Canadian Underwriter

P&C industry urged to prepare for systemic risk linked to Claude Mythos

A robotic hand holds a blue triangular warning sign featuring an exclamation mark, symbolizing caution in artificial intelligence and technology. The futuristic design highlights innovation and safety concerns.

Financial leaders around the world are warning about — and preparing for — the potential systemic cyber risk posed by the development of Anthropic’s latest AI model, Claude Mythos Preview.

“I happened to be at a…meeting 10 days ago [and] that dominated the entire conversation,” Lynn Oldfield, former president and CEO of AIG Insurance Company of Canada, said in a keynote address Thursday.

“So, I would put that on your radar screen. Claude Mythos…really impacts the global financial system.”

Oldfield, who held leadership positions at the Insurance Institute of Canada from 2015 to 2019, spoke at the Institute’s annual symposium held in Toronto. She spoke about a number of global risk trends affecting Canada’s P&C industry.

One is the global systemic cyber risk posed by Claude Mythos Preview, an AI technology that hasn’t been released publicly because of its major threat to business operating systems.

The danger is “Mythos Preview’s ability to find and exploit zero-day (that is, undiscovered) vulnerabilities in real open-source codebases,” says a paper published online in April by red.anthropic.com, a group that tested the capabilities of Mythos Preview.

“During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so.”

Over the long term, the paper’s authors note, this is intended to help organizations find vulnerabilities in their code and patch them. But it could also be a powerful tool for cybercriminals.

“Over 99% of the vulnerabilities we’ve found have not yet been patched, so it would be irresponsible for us to disclose details about them (per our coordinated vulnerability disclosure process),” red.anthropic.com’s paper states. “Yet even the 1% of bugs we are able to discuss give a clear picture of a substantial leap in what we believe to be the next generation of models’ cybersecurity capabilities — one that warrants substantial coordinated defensive action across the industry.

“We conclude our post with advice for cyber defenders today, and a call for the industry to begin taking urgent action in response.”

For the Canadian P&C industry, this means AI has reached a stage where it can enter companies’ operating systems throughout the entire organization “and literally in no time find every vulnerability,” as Oldfield explained.

That would pose a huge challenge for insurance companies still running legacy systems, she added. And many in Canada still do. Several insurance companies’ backend systems were assembled through acquisitions, with IT systems layered, bolted on, or run in parallel after mergers.

“If your legacy systems are anything like [they are in] the rest of the industry, you’ve got some code that’s been around since The Godfather [a movie made in 1972],” Oldfield said. “So, there is some legacy coding, some original challenges, that have been built on and built on and built on. And this particular tool is so dangerous to the world that they will not release it to the general public.”

Oldfield referenced the creation of Project Glasswing in April 2026. The initiative brings together 40 groups — including Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — in an effort to secure the world’s most critical software.

As noted on its website, “Project Glasswing partners will receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in their foundational systems — systems that represent a very large portion of the world’s shared cyberattack surface.

“We anticipate this work will focus on tasks like local vulnerability detection, black box testing of binaries, securing endpoints, and penetration testing of systems.”

Anthropic, the maker of Claude Mythos, a company estimated to be worth up to $380 billion, is donating $100 million to this project.

“There was an emergency meeting in Washington, a week ago Friday, of the IMF [International Monetary Fund], the World Bank, every bank governor of a developed economy, and the head of Anthropic and this research team to try and figure out what on earth we are going to do to protect ourselves from this particular flavour of AI,” said Oldfield. “Global regulators are beside themselves.”

Oldfield said this new AI development has many in the industry questioning the trend to move company data and information to the cloud. The cloud refers to a vast online storage space hosted by a collection of servers that host software and infrastructure. It’s accessed over the Internet.

“You know how we are trying to get people into the cloud? People are now literally talking about, ‘No, we need substacks. We need to actually reign off our core data in our financial institution.’

“So, this one, ladies and gentlemen, arrived so quickly. And all it takes is one bad actor to get their hands on it. And they [GRI board directors] do believe it will create systemic risk to the global financial system.”