating vulnerability detection (AVD) and by accelerating vulnerability exploitation (AVX). This initiative monitors how central banks, prudential regulators, finance ministries, and bank executives are responding to these threats — including Anthropic's Claude Mythos, OpenAI's GPT-5.5, and other emerging AI systems with similar capabilities.
Analytical synthesis based on verified public statements and supervisory activity.
- Current signal: Regulatory attention is moving from individual statements to coordinated supervisory and political engagement.
- Most concrete action: APRA's April 30 letter.
- Most important new development: Eurogroup discussion on May 4.
- Next signal to watch: Whether Europe secures Mythos access terms or issues formal supervisory expectations.
The May 4 Eurogroup delivered the most consequential European development since the publication began tracking institutional response to AI-AV Threats. Euro-area finance ministers, meeting with the chairs of the Single Supervisory Mechanism and Single Resolution Board, took up Anthropic's Claude Mythos Preview directly — moving the European response from individual national engagements (the Bundesbank's Apr 21 Nagel speech and Apr 29 Theurer interview, ECB Banking Supervision's Apr 17 dialogue with euro-area lenders) to coordinated euro-area political-level engagement. Spain's economy minister Carlos Cuerpo, before the meeting, gave the most direct national-level positioning on Mythos from any EU finance minister, saying Europe needs a response to "ensure our companies have access to these models, and can protect themselves against what may come" and pushing for the AI Act as a regulatory instrument. Eurogroup President Kyriakos Pierrakakis acknowledged ministers will revisit the issue at future meetings. The meeting produced no formal access agreement; what it produced was a clearer collective signal that European supervisors expect equivalent treatment and may escalate.
Outside Europe, two anchors from the prior cycle remain structurally important. APRA's April 30 letter is still the most concrete supervisory document in the tracker — explicit on Mythos, calling for a "step-change" in how banks, insurers, and superannuation trustees manage AI-related risks. It sets the bar for what comparable formal action from PRA, ECB-SSM, or other prudential supervisors would look like. Fed Vice Chair for Supervision Michelle Bowman's May 1 FSOC roundtable speech remains the first on-record Mythos commentary from the Fed's top bank-supervisory official; she committed regulators to refine their supervisory approach without yet specifying what form that refinement will take. The pattern across jurisdictions is still coordinated supervisory engagement rather than formal action — APRA's letter is the exception. Formal action elsewhere — CPS-series amendments at APRA, a PRA "Dear CEO" letter, an ECB DORA-linked supervisory statement, an FSB workplan output — would represent the next phase if current trajectories continue. None of those has landed.
Three things to watch into the coming weeks. The next Eurogroup: Pierrakakis said ministers will revisit Mythos; the next regular meeting is the venue. Whether the revisit produces coordinated euro-area language or remains at consultative level will signal how far European political-level engagement is willing to go. The EU-Anthropic talks: EU Economy Commissioner Valdis Dombrovskis confirmed May 4 that the Commission is in talks with Anthropic about getting European companies and banks tested for Mythos-exposed vulnerabilities. Whether those talks produce concrete access arrangements — and on what terms — is the closest near-term Mythos-specific signal in Europe. The FSOC AI Innovation Series: the fourth roundtable on cybersecurity and risk management remains scheduled; whether Bowman's speech is the start of a Fed/FSOC supervisory framing track or a one-off will shape the US posture into Q2.
Analytical note: AI-AV Threats and the defensive shift required
AI-AV Threats are focusing on critical system vulnerabilities in two key ways: by accelerating vulnerability detection (AVD) and by accelerating vulnerability exploitation (AVX). Anthropic's Claude Mythos anchored the early evidence base — released in April 2026 to roughly 40 partner organizations under Project Glasswing, Mythos identified 271 previously undisclosed vulnerabilities in Mozilla Firefox and, in AISI's controlled evaluation, completed multi-step end-to-end network attacks in lab environments. (Project Glasswing, the Firefox 271 result, and AISI evaluations are vendor-announced and external-evaluation context that anchors why financial regulators are responding; they are not tracker entries themselves.)
OpenAI's GPT-5.5 is emerging as a second case: AISI's late-April evaluation reported comparable exploitation capability under the same lab conditions. More such models are likely to follow. Early evidence suggests an emerging pattern, and the regulatory response is beginning to reflect it.
