Government urges companies to fortify cyber defense against rising AI‑powered hacking threats


Key Takeaways

  • The UK government is urging nearly 200 of the nation’s largest firms to sign a new “cyber‑resilience pledge” that makes cybersecurity a board‑level responsibility.
  • To qualify, companies must adopt the National Cyber Security Centre’s (NCSC) early‑warning service and enforce Cyber Essentials certification throughout their supply chains.
  • The pledge, slated for a formal launch in summer, aims to create an industry benchmark and reassure investors and customers amid rising AI‑driven threats.
  • Anthropic’s Mythos model, an AI system exceptionally adept at uncovering software vulnerabilities, is not being released publicly but has been shared with 40 U.S. technology firms to bolster their defenses.
  • Experts debate whether Mythos could enable a new wave of autonomous hacking; the UK’s AI Security Institute notes it can attack weakly defended enterprise systems but remains uncertain about its efficacy against well‑protected networks.
  • British banks—including Barclays, Lloyds and NatWest—are in discussions with Anthropic for potential access to Mythos, while the Bank of England’s governor warns the model could “crack the whole cyber‑risk world open.”
  • Ministers Baroness Lloyd (cybersecurity) and Dan Jarvis (security) stress that AI is accelerating attacker capabilities and that cybercrime should be viewed as seriously as physical crime.
  • Adoption of NCSC’s Cyber Essentials remains low—only about 56,000 certificates were issued in 2025, roughly 1 % of UK businesses—highlighting a gap between advice and action.
  • The forthcoming Cyber Security and Resilience Bill will compel key‑sector companies to strengthen resilience, seeking to close that gap through legislation.

Government’s Call for a Cyber‑Resilience Pledge
Baroness Lloyd of Effra, the UK’s cybersecurity minister, has written to almost 200 chief executives and board chairs, urging them to embrace a newly drafted cyber‑resilience pledge. The initiative seeks to elevate cybersecurity from an IT concern to a core boardroom responsibility, signalling that senior leadership must actively oversee and fund defensive measures. By targeting the country’s biggest businesses, the government hopes to create a ripple effect that encourages smaller firms to follow suit.

Core Requirements of the Pledge
To sign the pledge, organisations must meet three concrete criteria. First, cybersecurity must be assigned an explicit seat at the board, ensuring strategic oversight and accountability. Second, firms need to subscribe to the NCSC’s early‑warning service, which provides timely alerts about emerging threats and vulnerabilities. Third, they must require their entire supply chain to hold the NCSC’s Cyber Essentials certification, thereby extending baseline security standards beyond the organisation’s own walls.

Timing and Strategic Intent
Although the pledge has already been circulated informally, a formal launch is planned for the summer. Government officials describe it as a benchmark that will help investors, customers, and partners gauge a company’s cyber‑readiness. By establishing a clear, measurable standard, the initiative aims to lift the overall security posture of UK industry and reduce the likelihood of successful breaches that could disrupt national economic activity.

Anthropic’s Mythos Model and Its Implications
Last week, U.S.‑based AI firm Anthropic announced that it would not release its new Mythos model—a system explicitly designed to identify software flaws—because of its extraordinary effectiveness. Instead, Anthropic distributed Mythos to 40 American technology companies so they could harden their own defences. The decision has sparked debate: some commentators view it as a prudent safeguard, while others suspect a marketing stunt intended to generate buzz around Anthropic’s capabilities.

Potential for Autonomous Hacking
Security analysts have warned that a tool as proficient as Mythos could lower the barrier for conducting sophisticated, autonomous attacks. The UK’s AI Security Institute, one of the few non‑U.S. bodies to evaluate Mythos, described it as a “step up” in capability, noting that it can independently probe and exploit small, weakly defended enterprise systems once network access is obtained. However, the Institute cautioned that there is insufficient evidence to confirm whether Mythos could breach well‑defended, mature security architectures.

Banking Sector Interest and Systemic Risk Concerns
Major British banks—including Barclays, Lloyds, and NatWest—are reportedly in contact with Anthropic to explore possible access to Mythos. Andrew Bailey, governor of the Bank of England, remarked that the model might have “found a way to crack the whole cyber‑risk world open,” hinting at the potential for systemic repercussions if such capabilities fell into malicious hands. The remarks underscore the tension between leveraging advanced AI for defence and the risk of those same tools being repurposed for offence.

Ministerial Emphasis on the Evolving Threat Landscape
Both Baroness Lloyd and security minister Dan Jarvis have stressed that artificial intelligence is accelerating the speed and sophistication of cybercriminals. Lloyd warned that the threat is “serious, growing and evolving fast,” urging organisations not to become complacent. Jarvis plans to highlight this point at the CyberUK conference in Glasgow, arguing that the public often underestimates cybercrime’s impact compared with traditional physical crime.

Analogising Cyber and Physical Harm
In his upcoming speech, Jarvis will draw a striking comparison: a recent ransomware attack on Jaguar Land Rover, which halted production and inflicted significant financial loss, would be equivalent to “hundreds of masked criminals turning up to dealerships across the country, breaking glass, smashing up computers and driving cars right off the forecourt” if carried out by physical means. The analogy aims to convince executives that cyber attacks deserve the same level of urgency, resources, and executive attention as any tangible threat to safety or property.

Current Uptake of Cyber Essentials and Legislative Response
Despite repeated warnings from the government and the NCSC, adoption of basic cyber hygiene remains sparse. In 2025, only about 56,000 Cyber Essentials certificates were issued—approximately one per cent of all UK businesses—indicating a considerable gap between recommended practice and actual implementation. To address this shortfall, the Cyber Security and Resilience Bill is progressing through Parliament. The legislation will mandate heightened resilience measures for companies operating in critical sectors, seeking to enforce standards that the voluntary pledge currently encourages on a broader scale.

Conclusion: Bridging the Gap Between Advice and Action
The UK’s current strategy blends voluntary commitments—exemplified by the emerging cyber‑resilience pledge—with impending regulatory requirements under the Cyber Security and Resilience Bill. While the pledge offers a flexible, industry‑led pathway to better security, the low uptake of Cyber Essentials reveals that many organisations still lag behind. Continued ministerial pressure, heightened awareness of AI‑enabled threats like Mythos, and forthcoming legal obligations together aim to shift corporate culture from reactive patch‑management to proactive, board‑driven cyber resilience. If successful, these measures could significantly narrow the perception gap between cyber and physical crime, ultimately strengthening the nation’s defence against an increasingly sophisticated threat landscape.
