
Canada’s top banking regulator sent a warning to the country’s largest financial institutions about the cybersecurity dangers posed by Anthropic’s Claude Mythos and other cutting-edge artificial intelligence models, according to an email obtained through an access-to-information request.
The Office of the Superintendent of Financial Institutions — known as OSFI — distributed the message in April to chief technology officers, chief information security officers, and chief risk officers across the financial sector, including major banks and insurance companies.
Cybersecurity specialists describe Mythos as an AI model with an exceptional ability to identify and exploit security weaknesses, posing serious challenges to the banking industry and its older technology infrastructure. Regulators around the world are working to understand the risks that such frontier AI models present.
“Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation,” OSFI stated in the email.
“Accordingly, this bulletin is grounded in our existing guidance and outlines sound practices that institutions can adopt to enhance the speed and effectiveness of risk identification, mitigation and response,” the regulator added.
Portions of the email were withheld under certain provisions of the Access to Information Act. OSFI’s recognition of the risks tied to Mythos could push Canadian banks, insurers, and other regulated entities to invest more in technology that shields customers from cyber threats.
After Reuters submitted questions to OSFI last week, the regulator published a public bulletin on generative and agentic artificial intelligence on Monday.
“OSFI takes a technology-neutral, risk-focused approach to emerging technologies, including advanced artificial intelligence models such as Mythos. Our focus is not the technology itself, but how federally regulated financial institutions govern and manage the risks associated with its use,” OSFI said in its written response.
In early April, Canadian bank executives sat down with regulators to talk through the dangers of Mythos — a meeting that followed a similar urgent gathering in the United States, where Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell brought together bank CEOs to address cyber risks linked to Anthropic’s latest AI model. OSFI formally sent its email to company executives on April 29.
OSFI oversees the stability of Canada’s financial sector, covering everything from banks to pension funds, and monitors threats stemming from foreign interference, geopolitical tensions, and new technologies.
The cyber capabilities of certain frontier AI systems are viewed as so formidable that access has been restricted in some regions — euro zone banks are currently barred from using Mythos.
Anthropic has also navigated a complicated relationship with the U.S. government. A federal judge blocked an initial Pentagon blacklisting of the company in March, and tensions have since eased following the private release of Mythos.
Three of Canada’s six largest banks — Royal Bank of Canada, TD Bank, and BMO — have laid out plans to generate revenue from their AI investments, having moved beyond experimental projects into practical applications such as customer chatbots, internal tools, and reduced dependence on outside vendors. Bank of Nova Scotia, CIBC, and National Bank have also announced various AI initiatives.
The Canadian government has said it has access to Anthropic’s Project Glasswing, a program that allows companies to use Mythos, though it remains unclear which Canadian banks, if any, are currently using it. Some banks directed questions to the Canadian Bankers Association, which said financial institutions have made significant investments to protect the financial system and are meeting OSFI’s requirements for cyber risk management and incident reporting.
In a June interview, RBC’s chief technology officer Bruce Ross said Mythos highlighted a fundamental shift in how cyberattacks unfold, making it critical for organizations to respond quickly since new attack methods can surface the moment vulnerabilities are discovered.
“The way we’re (the industry) dealing with it is, building our own AI defenses… we’ll continue to do that,” Ross said.