Regardless of which AI technology is being used, current evidence suggests patch management alone may be insufficient against the compression occurring in exploit development cycles, on current lab evidence and operational constraints. AISI's controlled evaluations of Mythos and GPT-5.5 indicate exploit development can compress from days to hours under lab conditions; patch deployment cycles for production financial systems cannot reasonably go below days. The window between vulnerability disclosure and working exploit is, on current lab evidence, closing faster than the window between disclosure and deployed patch. CERT-In's April 26 advisory calls for Indian financial institutions to treat newly disclosed vulnerabilities as exploitable within hours, not weeks — an explicit acknowledgment that the patch window has changed.
The defensive response. Regulatory signals indicate a shift toward measures that disrupt exploitation in progress, regardless of whether AI is accelerating detection or accelerating exploitation. Broad expansion to all general security measures dilutes focus; the signaled posture is narrower — capabilities that operate during exploitation rather than only before it.
Whether attacks are human-directed or AI-directed, exploitation disruption is emerging as a central defensive objective in the regulatory record. AI-directed exploitation would increase pressure for defensive tooling capable of operating at comparable speed. APRA's April 30 letter calls for a “step-change” in how banks, insurers, and superannuation trustees manage AI-related risks — language reserved for substantive change in supervisory expectations rather than incremental adjustment. Read across the regulatory record — APRA's “step-change” framing, CERT-In's call for treating disclosed vulnerabilities as exploitable within hours, and the supervisory dialogues underway at ECB, MAS, HKMA, and RBA — the signaled posture is a defensive shift toward capabilities that operate during exploitation rather than only before it.
Methodology note. Model capability references in this overview (AISI evaluations, vendor announcements such as Project Glasswing) are used as contextual inputs to explain regulator responses. These evaluations are primarily based on controlled lab environments and do not represent unconstrained real-world cyber operations. This assessment reflects early-stage evidence and regulatory signaling; real-world attack capability and operational impact remain uncertain.
Upcoming
Meetings, milestones, and reasonably expected follow-ups worth watching. External events move into the tracker timeline once they happen.
- May 22, 2026Eurogroup meeting (next). Pierrakakis explicitly committed at the May 4 Eurogroup that ministers will revisit Mythos at future meetings; this is the next regular venue. Whether the revisit produces coordinated euro-area language or remains at consultative level is the question. Scheduled
- Q2 2026EU-Anthropic talks outcome. EU Economy Commissioner Dombrovskis confirmed May 4 that the Commission is in talks with Anthropic about getting European companies and banks tested for Mythos-exposed vulnerabilities. Whether those talks produce concrete access arrangements — and on what terms — is the closest near-term Mythos-specific signal in Europe. Watch
- Q2 2026FSOC AI Innovation Series — Roundtable 4. The cybersecurity and risk-management roundtable in Treasury's four-part series. Bowman's May 1 remarks were delivered at Roundtable 3; outputs from Roundtable 4 are likely to inform any Fed/FSOC supervisory framing on frontier-AI cyber risk. Anticipated
- Q2 2026UK PRA "Dear CEO" letter. Following Bailey's IMF and Columbia remarks plus the CMORG cross-market briefing, a formal supervisory letter to UK banks is plausible. Anticipated
- Q2 2026Singapore CII obligations review. SMS Tan Kiat How told Parliament May 5 the government is reviewing standards and obligations for CII owners to enable more urgent response to frontier-AI threats. CSA advisory issued same day. Watch
- Mid-JulyUS bank Q2 earnings calls. Potential opportunity for JPMorgan, Goldman, Morgan Stanley, BNY, Citi CEOs to update on Mythos-related risk posture, if referenced. Q1 commentary set a high bar.
