Claude Mythos cyber risk: Sitharaman alerts banks 2026

Why the Finance Ministry called banks for a security review

India’s Finance Minister Nirmala Sitharaman has flagged what she called an “unprecedented” cybersecurity risk tied to Claude Mythos, an advanced AI model built by Anthropic. The warning came after the Finance Ministry convened a high-level meeting with heads of several banks to assess potential threats to India’s financial systems.

According to the Ministry’s post on X, the discussion focused on vigilance, preparedness, and coordination across banks and financial institutions. The government’s concern is rooted in the dual-use nature of cybersecurity-focused AI: a tool that can strengthen defences can also be misused to identify and exploit vulnerabilities. The meeting signals a push to harden the banking ecosystem as AI-driven threat capabilities evolve.

Who attended, and what the government highlighted

Sitharaman chaired the meeting with senior bank leadership, and IT Minister Ashwini Vaishnaw was present. The Finance Ministry’s X post said the threat required “a very high degree of vigilance, preparedness and better coordination across financial institutions and banks.”

Officials discussed how emerging AI models could be misused to weaponise software vulnerabilities and target financial infrastructure. Banks were asked to take pre-emptive measures to protect their IT systems, customer data, and financial assets. The government also indicated that it is examining sector-wide processes rather than leaving responses to individual institutions.

What is Anthropic’s Claude Mythos, as described in reports

Claude Mythos is described as Anthropic’s most powerful cybersecurity-focused AI model. Reports cited in the article say Anthropic has not released the model to the general public because of its capability. The system is said to have identified thousands of security flaws that human experts missed.

One specific detail highlighted in the reports is that Mythos found vulnerabilities that were as old as 27 years in major operating systems and web browsers. Anthropic has cautioned that broad access could make exploitation easier for malicious actors with basic resources.

Why access is restricted to around 40 companies

Anthropic has reportedly restricted access to Mythos to about 40 companies. The list cited includes major technology firms such as Amazon, Microsoft, and Google. The rationale presented is risk containment: limiting who can use the model reduces the chance that its vulnerability-finding capabilities are deployed irresponsibly.

The restricted-access approach also reflects the wider debate around frontier AI systems that can be applied to security testing and offensive exploitation. In banking and payments, where systems run at scale and downtime can have large knock-on effects, the prospect of accelerated vulnerability discovery adds urgency.

Reports of unauthorised access add to concerns

The article notes reports suggesting an unauthorised group may have gained access to Mythos. This detail is central to why regulators and banks are treating the issue as immediate rather than theoretical. If a malicious actor can use a model that excels at identifying hidden weaknesses, the window between discovery and exploitation could shrink.

The Finance Ministry and the Reserve Bank of India are studying how serious the risks could be for India’s financial sector, according to the reports. A senior finance ministry official was quoted as saying Indian systems are secure so far and there is no need for “unduly worrying,” while acknowledging ongoing due diligence.

India’s response: framework, pre-emptive controls, and monitoring

The Finance Ministry is planning to develop a framework to detect and respond to potential cyber threats linked to advanced AI tools like Mythos. In the meeting, Sitharaman instructed banks to take preventive steps to secure IT infrastructure and protect customer data.

Banks were also urged to enhance defensive and monitoring capabilities with help from cybersecurity professionals and specialised agencies. The focus, as presented, is on readiness: hardening systems and ensuring banks can identify suspicious activity quickly.

Real-time threat intelligence sharing with CERT-In and agencies

A major operational recommendation was the creation of a real-time threat intelligence sharing mechanism. The Finance Ministry said it was advised that such a robust mechanism be established among banks, CERT-In, and other relevant agencies.

The intent is sector-wide coordination: identify threats early, circulate indicators of compromise quickly, and enable timely action across the banking ecosystem. This approach aims to reduce fragmentation in responses, especially when a fast-moving threat could affect multiple institutions.

The IBA’s role in coordinated response

Sitharaman asked the Indian Banks’ Association (IBA) to develop a coordinated institutional mechanism to respond swiftly to cyber threats. The IBA’s role, as laid out in the reports, is to help create a common response playbook and enable faster alignment across banks.

The government’s direction also emphasises collaboration with cybersecurity experts, reflecting a view that banking security is now tightly linked to specialised technical capacity. The RBI is also carrying out its own checks, according to the reports.

Global attention: US talks with Wall Street banks

The article says India is not the only country monitoring Mythos. Reports indicate the US government has held talks with Wall Street banks to take similar measures. The White House is also likely planning to use Mythos across agencies to bolster cybersecurity, as per reports cited.

This global context matters because the same capability that can help agencies find and patch vulnerabilities can, if leaked or misused, raise systemic risk. For financial systems, cross-border coordination becomes relevant when vulnerabilities can affect widely used operating systems and browsers.

Key facts from the reports

Market impact: what changes for banks, customers, and investors

The article does not cite any immediate market moves or bank-specific financial impact. But it lays out clear operational implications: banks are being asked to tighten monitoring, strengthen IT controls, and adopt coordinated response mechanisms across the sector.

For customers, the measures are aimed at safeguarding data and ensuring continuity of digital banking services. For investors, the key takeaway is the regulator and government focus on systemic resilience, especially as AI-driven vulnerability discovery could shorten incident response timelines.

Analysis: why this matters for India’s digitising financial system

India’s banking and payments ecosystem is deeply digital, which increases both efficiency and exposure to cyber risk. A tool that can find “unknown” vulnerabilities at scale, as Mythos is claimed to do, shifts the security baseline. The policy response described in the article prioritises shared intelligence and coordinated action, which are standard practices in managing sector-wide cyber threats.

The reports also highlight a dual narrative: officials say systems are secure so far, while still treating the threat as severe enough to warrant a high-level review and new frameworks. That combination suggests the government is trying to avoid alarm while pushing banks to treat AI-driven cyber risk as a new class of operational priority.

Conclusion

Sitharaman’s meeting with bank heads and key stakeholders reflects India’s intent to prepare for AI-linked cyber threats tied to Anthropic’s Claude Mythos. The immediate next steps, as reported, include a Finance Ministry-led framework, real-time threat intelligence sharing with CERT-In, and an IBA-coordinated response mechanism. Further clarity is likely to emerge as the Finance Ministry and RBI complete their ongoing assessment of risks to the financial sector.