ASIC Urges Financial Sector to Harden Cybersecurity Against Mythos

Reuters reports that the Australian Securities and Investments Commission (ASIC) published a letter urging the country's financial services industry to take urgent action on cyber risks posed by frontier AI systems such as Mythos. ASIC Commissioner Simone Constant told Reuters that preparedness among Australian financial firms varied widely and that risks can now emerge far faster than under a 12-month planning horizon. Reuters and other outlets note that Mythos, released by Anthropic under a restricted Project Glasswing preview, has high-level coding capabilities and has been used in testing that found numerous vulnerabilities. Macquarie CEO Shemara Wikramanayake told Reuters the bank is running technology programs to test systems against frontier AI models. Reporting by The Next Web and Reuters highlights concerns about the speed at which such models can surface zero-day vulnerabilities.
What happened
ASIC published a letter to the Australian financial services industry urging urgent action on cybersecurity risks from frontier AI models, Reuters reports. Simone Constant, an ASIC commissioner, told Reuters that preparedness across Australian financial services organisations "varied widely" and warned that, unlike earlier risk horizons, vulnerabilities linked to frontier AI can "emerge incredibly quickly." Reuters and other outlets report that Anthropic has made Mythos available in a tightly restricted preview called Project Glasswing, which includes participants such as Amazon, Microsoft, Nvidia, and Apple.
Technical details
Reporting by The Next Web and Reuters describes Mythos as a frontier coding-capable model whose testing has identified large numbers of software vulnerabilities. The Next Web reports that tests attributed to the model or associated evaluations found thousands of high-severity vulnerabilities across multiple operating systems and browsers, including long-standing bugs patched after a single evaluation pass. Reuters notes that Mythos's high-level coding capability has prompted regulators and some banks to re-evaluate cyber resilience testing approaches.
Editorial analysis - technical context
Industry-pattern observations: models with advanced code-generation and code-auditing capability materially accelerate discovery of exploitable flaws because they can automate and scale tasks that previously required specialist human effort. For defenders, that creates an asymmetric exposure when offensive users gain comparable access faster than defenders can run comprehensive evaluations. Organizations that rely on conventional scanning or periodic pen testing may find those approaches insufficiently rapid or exhaustive against model-driven vulnerability discovery.
Context and significance
Editorial analysis: this regulator intervention follows other supervisory commentary that financial-sector information security practices are lagging the pace of AI-driven change, as reported by Reuters and The Economic Times. The combination of a widely used sector, concentrated systemic interconnections, and a model capable of surfacing zero-days elevates prudential concerns beyond individual firms to sector-level resilience. Reporting by The Next Web highlights geopolitical and prudential debate in Europe and among central banks about access to such models for defensive testing; those debates frame ASIC's letter as part of a broader international conversation on how to balance restricted access, disclosure, and defensive capability.
What to watch
Editorial analysis: observers should track whether supervisors or industry bodies publish specific guidance, minimum testing expectations, or coordinated testing programs following ASIC's letter. Also watch for changes in access policies to Mythos or similar frontier models, including expanded defensive access programmes or formalised disclosure channels between vendors and major financial institutions. Finally, monitor vendor responses and whether banks increase automated, continuous testing or adopt red-team processes that explicitly incorporate model-driven findings.
Reported quotations and responses
Reuters quotes Simone Constant saying "Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the fundamentals that underpin your business." Reuters and other outlets quote Shemara Wikramanayake, chief executive of Macquarie, saying the bank is running substantial technology programmes to test potential risks against frontier AI models and noting that Mythos has surfaced vulnerabilities that have existed for years. Reporting indicates Anthropic had not immediately responded to requests for comment on ASIC's letter.
Bottom line
Editorial analysis: for practitioners in security and risk teams, the key implication in public reporting is that frontier code-capable models change the speed and scale at which vulnerabilities can be discovered. That dynamic increases the value of faster, automated, and continuous testing regimes and underscores the importance of coordination between vendors, regulated entities, and supervisors.
Scoring Rationale
The story matters to practitioners because a regulator is calling for urgent sector-wide action in response to a frontier model that reporting shows can rapidly surface zero-day vulnerabilities. The combination of systemic financial-sector exposure and model-driven acceleration of exploit discovery makes this a notable operational and prudential risk.