- JulyG20 Finance Ministers meeting. First G20 finance-track moment after Mythos. Watch for joint statement language naming Mythos, AVD/AVX threats, or frontier-AI cyber risk specifically — distinct from generic AI references. Scheduled
- Q3APRA prudential standards. APRA's Apr 30 letter signaled a "step-change" was needed. Watch for formal CPS-series prudential standards or amendments to existing CPS 234 (Information Security) referencing frontier AI. Anticipated
- Oct 13–19IMF / World Bank Annual Meetings. Major set-piece for global financial governance. The IMF Spring Meetings drove the Apr 14–17 cluster of Mythos-related regulator engagement (Bailey, Lagarde, Macklem, Champagne, parallel ECB / German consultations); the Annual Meetings will be the next opportunity to observe whether Mythos remains explicitly referenced in financial-stability discussions. Confirmed
- Q4FSB Plenary, AI workplan. The Financial Stability Board's plenary is expected to address AI cyber risk on its workplan. Bailey chairs the FSB — expect explicit framing. Scheduled
- JanuaryUS bank Q4 / 10-K filings. First annual filings after public Mythos engagement. Watch for AI-cyber risk factor disclosures and management commentary on frontier-AI security implications. Anticipated
- OngoingCross-jurisdictional coordination. Watch for joint statements, FSB workplan updates, or G7/G20 communiqué language tying Mythos and AI-AV Threats to financial-stability priorities. Watch
Status tags: Confirmed = official date set. Scheduled = on calendars but not yet final. Anticipated = reasonable expectation based on what's already in the timeline. Watch = signal worth tracking; outcome uncertain.
Updates
The tracker is updated multiple times per week. Recipients receive a short digest when new entries are added — typically two to three sentences plus links into the tracker.
Designed for finance professionals — central bank staff, prudential regulators, bank risk and compliance teams, banking lawyers, and audit professionals — tracking the regulatory and disclosure response to AI-accelerated cyber risk.
No marketing. No sharing your address. Remove yourself in one click.
External references
Working with a journalist or researcher who'd like background? Use "Updates" or contact us directly.
What's tracked, and how
This page covers public actions and statements from financial regulators, central banks, finance ministries, prudential supervisors, and bank/market executives in response to AI-AV Threats — including Anthropic's Claude Mythos Preview, OpenAI's GPT-5.5, and other emerging frontier-AI capabilities relevant to financial-sector cyber risk. Tech-only commentary, AI capability evaluations from non-financial bodies, and pure cybersecurity advisories are excluded unless they have a direct financial-sector angle.
Each entry is verified against at least one reputable source — Reuters, Bloomberg, Financial Times, official regulator communications, or named publication interviews. Quotes are verbatim from source where shown. Updates are made multiple times per week.
Selected statements
Statements from named officials and bank executives that frame the regulatory and industry stakes most clearly.
Selected supervisory actions
Concrete moves by regulators, ministries, and supervisors.
Resource library
Public documents that anchor the tracker's editorial framing.
Financial Industry Engagement History
A quick read of where national-level engagement has emerged — how many countries have publicly engaged, and when each first registered concern. Regional and multilateral engagements (Eurozone, EU, IMF) appear in the tracker and editorial but do not increment the country count.
Global Financial AI-Vulnerability Tracker
A focused tracker of public actions and comments from central banks, prudential regulators, finance ministries, supervisory bodies, banking executives and adjacent cyber/AI authorities responding to Anthropic's Claude Mythos Preview.
| Date | Jurisdiction | Type | Institution / Official | Action / summary | Sources |
|---|---|---|---|---|---|
| Apr 7, 2026 |
United States
|
🏛️Finance Ministry |
Treasury Secretary Scott Bessent; Fed Chair Jerome Powell
|
Closed-door meeting with bank CEOs
Bessent and Powell convened a closed-door meeting at Treasury HQ with the CEOs of Bank of America (Brian Moynihan), Citigroup (Jane Fraser), Goldman Sachs (David Solomon), Morgan Stanley (Ted Pick), and Wells Fargo (Charlie Scharf). JPMorgan's Jamie Dimon was unable to attend. Officials encouraged banks to run Mythos against their own systems.
|
Bloomberg; Financial Times; CNBC; The Hill |
| Apr 12, 2026 |
Multilateral
|
🛡️Financial Regulator |
IMF MD Kristalina Georgieva
|
CBS 'Face the Nation' interview
Georgieva said the world does not have the ability to protect the international monetary system against massive cyber risks, that risks 'have been growing exponentially,' and called for more attention to AI guardrails. Her line 'time is not our friend on this one' framed the issue ahead of the IMF Spring Meetings.
