In a notable shift for cybersecurity collaboration, Anthropic has revised its Project Glasswing program to allow JPMorgan Chase to share vulnerability findings from Anthropic's AI model, Mythos, with other financial institutions. This marks the first time such insights will be formally communicated to community and regional banks, addressing growing concerns over the cybersecurity risks associated with advanced AI systems.
The change follows a letter from Rep. Josh Gottheimer, co-chair of the House Democratic Commission on AI and the Innovation Economy. It effectively removes a nondisclosure agreement that previously restricted the sharing of critical information. Gottheimer emphasized the urgency of addressing cyber threats, stating, "No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks."
This decision carries significant implications for smaller banks that depend on larger institutions like JPMorgan for insights into vulnerabilities in shared software systems. As the only bank among the initial partners in Project Glasswing, JPMorgan's capacity to share vulnerabilities identified by Mythos is expected to strengthen the cybersecurity posture of smaller financial entities that may lack the resources to independently detect such risks.
The Role of Mythos in Vulnerability Discovery
Anthropic's Mythos has shown an impressive ability to identify security flaws, uncovering thousands of previously unknown vulnerabilities across major operating systems and browsers. Internal testing indicates that Mythos produces effective exploits more than 83% of the time on its first attempt. For example, Mozilla reported that Mythos identified 271 vulnerabilities in Firefox, all of which were patched in the latest release. Similarly, Palo Alto Networks noted that it received alerts about 26 vulnerabilities from Mythos, a significant increase compared to its typical monthly findings.
This new capacity to share critical findings aligns with recent comments from U.K. regulators emphasizing the need for financial firms to enhance their cybersecurity measures amid rising AI capabilities. The Bank of England and other financial authorities have warned that the current generation of AI models could outpace traditional methods of vulnerability identification in speed, scale, and cost-effectiveness.
Future Steps and Regulatory Expectations
Given the challenges posed by advanced AI, U.K. regulators have urged financial firms to actively strengthen their cybersecurity frameworks. They have identified five key areas for action: governance and strategy, vulnerability identification and risk management, third-party risk, protection, and response and recovery. While these guidelines do not introduce new regulations, they consolidate existing expectations for operational resilience in the financial sector.
In contrast, U.S. regulators have yet to articulate similar formal expectations, raising concerns about the adequacy of current cybersecurity measures within American financial institutions. The lack of a comparable framework may leave many institutions exposed as AI-driven threats become more prevalent.
The urgency of these developments is underscored by an upcoming report from Anthropic, set to provide insights from the Glasswing program within 90 days of its April launch. As the industry anticipates this report, pressure mounts on both Anthropic and OpenAI to improve transparency and collaboration in cybersecurity.
As smaller banks gain access to important vulnerability information, the potential for improved cybersecurity practices across the banking sector grows. Sharing findings from advanced models like Mythos could create a more resilient financial ecosystem, better prepared to tackle evolving cyber threats.
This collaboration between large financial institutions and their smaller counterparts may serve as a model for other sectors facing similar challenges posed by the rapid advancement of AI technologies. By enhancing communication and information sharing, the financial industry can strengthen its defenses against the sophisticated tactics employed by cybercriminals in an increasingly interconnected world.
Quick answers
What is Project Glasswing?
Project Glasswing is a cybersecurity initiative by Anthropic aimed at addressing vulnerabilities in software systems using AI.
How does Mythos identify vulnerabilities?
Mythos uses advanced AI techniques to uncover previously unknown security flaws and generate effective exploits with a high success rate.
Why is the NDA carve-out significant?
The carve-out allows JPMorgan Chase to share vulnerability findings with smaller banks, enhancing their ability to respond to cyber threats.
What are the U.K. regulators’ expectations for financial firms?
U.K. regulators expect financial firms to take proactive measures in governance, risk management, and other areas to address cybersecurity risks associated with advanced AI.
