OSFI tells banks AI is closing their window to fix cyber flaws: Reuters

Canada's banks are pouring money into the same AI they're now told to fear

OSFI tells banks AI is closing their window to fix cyber flaws: Reuters

The time Canada's banks and insurers have to catch and patch security flaws is shrinking, and the country's banking regulator has told them so in writing. 

The Office of the Superintendent of Financial Institutions warned chief technology, information-security and risk officers across the sector in a private April email that advanced AI compresses the window for containing cyber threats, according to documents Reuters obtained through an access-to-information request.  

"Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation," OSFI said in the email, which it sent on April 29 and which was partly redacted under the Access to Information Act. 

OSFI followed the email with a public bulletin on generative and agentic AI in July, after Reuters sent questions.  

"OSFI takes a technology-neutral, risk-focused approach to emerging technologies, including advanced artificial intelligence models such as Mythos," the regulator said in an emailed response.  

"Our focus is not the technology itself, but how federally regulated financial institutions govern and manage the risks associated with its use." 

The bulletin names frontier AI models rather than Mythos and builds on OSFI's existing technology, operational-resilience and third-party risk guidelines.  

It tells institutions to raise senior management's AI literacy, keep sensitive data out of public or unapproved AI tools, check AI-generated code for flaws before it reaches production, and limit the access AI agents hold to internal systems.  

The regulator also said institutions can use frontier models to prioritize risks and speed up patching, turning the technology on the problem it creates. 

The Canadian warning tracked an earlier move in the United States, where US Treasury Secretary Scott Bessent and Jerome Powell, then chair of the US Federal Reserve, called Wall Street leaders to an urgent meeting over concerns that Anthropic's latest model would raise cyber risk. 

Bank of Canada Governor Tiff Macklem said governments and regulators need to move fast while playing down any immediate crisis.  

"At the moment, there is no actual live cyber incident," Macklem told reporters in Washington, according to The Globe and Mail, though he warned the models can find and exploit weaknesses far faster than before.  

The Canadian Financial Sector Resiliency Group, which the Bank of Canada chairs and which includes other regulators and the big banks, met twice in one week on the fallout, the outlet reported, and Finance Minister François-Philippe Champagne raised the matter with Bessent. 

The concern rests on how fast the model works.  

Anthropic has said Mythos Preview found thousands of high-severity zero-day vulnerabilities across major operating systems and browsers, including a 27-year-old bug in OpenBSD, as per The Hacker News.  

The UK AI Security Institute found it cleared 73 percent of expert-level Capture the Flag challenges, a bar no model had passed before April 2025, Yahoo Finance reported, while ECB officials said attackers can now reverse-engineer a fix within 30 minutes.  

In testing by US intelligence agencies, the model broke into almost all classified systems in hours rather than weeks, US Senator Mark Warner said in congressional testimony reported by Cybernews

The warnings arrive as Canada's biggest banks bet heavily on the same technology.  

Royal Bank of Canada, TD Bank and BMO have set out plans to earn returns from AI as they move from experiments to chatbots and internal tools, Reuters reported.  

TD expects $1bn in annual value from AI by 2028, including $500m in annualized revenue, while RBC expects $700m to $1bn in enterprise value by 2027, according to the Globe

RBC CEO Dave McKay said at Davos in January that the bank spends $6bn a year on technology, with $2bn going to modernization and AI.  

Bank of Nova Scotia, CIBC, and National Bank have also disclosed AI projects.

Bank security leaders frame the change as one of speed and scale.  

Adam Evans, chief information security officer at Royal Bank of Canada, said the model attacks through the same pathways human hackers use but can hit many weaknesses at once, forcing firms to detect and respond in near real time, according to The Canadian Vanguard.  

Bruce Ross, RBC's AI group head, said in a June interview that the shift makes fast response essential.  

He told Reuters that the industry is responding by "building our own AI defenses." 

Regulators abroad have moved along similar lines.  

The European Central Bank has ordered the 110 banks it supervises to file AI cyber-risk action plans by October 31, Euronews and American Banker reported, and Claudia Buch, who chairs the ECB's supervisory board, wrote that the newest models can find weaknesses and write working exploits "at unprecedented speed."  

The Bank of England has flagged AI as a threat to financial stability, Cybersecurity Magazine reported, though Governor Andrew Bailey said it would share vulnerability findings with firms rather than issue orders. 

Access to the model has been uneven.  

Anthropic launched Fable 5 and Mythos 5 on June 9, suspended access on June 12 under a US export-control directive, and restored it from July 1 once Washington lifted the controls, according to Fortune

Ottawa has said it can reach the model through Anthropic's Project Glasswing, though which Canadian banks use it, if any, is not clear. 

Some banks referred questions to the Canadian Bankers Association, which said its members have spent heavily to protect the financial system and comply with OSFI rules on cyber risk management and incident reporting, Reuters said. 

LATEST NEWS