|
CBS News; AOL; Reuters |
| Apr 16, 2026 |
European Union
|
🛡️Financial Regulator |
European Commission spokesman Thomas Regnier
|
First public statement; meeting with Anthropic
Following an Apr 15 meeting between EU officials and Anthropic, Regnier told reporters the EU needed information about the risks of the new AI model (context: Anthropic's Mythos). He confirmed a first meeting with Anthropic had taken place and more would follow. The Commission later said it was 'monitoring the security implications' of the technology.
|
Courthouse News; Bloomberg |
| Apr 13, 2026 |
United States
|
💬Bank Exec |
Goldman Sachs CEO David Solomon
|
Q1 earnings call (with Apr 28-29 Goldman Hong Kong development noted)
Multi-event synthesis. (1) On the Apr 13 Q1 earnings call, Solomon told analysts Goldman is 'aware of Mythos and its capabilities' and has the model, and described the bank as working closely with Anthropic and its security vendors to harness frontier capabilities. (2) Approximately two weeks later, FT reported (Apr 28; Reuters and Bloomberg confirmed Apr 29) that Goldman had stopped Hong Kong-based bankers from using Claude in recent weeks; Gemini and ChatGPT remained operational. HKMA contacted 'a range of major banks' to update risk assessments amid Mythos scrutiny and US-China AI access tensions.
|
Constellation Research; American Banker; Financial Times; Reuters; Bloomberg |
| Apr 14, 2026 |
United States
|
💬Bank Exec |
JPMorgan CEO Jamie Dimon; CFO Jeremy Barnum
|
Q1 earnings call
Dimon said JPMorgan was testing Mythos and that the model created 'additional vulnerabilities,' showing a lot more vulnerabilities needed to be fixed. Barnum said AI tools could make it easier to find vulnerabilities but also be deployed by bad actors in attack mode.
|
CNBC; Banking Dive |
| Apr 15, 2026 |
South Korea
|
🏛️Finance Ministry |
Ministry of Science and ICT
|
Emergency industry meetings
MSIT held a meeting with leading Korean cybersecurity firms to discuss the impact of Mythos and OpenAI's GPT-5.4-Cyber (a defensive cybersecurity variant of GPT-5.4 released Apr 14, 2026 to OpenAI's Trusted Access for Cyber program; named in Korean source coverage of the meeting), plus separate talks with chief information security officers from 40 major companies. GPT-5.4-Cyber is a Mythos-adjacent named model that is currently outside the publication's primary tracker scope; included here because it appears in the source's account of the meeting alongside Mythos.
|
Seoul Economic Daily |
| Apr 13, 2026 |
South Korea
|
🛡️Financial Regulator |
Financial Supervisory Service (FSS)
|
Industry security meeting
FSS held a meeting with information security officials from financial firms to review Mythos-related risks.
|
Reuters; Yonhap |
| Apr 15, 2026 |
South Korea
|
🛡️Financial Regulator |
Financial Services Commission (FSC)
|
Emergency meeting
FSC held an emergency meeting with chief information security officers from FSS, banks and insurers to review the risks (per Yonhap, citing industry sources).
|
Reuters; Yonhap; SCMP |
| Apr 15, 2026 |
United States
|
💬Bank Exec |
Morgan Stanley CEO Ted Pick
|
Q1 earnings call
Pick confirmed Morgan Stanley is permissioned on Claude Mythos Preview, describing AI as the latest generation of technology that would be part of the banking ecosystem and calling it the bank's 'friend.'
|
American Banker; Banking Dive |
| Apr 16, 2026 |
United States
|
💬Bank Exec |
BNY CEO Robin Vince; Citi CEO Jane Fraser
|
Q1 earnings call commentary
Vince confirmed BNY is running Mythos Preview and described AI as 'a superpower' that can be used for good or evil. Fraser said Citi is examining AI through four lenses including defensive cyber capabilities. Citi CFO Gonzalo Luchetti said the bank is approaching it with 'the degree of urgency that it requires.'
|
Banking Dive; Financial Times |
| Apr 16, 2026 |
Germany
|
💬Bank Exec |
Kolja Gabriel, German Banking Association (Bundesverband deutscher Banken); BaFin
|
Industry-regulator coordinated evaluation; on-the-record statements
Gabriel, executive board member responsible for technology and innovation, told Reuters the German Banking Association was consulting with cyber experts at member banks alongside the finance ministry, Bundesbank, and BaFin. Gabriel: "Mythos is being used in a controlled manner by IT security firms to close potential vulnerabilities as quickly as possible. We expect a series of software updates shortly and are closely monitoring developments." BaFin separately stated: "Financial firms must be prepared for the possibility that vulnerabilities could be discovered in the near future, which would then need to be addressed promptly and quickly."
