ECB Urges Banks to Accelerate Cyber Defenses Against AI Risks

ECB Executive Board member and Supervisory Board vice-chair Frank Elderson told the Financial Times the ECB summoned major eurozone banks to an urgent meeting in late May 2026 to accelerate cyber defenses, after Anthropic's Claude Mythos Preview model identified thousands of high-severity software vulnerabilities. Elderson said AI can now reverse-engineer a vendor's security patch into a working exploit in "maybe 30 minutes" rather than weeks, warning banks that "the clock is ticking." Only 40 to 50 organizations, none of them European banks, have access to Mythos through Anthropic's controlled Project Glasswing program; in testing, the model produced working exploits on its first attempt more than 83% of the time. The ECB is asking US banks with Mythos access to share findings with EU peers, while the Fed, US Treasury, and Financial Stability Board separately review the same risk.
This is less a story about a single ECB meeting than about a genuine capability gap in financial-sector cybersecurity: a frontier AI model is finding and weaponizing vulnerabilities faster than the patch-and-defend cycle most banks are built around, and the organizations best positioned to see that risk, European banks, currently have no access to the model producing it.
What happened
ECB Executive Board member and Supervisory Board vice-chair Frank Elderson told the Financial Times that the ECB summoned major eurozone banks, of which it supervises about 111, to an urgent meeting in late May 2026 to accelerate cybersecurity work already underway. "There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster," Elderson said, according to the Financial Times, as reported by The Next Web and FStech. He said AI models can now reverse-engineer a software vendor's patch and produce a working exploit within minutes of release: "It seems if one of the big software providers comes with a patch it is possible to reverse-engineer the vulnerability that the patch is supposed to patch, not in weeks but maybe in 30 minutes." Elderson called the shift "game-changing" and said "the clock is ticking." The trigger is Anthropic's Claude Mythos Preview, which the company has said identified "thousands of high-severity vulnerabilities" across major operating systems and browsers, with a first-attempt exploit success rate above 83% in controlled testing, according to reporting on the model.
Industry context
Access to Mythos is restricted to roughly 40 to 50 organizations through Anthropic's Project Glasswing testing program, including Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase, per The Next Web; no European bank is on that list. The ECB is asking the US banks with access to share their findings with European counterparts. Elderson called the access gap "unfortunate" but said it is "not an excuse for inaction," warning that "malicious actors might have access to this technology soon" (Anthropic has estimated adversaries could replicate the capability within six to twelve months). The concern extends beyond the ECB: Anthropic has briefed the Financial Stability Board, at the request of Bank of England governor Andrew Bailey, who chairs it, and the Federal Reserve and US Treasury separately convened bank CEOs on the same risk. Separately, French AI startup Mistral AI is in talks with European banks, including HSBC and BNP Paribas, about a rival vulnerability-hunting model, framing it as a matter of technological sovereignty.
For practitioners
For bank security and compliance teams, the practical takeaway is that patch-and-defend timelines built around weeks or days no longer hold when adversaries, or defenders, can wield AI-assisted reverse engineering; the EU's Digital Operational Resilience Act (DORA), which requires banks to manage IT risk, test resilience, and report incidents, is the regulatory lever the ECB is expected to lean on. Expect near-term demand for automated patch orchestration, faster incident-response pipelines, and closer scrutiny of third-party and vendor risk, regardless of whether a given bank has access to Mythos-class tooling.
What to watch
- Whether the EU reaches an access agreement with Anthropic for banks and regulators to test against Mythos-class vulnerabilities directly; talks with the European Commission were reported stalled as of mid-May.
- Formal ECB supervisory guidance or DORA-linked expectations referencing AI-driven cyber risk.
- Progress on Mistral AI's rival cybersecurity model and whether European banks adopt it as an alternative access point.
- Further disclosures from Palo Alto Networks and others on the pace of AI-discovered vulnerabilities industry-wide.
Key Points
- ECB's Frank Elderson said AI can now reverse-engineer a security patch into a working exploit in about 30 minutes, urging banks to speed up cyber defenses.
- Only 40 to 50 organizations, none of them European banks, have access to Anthropic's Mythos model, which found exploits on its first attempt over 83% of the time.
- The Fed, US Treasury, and Financial Stability Board are separately reviewing the same AI-driven cybersecurity risk, while Mistral AI courts European banks with a rival model.
Scoring Rationale
Materially more significant than the original thin write-up captured: this is a systemic financial-stability story with the ECB, Bank of England-chaired Financial Stability Board, US Federal Reserve, and Treasury all separately mobilizing around the same AI-driven cyber risk, plus a live competitive dynamic (Mistral AI courting European banks). Verified via two independently fetched outlets quoting the same on-the-record ECB official. Upgraded from the prior score to reflect the real scope now visible.