Japan tightens bank defences over Mythos

Japan has set up a financial-sector task force to assess risks from advanced artificial intelligence systems capable of discovering software flaws at a speed that could outpace existing cyber defences, deepening official concern over the resilience of banks, exchanges and payment infrastructure.

The move follows high-level talks involving the Financial Services Agency, the Bank of Japan, national cyber security officials, Mitsubishi UFJ Financial Group, Sumitomo Mitsui Financial Group, Mizuho Financial Group and Japan Exchange Group. The focus is Anthropic’s Mythos, a powerful AI model developed for defensive cyber security work but now regarded by regulators as a potential systemic risk if similar capabilities reach hostile actors.

Finance Minister Satsuki Katayama has framed the issue as an urgent challenge for core financial institutions, warning that Japan’s highly connected financial system could face cascading disruption if attackers used AI to identify and exploit weaknesses before institutions could repair them. No breach linked to Mythos has been reported, but officials are pressing banks to examine incident response plans, software exposure, vendor dependencies and market-continuity arrangements.

Japan tightens bank defences over Mythos as regulators confront a new cyber security problem: an AI tool built to strengthen software security may also demonstrate how fast the balance between defenders and attackers is shifting. Anthropic has said its Mythos Preview found thousands of high-severity vulnerabilities, including flaws affecting every major operating system and web browser. The company has placed the model under restricted access through Project Glasswing, an effort to use frontier AI for defensive discovery before equivalent capabilities spread more widely.

Security specialists see the financial sector as particularly exposed because banks rely on layered infrastructure that includes legacy systems, cloud services, trading platforms, third-party vendors and customer-facing applications. A vulnerability in one component may not remain isolated. Settlement systems, payment networks and securities markets depend on trust, synchronised data and rapid processing, leaving little tolerance for prolonged outages or uncertainty.

Japan’s top lenders have spent heavily on cyber resilience after a series of global incidents involving ransomware, software supply-chain attacks and attacks on critical infrastructure. Yet regulators remain concerned that AI-enabled vulnerability discovery could compress the time between flaw identification and exploitation. Traditional patch cycles often take days or weeks, while advanced models may help attackers generate working exploit paths far faster.

The task force is expected to coordinate technical assessments, information sharing and emergency procedures across the financial sector. Officials are also likely to examine how institutions verify third-party software, monitor anomalous activity and isolate critical operations during a cyber event. For exchanges and clearing systems, the priority will be maintaining orderly trading and settlement even if parts of the technology stack come under pressure.

The concern extends beyond Japan. Regulators in Asia, Europe and the United States have been urging banks to review their cyber controls as AI systems become more capable of code analysis, vulnerability chaining and automated exploitation. The issue has moved from a narrow technology debate into the domain of financial stability, because a successful attack on a major bank or exchange could quickly affect liquidity, confidence and cross-border transactions.

Anthropic has presented Mythos as a controlled defensive tool rather than a public product. The company says the model is intended to help responsible institutions find and fix vulnerabilities before they are misused. That defence has not removed policy concerns. The same capability that enables security teams to uncover hidden bugs can also lower the barrier for sophisticated offensive activity if access controls fail or comparable models emerge elsewhere.

Japan’s response reflects a broader shift in cyber regulation. Authorities are moving away from treating cyber security as a compliance checklist and towards stress-testing how institutions would cope with fast-moving, AI-assisted threats. Banks may face pressure to shorten patching timelines, improve software inventories and strengthen board-level oversight of technology risk.

For Japan, the issue also intersects with its ambition to modernise finance while promoting digital innovation. The country is expanding fintech services, digital payments and AI adoption across corporate operations, but regulators are signalling that innovation must be matched by stronger safeguards. Financial institutions are being asked to prepare for a threat environment in which attackers may use tools that can scan, reason and adapt at machine speed.

The immediate test for the task force will be whether it can turn concern into operational readiness. That means clear reporting channels, shared technical indicators, realistic crisis drills and faster coordination between banks, regulators, exchanges and cyber agencies. Japan’s financial authorities are seeking to prevent an AI-driven security breakthrough from becoming a market-disrupting event.