|
Reuters; Invezz; Global Banking and Finance |
| Apr 17, 2026 |
Eurozone
|
🏦Central Bank |
ECB President Christine Lagarde
|
IMF Spring Meetings remarks (Bloomberg TV)
Lagarde described Anthropic and Mythos as a good example of a responsible company but warned that 'if it falls in the wrong hands, it could be really bad.' She added that no governance framework currently exists to address the issue, and that one needs to be built.
|
Financial Times; Irish Times; Bloomberg TV |
| Apr 14, 2026 |
United Kingdom
|
🏦Central Bank |
Bank of England Governor Andrew Bailey (also FSB chair)
|
Columbia University speech, New York
Bailey said Anthropic 'may have found a way to crack the whole cyber risk world open' and called on global regulators to rapidly evaluate the threat. The core regulatory question, he said, was the extent to which Mythos can identify vulnerabilities in third-party systems that can then be exploited for cyberattack purposes.
|
Reuters; Bloomberg; FT |
| Apr 17, 2026 |
United Kingdom
|
🏦Central Bank |
Bank of England Governor Andrew Bailey (also FSB chair)
|
IMF Spring Meetings remarks
At the IMF/World Bank Spring Meetings, Bailey called Mythos 'a very serious challenge for all of us' and said regulators must move fast. On regulation timing he warned of the dual risks of moving too early — distorting evolution of the technology — or too late, when threats can get out of control.
|
Financial Times; Irish Times; PYMNTS |
| Apr 17, 2026 |
Canada
|
🏛️Finance Ministry |
BoC Governor Tiff Macklem; Finance Min. Champagne; AI Min. Solomon
|
IMF Spring Meetings
Macklem said global financial systems must 'come to grips' with AI risks; the model was discussed at the BoC's financial sector resiliency group. Champagne called Mythos a 'test case' and 'unknown unknown.' AI Minister Evan Solomon met directly with Anthropic.
|
BBC; The Canadian Press; Globalnews.ca |
| Apr 17, 2026 |
United Kingdom
|
🏛️Finance Ministry |
Bank of England — CMORG; FCA; HM Treasury; NCSC
|
Cross-Market briefing scheduled
The Cross Market Operational Resilience Group (CMORG), co-chaired by the BoE's Duncan Mackinnon, scheduled an urgent meeting with NCSC, FCA, HM Treasury and major British banks/insurers/financial-infrastructure providers within a fortnight to examine vulnerabilities raised by Mythos.
|
Raconteur; Financial Times; Computing.co.uk |
| Apr 17, 2026 |
Eurozone
|
🏛️Finance Ministry |
ECB Banking Supervision; BaFin; Bundesbank; German Banking Association
|
Parallel supervisory engagement
Two parallel attributions on the same date. (1) ECB Banking Supervision: supervisors prepared to question euro-area lenders directly about Mythos readiness, gathering information ahead of a roundtable. (2) German Banking Association: confirmed it was consulting cyber experts at member banks, the Finance Ministry, the Bundesbank, and BaFin on Mythos response. The two engagements are tracked together because they describe coordinated euro-area / German supervisory machinery in motion the same day, but they are distinct statements from distinct institutions.
|
Reuters; Cybernews; Dawn Liphardt |
| Apr 17, 2026 |
United Kingdom
|
💬Bank Exec |
Barclays CEO C.S. Venkatakrishnan
|
Public statement in Washington
Venkatakrishnan said in Washington that Mythos was a serious threat to the global banking system and likely to be followed by similar, more powerful cyberthreats.
|
Reuters; BusinessWorld |
| Apr 20, 2026 |
Singapore
|
🛡️Financial Regulator |
Monetary Authority of Singapore (MAS)
|
Formal statement to Reuters/Bloomberg
MAS said advances in AI could speed up the discovery and exploitation of software vulnerabilities, and that financial institutions needed to 'redouble efforts' to strengthen security defences, identify and close vulnerabilities, and raise vigilance on cyber hygiene including timely patching. MAS coordinated with the Cyber Security Agency of Singapore.
