Claude Mythos: India banks tighten cyber drills in 2026

Why Mythos is on the government’s radar

India’s financial authorities have stepped up scrutiny of Anthropic’s Mythos AI model amid concerns that advanced AI tools could amplify cyber risks for banks and the broader fintech ecosystem. Finance Minister Nirmala Sitharaman chaired a high-level meeting with heads of banks to assess the possible impact of “Claude Mythos” on India’s financial systems. The review comes as global agencies and regulators discuss the model’s reported ability to identify and exploit software vulnerabilities. Officials framed the issue as a mix of near-term operational risk and longer-term strategic opportunity for defensive cybersecurity.

What happened at the high-level meeting

Sitharaman held the meeting with banks on Thursday to discuss issues linked to Mythos and the cybersecurity posture of lenders. Officials from the Department of Financial Services (DFS), the Ministry of Electronics and Information Technology (MeitY) and the Indian Computer Emergency Response Team (CERT-In) participated, signalling a coordinated approach across agencies. In another account of the meeting, the Minister for Electronics and Information Technology Ashwini Vaishnaw was also part of the discussions. The deliberations focused on risks AI could pose to the financial sector and the preparedness needed across banks and financial institutions.

A finance ministry post on X said the nature of the emerging threat is “unprecedented” and requires a very high degree of vigilance, preparedness and better coordination. The ministry also noted that banks have made progress in strengthening cybersecurity systems and protocols, but warned that AI-driven threats could evolve quickly. A senior finance ministry official, as reported, said Indian systems are secure so far and there is no need for undue worry, while also noting that the RBI is doing due diligence to ensure the sector remains secure.

The government’s key instructions to banks

The meeting’s guidance to banks centred on preemptive hardening of systems and faster information flow during incidents. Sitharaman asked banks to take necessary measures to secure IT systems, safeguard customer data, and protect monetary resources. Banks were advised to enhance cyber monitoring frameworks and engage specialised cybersecurity experts to strengthen defensive systems.

The finance ministry said it was advised that “a robust mechanism for real-time threat intelligence sharing may be established among banks, @IndianCERT and other relevant agencies” so emerging threats are identified early and disseminated without delay. Banks were also advised to immediately report suspicious activity or cyber incidents to relevant authorities, including CERT-In, and to maintain close coordination with agencies concerned. The Indian Banks’ Association (IBA) was asked to develop a coordinated institutional mechanism to respond swiftly and effectively to potential threats.

Who was involved across agencies

The meeting brought together a mix of policy, technical, and regulatory stakeholders. DFS, MeitY and CERT-In officials participated alongside senior bankers, and reports also cited participation from the Reserve Bank of India (RBI) and NPCI. The multi-agency presence reflects how cyber risk in banking spans payments infrastructure, banking IT controls, and national incident response.

M. Nagaraju, secretary at DFS, described Mythos as both a challenge and an opportunity. “Mythos is a threat and opportunity for the fintech ecosystem,” he said, as the government and regulators work to understand the technology better.

What is Claude Mythos, and why it matters

Claude Mythos is described in reports as Anthropic’s most powerful cybersecurity-focused AI model. Anthropic has said the system is so advanced that it has not been released publicly due to safety concerns. The model reportedly identified thousands of security flaws that human experts failed to detect, including vulnerabilities that are nearly three decades old. Reports also reference 27-year-old vulnerabilities in major operating systems and web browsers.

Due to concerns about misuse, access to Mythos has reportedly been restricted to about 40 companies, including Amazon, Microsoft and Google. However, reports suggest an unauthorised group may have gained access to the model, raising fears it could be used to identify and weaponise unknown vulnerabilities. Anthropic, an US-based company, said unauthorised access was made on its new model Mythos, which is deemed too dangerous for public release.

Global attention and parallel discussions

India is not alone in monitoring the potential impact of Claude Mythos. Reports indicate that authorities in the United States have also discussed the issue with major Wall Street banks. Separately, the White House is believed to be considering using the model within government agencies to strengthen cybersecurity defences. Wire reports also said government officials in the U.S., Canada and Britain have met top banking officials to discuss threats linked to Claude Mythos Preview.

Why banks are viewed as especially exposed

Banks are seen as vulnerable because their IT platforms connect multiple stakeholders, including corporates, retail users and other financial services providers, for seamless transactions. Reports also highlighted that a cyberattack on banks could threaten financial stability. The discussions took on added significance as the government continues to encourage digital transactions, including through UPI.

For Indian lenders, the risk is not limited to a single institution. Interconnected systems can allow an incident to spread across payment rails, customer-facing channels, and shared service providers. That is why the finance ministry’s emphasis on real-time intelligence sharing and immediate reporting to CERT-In is central to the response plan outlined in the meeting.

Market impact: what changes for lenders and fintechs

The immediate market relevance is operational rather than tied to near-term earnings disclosures. Banks were urged to ring-fence payment systems and strengthen monitoring, which can translate into tighter cyber controls, more frequent testing, and higher reliance on specialist agencies. The push for a real-time threat intelligence sharing mechanism across banks and @IndianCERT aims to reduce detection times and standardise response actions during an incident.

The finance ministry and the RBI are studying the extent of risks the Indian financial sector faces from the reported breach and broader developments around Mythos. While an official said systems are secure so far, the coordinated review indicates regulators are treating AI-driven cyber threats as a systemic risk topic, not a routine IT matter.

Key facts at a glance

Analysis: why this matters for India’s financial security posture

The meeting signals a policy shift toward treating advanced AI models as a new class of cyber risk that can compress the time between vulnerability discovery and exploitation. If a model can identify large volumes of hidden bugs quickly, defensive teams need faster coordination, prioritisation, and patching cycles to keep up. That is consistent with the ministry’s emphasis on real-time intelligence sharing and rapid incident reporting.

At the same time, officials have acknowledged the dual nature of the technology. DFS secretary M. Nagaraju’s “threat and opportunity” framing aligns with the idea that such models could strengthen defensive capabilities, but only if deployment remains controlled and institutions are prepared for the transition period.

Conclusion

India’s finance ministry-led review of Anthropic’s Claude Mythos puts AI-driven cyber threats on the agenda for banks, regulators, and incident response agencies. The immediate focus is on preventive controls, real-time threat intelligence sharing, and strict reporting to CERT-In. Next steps are expected to include further assessment by the finance ministry and the RBI, alongside a coordinated institutional mechanism led by the IBA to enable swift sector-wide responses.