The Bank of Canada and the country’s major banks and financial firms met Friday to discuss cybersecurity risks raised by Anthropic PBC’s latest artificial intelligence model.
The gathering followed a similar move by US policymakers earlier in the week. Bloomberg News reported Thursday that US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned Wall Street leaders for an urgent discussion about Anthropic’s Mythos and similar AI models. The executives included Citigroup Inc’s Jane Fraser and Goldman Sachs Group Inc’s David Solomon.
The Canadian meeting involved members of a body known as the Canadian Financial Sector Resiliency Group, which includes representatives from the six largest domestic banks including Royal Bank of Canada and Toronto-Dominion Bank. Members also include the parent company of the Toronto Stock Exchange, the federal finance department, and financial regulatory agencies including the country’s bank regulator, the Office of the Superintendent of Financial Institutions.
It was an executive-level gathering of the group to share information and perspectives on the issue, not a discussion about any active or imminent cyber threats, according to a person familiar with the discussions.
"We are in active conversations with institutions to raise awareness, as well as assess this situation and its potential impact on the resilience of the financial system,” a spokesperson for OSFI said in an emailed statement. The regulator is engaged with banks "on recent developments regarding advanced artificial intelligence models and their potential cybersecurity implications.”
The meeting and OSFI’s comments are further signals of the growing concern among regulators globally that more powerful AI models will lead to a new breed of cyber attacks against the financial industry.
Banks are increasingly creating dedicated teams to use AI to find savings and identify business opportunities, but the companies are also seeking to manage the risks that come with the fast-moving technology. Since 2023, OSFI has been tasked with evaluating whether the country’s banks and insurers have adequate policies in place to protect themselves against security threats. It’s also issued a guideline on technology and cyber risk management.
"OSFI does not plan to issue short-term changes to its existing guidelines in response to this emerging threat,” the spokesperson said, but added that the regulator will continue sharing "threat and mitigation information in coordination with the Canadian Centre for Cyber Security and monitor risks accordingly.”
Mythos, Glasswing
Anthropic’s Mythos is a sophisticated new model capable of identifying and exploiting vulnerabilities in every major operating system and web browser, the company has said. It’s so powerful, that the company has decided not to release it to the general public. Instead, it’s formed a group called Project Glasswing to provide testing access to a group of major tech companies as well as JPMorgan Chase & Co.
The goal is for the companies to test the model against their own products, scouring them for flaws that could be exploited, and report back. Anthropic will use the findings to help determine what guardrails are needed for the technology.
In the US, some Wall Street banks are testing the technology internally, including Goldman Sachs, Citigroup and Bank of America Corp.
"The Bank of Canada is aware of this issue. We take cybersecurity very seriously,” Paul Badertscher, a spokesperson for the central bank, said by email.
The mandate of the group that met on Friday, which is a public-private partnership led by the Bank of Canada, is to "enhance the operational resilience of Canada’s critical financial sector.”
A spokesperson for Finance Minister François-Philippe Champagne confirmed the meeting took place on Friday.
The Canadian Bankers Association, an industry lobby group that represents dozens of banks including the big six, didn’t comment specifically on the Anthropic model or the meeting Friday.
Banks are managing the risks associated with AI through "long-standing, sector‑specific regulatory requirements and internal frameworks,” CBA spokesperson Ethan Teclu said by email. – Bloomberg
