Why Claude Mythos Is Triggering a Cyber Insurance Rethink in India


The accidental leak of Anthropic’s Mythos—an artificial intelligence (AI) system that can find and exploit software vulnerabilities in enterprise systems and networks—on March 26 has put industry players, especially in the banking, financial services and insurance (BFSI) sector, on alert regarding the potential damage that it can cause. Due to the risks Mythos poses, Anthropic subsequently restricted its release to select companies, which will study the cybersecurity risks, as part of what it calls Project Glasswing; these partner companies include JP Morgan, Apple, AWS, Microsoft and Nvidia. In a press release dated April 7, Anthropic said, “As part of Project Glasswing, the launch partners will use Mythos Preview as part of their cybersecurity work. Anthropic will share what we learn so the whole industry can benefit.”

Mythos is an AI system that can autonomously identify software flaws lying dormant in legacy banking software systems and can misuse them in a matter of hours, which is too short a time to find solutions for these flaws. Since banks share their digital infrastructure with third-party vendors, such as cloud-based services, a single exploit by Mythos can have a rapidly cascading impact across wider, interconnected financial systems.

Current cyber insurance policies cover financial fallouts from AI-driven “zero-day” cyberattacks—attacks in which software developers have zero days to fix the system’s flaws—and widespread software vulnerabilities. These policy coverages can absorb losses caused by business interruptions and can fund the company’s response to such incidents. However, existing cybercrime insurance policies do not cover potential threats specifically posed by Mythos.

Vrajesh Bhavsar, CEO of San Francisco-based cyber security platform Operant AI, says the emergent nature of Mythos poses the biggest risk. “Nobody at Anthropic designed it to discover zero-day [scenarios]; it just did. That’s what emergent behaviour means in practice: An AI system crossing capability thresholds its creators never intended, never tested for, and couldn’t predict. Over 99 percent of the vulnerabilities it found during testing were unpatched at disclosure. Every security assumption financial institutions are operating on was built before emergent behaviour at this scale was proven possible. That’s the real threat: Not one specific exploit, but a fundamentally changed playing field. The good news is runtime defence exists precisely for this: Blocking threats as they emerge, not after,” he says.

Apurva Gopinath, cyber leader and vice president, Financial Services and Professional Group, AON India, says Mythos can target customer funds, credentials, and payment systems of banks. “Regulators in India expect continuous monitoring, rapid detection and strong incident response for emerging malware families. Successful attacks can cause major financial loss, reputational damage and operational disruption,” she says. Although the Indian market has insurance coverage for cybercrimes, no new product has been formulated to protect against the kind of threats that Mythos can potentially cause.

Najim Bilgrami, national head, Liability Lines, Tata AIG General Insurance, says insurance coverage typically includes protection against data breaches, cyber extortion and legal expenses. “Organisations are now looking increasingly beyond financial protection and seeking access to a broader support ecosystem, including risks such as ransomware, supply chain vulnerabilities, insider threats, IoT exposures, regulatory compliance failures, and AI-enabled cyberattacks. We are working with companies across sectors to strengthen cyber preparedness through risk assessment and cyber hygiene initiatives,” he says. So far, there are no policies to cover threats specifically posed by Mythos.

“Digital-first businesses, BFSI players and tech firms have shown increasing interest. Cyber insurance enquiries and policy discussions have risen 25 to 40 percent in the past few months. For banks, advanced AI systems can potentially identify vulnerabilities, and significantly compress the time between detection and execution,” says Evaa Saiwal, business head – liability and cyber insurance, PolicyBazaar. The online insurance platform, however, did not give figures for any increase in sale of such insurance policies after the advent of Mythos. The most common policies are still the ones that cover data breach, privacy liability, ransomware, cyber extortion, and business interruption losses.

The heads of various banks are calling for increased vigilance and investments against the Mythos threat. For instance, Swarup Kumar Saha, MD and CEO of Punjab and Sind Bank, told PTI in early May that the bank is going to increase its IT spending this financial year to meet the challenges posed by new technology. Ashwani Kumar, MD and CEO of UCO Bank, said it was planning increased IT spends towards cyber security, in an investor presentation. HDFC Bank said it is planning to widen insurance coverage as risks continue to evolve, while Axis Bank said its teams are receiving training in AI-driven threat detection and analytics.

BFSI is not the only sector to which Mythos poses threats. Bhavsar says that every sector using AI is exposed to the same problem of emergent behaviour. “Mythos didn’t develop offensive capabilities because it was pointed at financial systems; those capabilities emerged regardless of context. Hospitals running AI on diagnostic or medication systems, power operators using AI for grid management, telecoms with AI embedded in network infrastructure—all of them are operating on the assumption that their AI does what it’s configured to do. Mythos proves that assumption is no longer reliable. These sectors have historically had less security investment than financial services,” he adds.

AON’s Gopinath says a strong uptake in the past three months of cyber insurance can also be seen among IT/ITeS, data centres and cloud service providers, mainly driven by contracts with global clients. “Ecommerce, retail, telecom and media mostly buy a cover due to high online transaction volumes and customer data exposure. In recent years, digital-first startups and SMEs have also begun purchasing cyber insurance. The advent of DPDP Act is also expected to further increase these purchases,” she says.

Sanjiv Bajaj, joint chairman and MD of Bajaj Capital, says that some firms continue carrying cyber insurance policies and limits that were decided years ago, when the scale of exposure was different. “Today, a breach can involve business interruption, regulatory scrutiny, legal costs, and reputational damage. Earlier, complex attacks were linked to highly specialized actors. The landscape has changed. That’s why organisations need to look beyond simply having a policy,” he adds.

Bhavsar echoes the thought. He says that the tools protecting most of the infrastructure today were designed for a landscape that Mythos has made obsolete. “Emergent behaviour doesn’t announce itself or wait for organisations to catch up. Runtime defence is how you stay ahead of it, but first organisations have to accept that the old playbook no longer applies,” he adds.