|
Reuters; Bloomberg; iTnews |
| Apr 20, 2026 |
Hong Kong
|
🛡️Financial Regulator |
Hong Kong Monetary Authority (HKMA)
|
Engagement with major banks
HKMA said it had engaged with major banks, was highly vigilant to evolving AI-driven cyber threats including Mythos, and was about to bring forward a new framework. Confirmed it had contacted 'a range of major banks' to update risk assessments.
|
Reuters; iTnews |
| Apr 21, 2026 |
Germany
|
🏦Central Bank |
Bundesbank President Joachim Nagel
|
Speech at International Economic Symposium, Rome
Nagel described Mythos as an AI model capable of quickly identifying and exploiting security vulnerabilities in financial institutions' software. He called for all institutions to have access to avoid competitive distortion: 'All relevant institutions should have access to this technology.' Warned of new and sophisticated cyber risks from autonomous AI agents.
|
Reuters; Central Banking; Cointribune |
| Apr 22, 2026 |
Japan
|
🏛️Finance Ministry |
Finance Minister Satsuki Katayama, Ministry of Finance / FSA
|
FSA press conference confirming planned megabank meeting
At her regular FSA press conference, Katayama publicly confirmed she would meet "core members of the Bank of Japan, the three megabanks, and the Tokyo Stock Exchange" later that week to discuss Mythos. Katayama framed the rationale: "When a system or technology becomes highly capable, its vulnerabilities may also be identified quickly, creating the risk that they could be exploited by malicious actors." She also noted that the Greek Finance Minister, current chair of the Eurogroup, had raised concerns about the issue in a recent bilateral. The press conference is the public confirmation of intent two days before the formal April 24 working group (Row 25).
|
FSA official press conference transcript; Bloomberg; Japan Times |
| Apr 22, 2026 |
Australia
|
🏦Central Bank |
Reserve Bank of Australia (RBA); ASIC
|
Public statements on Mythos
RBA confirmed to Central Banking it had noted Mythos's coding and vulnerability identification capabilities and was 'closely monitoring developments related to Claude Mythos.' RBA spokesperson: the bank is 'engaging with peer regulators, government and regulated entities' to assess implications. ASIC said separately it 'notes the recent announcement by Anthropic and is closely monitoring these developments along with peer regulators to assess possible implications for the Australian market.' ASIC added that financial services licensees should 'be on the front foot.'
|
Bloomberg; Reuters; Central Banking; The Nightly; iTnews |
| Apr 22, 2026 |
New Zealand
|
🏦Central Bank |
Reserve Bank of New Zealand (RBNZ)
|
Public statement on Mythos
RBNZ confirmed to Bloomberg that it was monitoring developments around Anthropic's Mythos AI model — issued as a separate New Zealand central bank statement alongside the parallel RBA statement the same day. RBNZ described the risks as 'developing' and confirmed it was coordinating with domestic and Australian counterparts.
|
Bloomberg; Reuters; Japan Times; TradingView |
| Apr 22, 2026 |
India
|
🏦Central Bank |
Reserve Bank of India (RBI); NPCI
|
Reuters report on global consultations
Reuters: RBI 'in talks with global regulators, Indian lenders and government officials' over Mythos. Held consultations with US Federal Reserve and Bank of England; possible direct engagement with Anthropic. NPCI sought early access alongside small group of banks to test for zero-day vulnerabilities in Indian payment systems.
|
Reuters; Yahoo Finance; Tech Observer |
| Apr 23, 2026 |
India
|
🏛️Finance Ministry |
Finance Min. Nirmala Sitharaman; RBI; MeitY
|
Inter-ministerial meeting
Sitharaman chaired a meeting with bank chiefs, RBI officials and MeitY representatives, calling the risks 'unprecedented' and ordering creation of a real-time threat intelligence sharing system across banks, CERT-In and other agencies.
|
Business Today; Harro; Newsbytesapp |
| Apr 24, 2026 |
Japan
|
🏦Central Bank |
FSA; Bank of Japan; JPX; megabanks
|
Joint working group formed
Financial Services Minister Satsuki Katayama announced a joint working group plan, approved at a meeting attended by BOJ Governor Kazuo Ueda, JPX CEO Hiromi Yamaji and the heads of MUFG, SMFG and Mizuho. 'Cyberattacks against the financial industry could immediately trigger credit uneasiness,' she said.
