OSFI Warns Canadian Banks Over Anthropic Mythos

OSFI Warns Canadian Banks Over Anthropic Mythos

Canada’s Office of the Superintendent of Financial Institutions (OSFI) warned the country’s largest financial institutions in April 2026 about cybersecurity risks posed by Anthropic’s Claude Mythos and other advanced AI models, according to documents obtained by Reuters through an access-to-information request. The regulator said the new technology could increase cyber threats and reduce the time institutions have to identify and fix vulnerabilities. The email was sent to chief technology officers, chief information security officers, and chief risk officers across the financial industry, including major banks and insurers.

What Makes Claude Mythos a Security Threat

Mythos, an AI model described as extremely capable at finding and exploiting cybersecurity vulnerabilities, poses significant challenges to the banking industry and its legacy technology systems, according to cybersecurity experts. Claude Mythos was developed to help organizations scan code and patch software flaws. However, security evaluations including testing by the UK AI Safety Institute revealed, it can autonomously chain together multiple complex steps to execute a complete network takeover.

Autonomous attack chain diagram showing pathway from initial vulnerability through privilege escalation to network comprom...

Anthropic has purposefully withheld the model from the general public due to its extreme capabilities. Historically, when a system flaw is found, cybersecurity teams have days or weeks to deploy a fix while Mythos-class tools allow threat actors to find and weaponize those flaws instantly at a massive scale.

Vulnerability response timeline comparison: traditional slow defense vs AI-accelerated fast cyberattack exploitation threat.

The Regulator’s Official Warning

In the April 29 email, OSFI stated that “Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation”. The regulator added, “Accordingly, this bulletin is grounded in our existing guidance and outlines sound practices that institutions can adopt to enhance the speed and effectiveness of risk identification, mitigation and response”.

OSFI urgent notice on cybersecurity enforcement for Canadian financial institutions, mandatory compliance requirements.

Additional contents of the email were redacted due to some sections of the Access to Information Act. OSFI said in an emailed response to Reuters questions that the regulator “takes a technology-neutral, risk-focused approach to emerging technologies, including advanced artificial intelligence models such as Mythos”.

Timeline of Regulatory Concerns

In early April, Canadian bank executives met with regulators to discuss the risks posed by Mythos shortly after U.S. Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell convened an urgent meeting with bank CEOs to warn of cyber risks posed by Anthropic’s latest artificial intelligence model. OSFI sent the email to company executives on April 29.

Regulators globally are trying to assess cybersecurity risks such as Anthropic’s frontier AI model Mythos. A judge blocked Anthropic’s initial blacklisting by the Pentagon in March, and the conflict has eased following the private release of Anthropic’s Mythos.

Banking Industry Response

In an interview in June, RBC’s chief technology officer Bruce Ross said Mythos underscored a shift in the cyberattack landscape, making it imperative for organizations to respond rapidly since attack methods can emerge as soon as new vulnerabilities are identified. Ross stated, “The way we’re (the industry) dealing with it is, building our own AI defenses… we’ll continue to do that”.

Banking industry defense mechanisms: AI security systems, rapid response teams, and defensive AI tools protecting financia...

Some banks deferred comments to the Canadian Bankers Association, which said banks have invested heavily to protect the financial system and are complying with robust requirements from OSFI on cyber risk management and incident reporting.

Three of Canada’s big six banks, Royal Bank of Canada, TD Bank and BMO, have outlined a plan to earn millions from their investments in AI. Bank of Nova Scotia, CIBC and National Bank have also disclosed several AI initiatives.

Limited Access to Defensive Tools

The Canadian government has said it has access to Anthropic’s Project Glasswing, which allows companies to have access to Mythos. Canada has gained limited defensive access to the platform via its Communications Security Establishment (CSE) under this program. However, it is not clear which, if any, banks in Canada are using it.

Restricted deployment of Mythos to authorized entities - Canadian security gate with access denied warning signs and biome...

An acknowledgment of the risks of Mythos from OSFI could ensure Canadian banks, insurers and other regulated institutions invest in technology to protect clients from cyber risks. OSFI is responsible for regulating and maintaining the stability of Canada’s financial sector, from banks to pension funds, and identifying risks emerging from foreign interference, geopolitics and new technology.

Key Facts

  • OSFI sent warning emails to major Canadian financial institutions on April 29, 2026, specifically naming Anthropic’s Claude Mythos as a cybersecurity threat
  • Claude Mythos can autonomously chain together multiple complex steps to execute complete network takeovers, according to UK AI Safety Institute testing
  • The AI model compresses the vulnerability exploitation timeline from days or weeks to instant weaponization at massive scale
  • Canadian bank executives met with regulators in early April following similar warnings from U.S. Treasury Secretary Scott Bessent and former Federal Reserve Chair Jerome Powell
  • Canada’s Communications Security Establishment has defensive access to Mythos through Anthropic’s Project Glasswing
  • RBC’s chief technology officer confirmed in June that the bank is building AI defenses in response to the shifting cyberattack landscape

Sources

Sources

  1. Canada Regulator Cited Anthropic’s Claude Mythos in Warning to Banks on Cyber Risks, Email Shows
  2. Canadian regulator warns banks of cyber threats, citing Anthropic’s Claude Mythos
  3. Canada regulator cited Anthropic’s Claude Mythos in warning to banks on cyber risks, email shows | MarketScreener
  4. Canada regulator cited Anthropic’s Claude Mythos in warning to banks on cyber risks, email shows | The Star