The European Central Bank (ECB) has called for tomorrow, Tuesday 26 May, an extraordinary meeting dedicated to cybersecurity. The objective is to push credit institutions to strengthen their IT systems in the face of a concrete threat, represented by the most advanced artificial intelligence models.
At the heart of the debate is Claude Mythos, a generative system developed by the American company Anthropic that has demonstrated hitherto unprecedented capabilities: identifying flaws in the software protection systems of credit institutions on a global scale with a speed and precision never seen before. The technology in question is able to analyze software patches (the code fragments released by manufacturers to correct vulnerabilities) and trace the original problem in less than half an hour. A period of time that is too short for technicians to be able to secure banking infrastructures before someone attacks them.
Access to Mythos is today reserved for a few entities, mostly North American, involved in the test program called Project Glasswing. The ECB could use tomorrow’s meeting to convince the European subsidiaries of large overseas financial groups to share the information gathered during these tests with their counterparts on the Old Continent. The logic is simple: build a common defense before similar tools end up in the wrong hands.
Let’s be clear, what is scary is not a critical flaw in the IT framework of our banks, but the speed at which changes are happening in the AI sector applied to banking. During controlled simulations, the developers found that Mythos managed to find thousands of critical vulnerabilities within the digital platforms and browsers we use every day, and this in a very short time.
Until yesterday, banks’ technical teams managed updates methodically, if slowly. Today, the computing power of models like Mythos allows potential attackers to perform reverse engineering – that is, to trace a newly published fix back to the original bug – in just a few minutes. The result? Banks that are not yet updated become potentially easy targets to hit.
Frank Elderson, Vice-President of the Supervisory Board of the ECB, speaking to the Financial Times, used a musical metaphor to describe the situation: if to date the moderate pace of the procedures adopted – defined by Elderson as «going» – was sufficient, the evolution of AI requires us to move to a decidedly more orchestral tempo: «Soon». Words that sound like a wake-up call for the 111 main eurozone institutions supervised by the ECB, including the European branches of giants such as JPMorgan Chase, which have already had access to Mythos as part of Project Glasswing and therefore have valuable data at their disposal. Regarding the importance of banks being quick to implement software fixes, Elderson explained bluntly:
It seems that if one of the big software vendors releases a patch, it is possible to reverse engineer the vulnerability that the patch is supposed to fix, not in weeks, but perhaps in 30 minutes. (…) This means that, once the patch is published, a bank must have processes in place to ensure that it applies these patches much faster than is currently the case according to market practice.
There is a clear asymmetry in access to these technologies. Anthropic has so far shared analyses and general reports only with very few supranational bodies, including the European Commission and the Financial Stability Board, excluding large purely European banking groups. But this temporary exclusion cannot become an alibi for remaining still.
The supervisory leaders forcefully remind us: not using a tool directly does not eliminate the risk that others – including criminal groups – will do so shortly. Tomorrow’s meeting, a historically unusual event outside the normal institutional calendar, is a strong and clear signal. Protecting their financial data architecture has become a strategic priority for European banks.
