ECB presses banks to speed patches after AI finds exploits

The European Central Bank has called the largest banks it supervises to a Tuesday session urging faster rollout of software patches after work with Anthropic’s Claude Mythos showed advanced AI can surface vulnerabilities that attackers can reverse-engineer in about 30 minutes.

Frank Elderson, vice-chair of the ECB’s supervisory board, told attendees banks must treat patching as an urgent operational task and move faster than traditional security cycles allow. He warned that the speed of automated discovery shortens defenders’ windows to respond.

Anthropic released the Claude Mythos Preview in April through Project Glasswing, a restricted testing program for frontier AI capabilities. Independent evaluations found the model solved a high share of expert-level Capture the Flag challenges. Browser maker Mozilla reported that findings from the model led to 271 fixes in a single Firefox update.

The ECB’s session covers the 111 largest banks it supervises in the euro area; U.S. institutions were also invited. Elderson encouraged banks with direct access to frontier models to share testing experiences with peers that do not have such access, calling the gap unfortunate but saying it cannot justify inaction.

Regulators outlined immediate steps for banks: accelerate testing and deployment of vendor patches, increase the frequency of vulnerability scans, and enhance information sharing between institutions that use frontier models and those that do not. The ECB aims to set clearer expectations for timelines and coordination so fixes issued by software vendors are applied before attackers can turn findings into working exploits.

Using a musical analogy, Elderson remarked, “andante may have been good enough, but we need to go to presto.”