Canadian banking regulator warns lenders over cyber risks from advanced AI models

0

Canada’s federal banking regulator has warned the country’s largest banks and insurers that advanced artificial intelligence models, including Anthropic’s Claude Mythos, could significantly heighten cybersecurity risks by shortening the time available to detect and address software vulnerabilities.

‎The Office of the Superintendent of Financial Institutions (OSFI) issued the warning in an email sent on 29 April to chief technology officers, chief information security officers and chief risk officers across federally regulated financial institutions, according to documents obtained by Reuters through an access-to-information request.

‎In the communication, OSFI said frontier AI systems were capable of dramatically accelerating cyber threats and urged institutions to strengthen their ability to identify, mitigate and respond to emerging risks.

‎”Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation,” the regulator said in the email.

‎”Accordingly, this bulletin is grounded in our existing guidance and outlines sound practices that institutions can adopt to enhance the speed and effectiveness of risk identification, mitigation and response.”

‎Parts of the email were withheld under Canada’s Access to Information Act, but the disclosure highlights growing concern among regulators that increasingly capable AI systems could be exploited to identify and weaponise software vulnerabilities more rapidly than existing security processes can counter.

‎Following questions from Reuters, OSFI on Monday published a public bulletin addressing the governance of generative and agentic artificial intelligence.

‎In a statement, the regulator said it remained focused on the risks posed by emerging technologies rather than the technologies themselves.

‎”OSFI takes a technology-neutral, risk-focused approach to emerging technologies, including advanced artificial intelligence models such as Mythos. Our focus is not the technology itself, but how federally regulated financial institutions govern and manage the risks associated with its use,” the regulator said.

‎The warning comes amid heightened international scrutiny of frontier AI systems. Regulators worldwide are assessing the cybersecurity implications of increasingly sophisticated models, with experts warning that systems such as Mythos possess advanced capabilities for discovering and exploiting security weaknesses, posing particular challenges for financial institutions operating legacy technology infrastructure.

‎According to Reuters, Canadian banking executives met with regulators in early April to discuss the risks associated with Mythos after senior US officials, including Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell, held an urgent meeting with major bank chief executives on similar cybersecurity concerns.

OSFI, which oversees the stability of Canada’s financial system, is responsible for supervising banks, insurers and pension funds while monitoring risks arising from geopolitical developments, foreign interference and technological change.

‎The report also noted that access to some frontier AI systems has been restricted because of their cyber capabilities, with eurozone banks currently excluded from Mythos.

‎Despite the security concerns, Canadian financial institutions continue to expand their use of artificial intelligence. Royal Bank of Canada, TD Bank and BMO have outlined plans to generate significant returns from AI investments by deploying the technology in customer service, internal productivity tools and operational efficiency initiatives. Bank of Nova Scotia, CIBC and National Bank have also announced several AI programmes.

‎The Canadian government has stated that it has access to Anthropic’s Project Glasswing, which provides organisations with access to Mythos, although it remains unclear whether any Canadian banks are currently using the model.

‎The Canadian Bankers Association said member institutions have invested heavily in cybersecurity and continue to comply with OSFI’s stringent cyber risk management and incident reporting requirements.

‎Royal Bank of Canada’s Chief Technology Officer, Bruce Ross, said in June that the emergence of Mythos had fundamentally changed the cybersecurity landscape by enabling attack methods to evolve almost immediately after vulnerabilities are identified.

‎”The way we are dealing with it is, building our own AI defences… we will continue to do that,” Ross said.

LEAVE A REPLY

Please enter your comment!
Please enter your name here