ECB Summons Banks Over AI Cyber Risks From Claude Mythos
ECB Summons Eurozone Banks Over AI Cybersecurity Risks – Advanced Models Accelerate Exploit Discovery
Key Takeaways
- The European Central Bank has called 111 major Eurozone banks to a session focused on cybersecurity risks linked to advanced AI models such as Anthropic’s Claude Mythos.
- ECB supervisory board vice-chair Frank Elderson urged banks to accelerate software patch deployment due to faster exploit development enabled by AI.
- Claude Mythos Preview cleared 73% of expert-level Capture the Flag challenges, a benchmark no AI model had passed before April 2025.
- Mozilla released Firefox 150 with 271 patches for vulnerabilities identified by the model, significantly exceeding prior results from Opus 4.6.
- The ECB is encouraging US institutions with access to frontier AI tools to share testing insights with Eurozone banks.
ECB Calls Supervisory Session on AI-Driven Cyber Risks
The European Central Bank has summoned banks under its direct supervision to a dedicated session on cybersecurity risks linked to advanced artificial intelligence systems. The meeting follows growing concern within the supervisory authority about the speed at which new AI models can identify and potentially exploit software vulnerabilities.
Frank Elderson, vice-chair of the ECB’s supervisory board, said the regulator wants banks to accelerate the rollout of security patches. The ECB directly supervises 111 of the largest banks in the Eurozone, and these institutions are expected to reassess their response times in light of recent technological developments.
Elderson stated that long-standing cybersecurity issues remain relevant but now require faster resolution due to rapid progress in AI capabilities. He described the need to move beyond what he called an “andante” pace of remediation and adopt a significantly quicker tempo.
Claude Mythos Preview Demonstrates Advanced Exploit Detection
The ECB’s concerns are tied in part to recent testing results involving Anthropic’s Claude Mythos Preview, released in April under Project Glasswing, a restricted program.
According to evaluations conducted by the UK’s AI Security Institute, the Mythos Preview model successfully cleared 73% of expert-level Capture the Flag challenges. These challenges simulate complex cybersecurity tasks and are widely used to test vulnerability detection and exploitation capabilities. No AI model had reached that benchmark before April 2025.
The results highlight a step change in automated vulnerability discovery. While improved detection can help developers identify weaknesses, the same capabilities can theoretically be used to analyze and exploit systems if those weaknesses are not addressed quickly.
Further evidence of the model’s capabilities emerged in the software sector. Mozilla released Firefox 150 with 271 patches addressing vulnerabilities identified by the AI model. This figure significantly exceeded results achieved using the earlier Opus 4.6 model.
ECB Warns of Faster Exploit Reverse Engineering
Elderson warned that attackers can now reverse engineer software fixes within 30 minutes. This compressed timeframe reduces the margin between vulnerability disclosure and active exploitation.
For banks, which operate complex IT infrastructures and handle sensitive financial data, patch management cycles have traditionally followed structured timelines. The ECB’s message indicates that these cycles may need to be shortened to keep pace with AI-driven vulnerability analysis.
The regulator emphasized that existing cybersecurity frameworks remain valid but must be executed faster. According to Elderson, the acceleration of AI capability means that previously acceptable response speeds may no longer provide sufficient protection.
Access Gap Between US and European Institutions
A further issue raised by the ECB concerns unequal access to frontier AI systems. Most European lenders do not participate in Project Glasswing and therefore lack direct access to models such as Claude Mythos.
Elderson described this access gap as unfortunate but said it does not justify inaction. Instead, the ECB wants US institutions that have access to advanced models to share insights from their internal testing with Eurozone counterparts.
The upcoming supervisory session is expected to serve as a platform for exchanging information on how banks assess AI-related cyber risks and adapt their internal controls.
Relevance for Financial Institutions and Digital Asset Services
For institutions operating in digital finance, including crypto-related services and online platforms, cybersecurity resilience remains central to safeguarding client funds and maintaining operational continuity.
The ECB’s intervention underscores that AI is not only a tool for efficiency but also a factor reshaping the threat landscape. The ability of advanced models to rapidly identify vulnerabilities can shorten the lifecycle between flaw discovery and exploitation.
Banks supervised by the ECB are now being urged to adjust patch deployment timelines and strengthen their internal processes accordingly. Institutions outside direct supervisory scope may also monitor the developments, particularly if they rely on similar software environments.
Our Assessment
The ECB has formally escalated its focus on cybersecurity in response to the demonstrated capabilities of advanced AI models such as Claude Mythos Preview. Testing results showing high performance in expert-level vulnerability challenges, and the identification of vulnerabilities addressed by hundreds of software patches, have prompted the regulator to push for faster remediation cycles. By convening supervised banks and encouraging cross-border information sharing, the ECB is signaling that AI-driven exploit detection represents an immediate operational risk that financial institutions must address through accelerated patch management and coordinated oversight.
