SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
How can banks adapt to the new, AI-driven economics of cybercrime?

How can banks adapt to the new, AI-driven economics of cybercrime?

Wed, 15th Jul 2026 (Today)
Richard Moore
RICHARD MOORE CISO 10x Banking

Security concerns within banks are intensifying. The evolution of advanced AI models, such as Claude Mythos is a story in constant flux, shut down one week and back online the next. Whatever its status today, it has raised awareness about the profound impact of agentic AI and the need to address the potential dangers these models could have in the hands of bad actors. 

Much of the discourse leads from what agentic models can do in terms of launching autonomous attacks. As a security practitioner, I think this mindset misses the most important shift.

AI has not changed the nature of cyber-attacks. The techniques driving most real incidents are the same as they were five or ten years ago: scanning for exposed services, exploiting known vulnerabilities, abusing credentials, and then moving laterally through trusted systems. Those techniques predate Mythos and they're not going anywhere. 

What has changed are the economics of how all of this is done. Models like Anthropic's Claude Mythos and OpenAI's Daybreak dramatically reduce the cost of analysing systems while repeatedly exercising the same attacks. Activities that once required expertise, time, and persistence can now be carried out cheaply and continuously.

There are already attempts to measure and respond to this shift in economics. Under Anthropic's controlled-access research programme, Project Glasswing, the company and around fifty partners have used Claude Mythos Preview to find more than 10,000 high- or critical-severity vulnerabilities across the world's most systemically important software. In a single month. And in early June, Anthropic released the first Mythos-class model to the general public. The US administration subsequently placed strict export controls on Mythos and Fable, one of Claude's other models, effectively shutting down Mythos completely. These restrictions have since been lifted. Guardrails are still in place, and the version of Mythos available to the public is not the vulnerability-finding variant. But the broader signal is unavoidable, with capability becoming more accessible.  

Other vendors, other models will follow. The window for banks to address this on their own timetable is closing quickly.

Leaders of financial institutions know this. The Conference Board's most recent measure of US CEO confidence found that nearly two-thirds of large-firm CEOs now rank cybersecurity as a top risk to their industry. AI is also up there as a leading concern, so when you add the two together, you've got a recipe for turbulence in the coming years. In the UK, EY found that financial services CEOs ranked cybersecurity just behind macroceconomics and geopolitical instability as the biggest threats to the industry. 

Around the world, the message is clear: action is needed.

Where to focus first

The first place everyone looks when a new wave of technology hits is at regulators.

In April, US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent meeting with the CEOs of Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs. The subject was Mythos and the risks it poses if it ends up in the wrong hands.

Here in the UK, the Bank of England Deputy Governor Sarah Breeden has talked about the need for bespoke frameworks, enhanced recovery, and an AI 'kill switch'. UK banks are not yet being formally regulated on AI-cybercrime, but it's obvious that regulation will come, and it will arrive faster than most institutions expect. The first step to getting ahead of it means knowing where you're most exposed.

For most, it will be legacy platforms. Systems designed around infrequent updates and long patch cycles were built for a different era. They're simply not ready for the level of repetition that AI now makes cheap. Under AI-supported threats, any delay stops being a tolerable trade-off and becomes a source of risk in its own right.

There are three areas for banks to address to build a more robust security posture in today's environment:

  1. Open source libraries: Everyone uses open source libraries, which means attackers can see them too. Vulnerabilities are shared and exploitable across organisations, but a common problem is also a solvable one. On a shared platform, a fix made once is applied for everyone; banks running heavily bespoke, internally-built systems inherit none of those collective learnings and must front the cost of every fix themselves. Either way, dependency hygiene, software bills of materials, and automatic upgrade paths will be more important than ever.
  2. Internet-facing systems: The internet is the obvious entry points for any automated probe, and reducing the potential attack surface is still an effective risk reduction tactic. Any service that doesn't need to be reachable from the public internet shouldn't be. 
  3. Critical assets and the software supply chain: These are generally the most well-protected assets, but the deep-network components pulled in via vendors, integration partners, and open source are what attackers want to target most. AI doesn't change the answer to this dilemma but it does change how fast the answer needs to be delivered.

The basics done brilliantly

As I said before, none of this is new except the scale and economics of it. That's why I think banks have cause to be optimistic about this shift rather than pessimistic.

Most major incidents still share the same root causes: shared environments, excessive privilege, slow patching, unrestricted connectivity, and untested recovery. That's why I often come back to the same phrase: basics done brilliantly. 

The volume of vulnerabilities being surfaced right now might look scary but it's a short-term peak. If the same tools that find weaknesses are used to catch them before they reach production, the curve will flatten. In the longer term, banks that act now will reach a baseline more secure than the one they started with.

Banks need to start designing for the security environment we're in now, not the one their systems were originally built for. That means isolation by default, just-in-time access, continuous patching, and controls that are tested under pressure and most importantly of all, modern cores. Those are the fundamentals. AI has changed the economics, but it hasn't changed what good looks like – and that's something banks can control.