|
Nippon.com (Jiji); BigGo Finance; Dark Reading |
| Apr 24, 2026 |
Switzerland
|
🛡️Financial Regulator |
FINMA
|
Statement to Bloomberg on systemic risk
A FINMA spokesperson told Bloomberg that uncontrolled, immediate availability of AI models such as Mythos "would be classified as a systemic risk," warning that virtually all software systems could simultaneously face previously unknown zero-day vulnerabilities exploited via AI. FINMA said it was in contact with the Federal Office for Cybersecurity, banks, and critical service providers, and coordinating with international authorities.
|
Bloomberg; Reuters via Investing.com |
| Apr 29, 2026 |
Germany
|
🏦Central Bank |
Bundesbank board member Michael Theurer
|
Reuters interview
Theurer told Reuters it was 'necessary' for the European Commission and governments in Europe to approach Anthropic — or the United States — to request that the technology be shared, so that European institutions could also benefit from the insights. Sources told Reuters Anthropic plans to provide access to European banks soon.
|
Reuters; StreetInsider; MarketScreener |
| Apr 30, 2026 |
Australia
|
🛡️Financial Regulator |
APRA (Australian Prudential Regulation Authority)
|
Formal letter to industry
APRA published a formal letter calling for 'a step-change in how banks, insurers and superannuation trustees manage AI-related risks,' explicitly warning that frontier AI models such as Anthropic's Claude Mythos could enhance the discovery of vulnerabilities by bad actors. Member Therese McCarthy Hockey said governance 'isn't keeping up' with AI adoption.
|
APRA; Reuters; The Star |
| Apr 28, 2026 |
United States
|
💬Bank Exec |
JPMorgan CEO Jamie Dimon
|
Norges Bank Investment Management conference, Oslo
Asked the greatest risk to the global economy, Dimon — who for years had answered 'geopolitics' — replaced it with: 'Cyber. The bad guys can use cyber, and they're going to get stronger and more powerful in terms of finding vulnerabilities.'
|
Fortune; Reuters; Bloomberg |
| Apr 22, 2026 |
United States
|
🏦Central Bank |
St. Louis Fed President Alberto Musalem
|
Reuters interview
Musalem told Reuters Mythos emphasized the need for the U.S. central bank to "revisit how we're thinking about cybersecurity. And we're evaluating." First public Mythos commentary from a regional Fed Bank president.
|
Reuters; BBC Bermuda |
| Apr 28, 2026 |
Multilateral
|
🛡️Financial Regulator |
Cambridge Centre for Alternative Finance; BIS; IMF; WEF; World Bank
|
Joint global report on AI in financial services
The 2026 Global AI in Financial Services Report — surveying 628 organisations across 151 jurisdictions including 130 central banks and financial authorities — found financial firms adopting AI at more than twice the rate of supervisors (40% vs 20% advanced adoption). The report explicitly cited Anthropic's Mythos, describing the model as "often more capable than humans in hacking" and noting that this makes manual oversight of AI use in financial services problematic. 48% of respondents flagged adversarial AI as a top concern.
|
Reuters; Cambridge Judge Business School; PYMNTS |
| May 4, 2026NEW |
Eurozone
|
🏛️Finance Ministry |
Eurogroup (euro-area finance ministers)
|
Eurogroup meeting; ministers discussed Mythos with banking supervisors
Multi-event synthesis. (1) As previewed in Bloomberg's Apr 30 reporting, euro-area finance ministers met with the chairs of the Single Supervisory Mechanism and Single Resolution Board to take up Mythos as part of the bank operational-resilience agenda item covering cyber security and AI use. (2) Spain's economy minister Carlos Cuerpo, before the meeting, told reporters: 'We need to have a response from Europe… how we can defend ourselves, ensure our companies have access to these models, and can protect themselves against what may come.' Cuerpo also said Mythos and similar models may be able 'to find vulnerabilities or backdoors in virtually all our institutions, not only in the financial sector and companies, but across all sectors,' and pushed for invoking the AI Act. (3) Eurogroup President Kyriakos Pierrakakis acknowledged ministers will need to revisit the issue at future gatherings. (4) The meeting produced no formal access agreement; the institutional outcome was a coordinated euro-area political-level signal that supervisors expect equivalent treatment, escalating from individual national engagements (Bundesbank Theurer Apr 29, Nagel Apr 21, ECB Banking Supervision Apr 17) to political-level engagement.
|
Bloomberg; The Next Web; Insight EU Monitoring |
| Apr 27, 2026NEW |
United States
|
🏦Central Bank |
Fed Vice Chair for Supervision Michelle Bowman
|
FSOC AI Innovation Series roundtable speech (delivered Apr 27, published May 1)
In prepared remarks at an FSOC AI Innovation Series roundtable (delivered Apr 27, published May 1), Bowman described Mythos as highlighting the dynamic nature of frontier AI and the rapid pace at which capability evolves. She framed the dual-use tension: the capability could enhance cyber security by helping firms address self-identified vulnerabilities, but "if used maliciously it could be deployed to identify and exploit weaknesses." Bowman noted banks of all sizes had raised access concerns and committed regulators to refine their supervisory approach. First on-the-record Mythos commentary from the Fed's top supervisory official.
|
Federal Reserve Board; Bloomberg; PYMNTS; ABA Banking Journal |
| May 4, 2026NEW |
Eurozone
|
🏦Central Bank |
ECB Vice President Luis de Guindos
|
ECON Committee hearing remarks on Mythos
At his final European Parliament ECON Committee appearance presenting the ECB's 2025 Annual Report, de Guindos addressed Mythos directly: advanced AI models 'should be focused on identifying the flaws of your operating systems' but warned that if bad actors gain access, it 'can give rise to a lot of problems.' First on-the-record Mythos commentary from the ECB's vice president to the European Parliament. Same-day appearance as the Eurogroup political-level engagement, but a separate institutional venue (Parliament committee hearing rather than ministers' meeting).
|
The Next Web; Eunews.it; European Parliament ECON Committee |
| May 4, 2026NEW |
European Union
|
🏛️Finance Ministry |
EU Economy Commissioner Valdis Dombrovskis
|
Confirmed Commission in talks with Anthropic over Mythos access
Speaking after the May 4 Eurogroup, Dombrovskis confirmed the European Commission is in talks with Anthropic about getting European companies and banks tested for vulnerabilities Mythos might expose. Commission representatives had met Anthropic and received a briefing on the model's cyber capabilities and risks. The Commission is assessing implications for EU policies and legislation.
|
Bloomberg; techwireasia |
| May 5, 2026NEW |
Singapore
|
🛡️Financial Regulator |
SMS Tan Kiat How (MDDI); Cyber Security Agency of Singapore
|
Parliament statement; CSA frontier-AI advisory; CII review
Multi-event synthesis. (1) Senior Minister of State Tan Kiat How told Parliament May 5 that frontier AI models could enable attacks that are 'faster, more scalable and sophisticated,' and that the government is reviewing standards and obligations for Critical Information Infrastructure (CII) owners so they can respond more urgently to threats posed by these models. (2) The Cyber Security Agency of Singapore (CSA) issued an advisory on frontier AI risks outlining immediate mitigation measures including patching high-critical vulnerabilities, plus other defense strategies. (3) Tan said the Singapore government is working with partners that have access to Mythos to better understand its capabilities; the government does not have access and is not aware of any local bank that has been granted access. Builds on the earlier MAS Apr 20 supervisory framing.
|
Techgoondu; techwireasia |
| May 4, 2026NEW |
Spain
|
🏛️Finance Ministry |
Spain economy minister Carlos Cuerpo
|
Pre-Eurogroup statement positioning Spain on Mythos
Speaking to reporters before the May 4 Eurogroup meeting in Brussels, Cuerpo gave the most direct national-level positioning on Mythos from any euro-area finance minister to date. He told reporters: 'We need to have a response from Europe… how we can defend ourselves, ensure our companies have access to these models, and can protect themselves against what may come.' Cuerpo also said Mythos and similar models may be able 'to find vulnerabilities or backdoors in virtually all our institutions, not only in the financial sector and companies, but across all sectors,' and pushed for invoking the AI Act as a regulatory instrument. The pre-Eurogroup framing distinguishes this from the broader Eurogroup engagement: Cuerpo articulated Spain's view as a national position before consulting with euro-area peers.
|
Bloomberg; The Next Web |