Key Takeaways
- Banks in India are re‑classifying IT expenditure from a routine “cost of running” to a survival‑critical “cost of surviving” because of emerging AI‑driven threats.
- Anthropic’s unreleased Claude Mythos model can discover and weaponise software vulnerabilities in under 72 hours, collapsing the traditional patch‑to‑exploit window.
- Public sector banks such as Punjab & Sind Bank and UCO Bank have announced higher IT budgets for the current fiscal year, with a large share earmarked for cybersecurity.
- Finance Minister Nirmala Sitharaman urged banks to adopt pre‑emptive measures after Mythos demonstrated its ability to find high‑severity flaws in major operating systems and browsers.
- Expert analysis warns that banks still rely on 2019‑era patching cycles, leaving them exposed to 2026‑style attacks despite using outdated SOPs.
- The highly interconnected nature of payments, clearing, forex, and stock‑market systems means a breach at one institution can rapidly cascade across the domestic and global financial ecosystem.
- A government panel led by SBI Chairman C S Setty has been formed to assess Mythos‑related risks and recommend mitigations, with intensive inter‑bank dialogue planned.
- Anthropic’s Project Glasswing granted 12 tech firms early access to Mythos under the banner of securing critical software, highlighting both the risk and the collaborative effort to understand it.
- The overarching shift is toward treating cybersecurity investment as essential for institutional survival rather than a discretionary cost centre.
Introduction: The Emerging AI Threat from Claude Mythos
The banking sector in India is confronting a new class of danger posed by Anthropic’s unreleased artificial‑intelligence model, Claude Mythos. Demonstrations have shown that Mythos possesses advanced coding and hacking abilities, enabling it to identify high‑severity vulnerabilities in operating systems, web browsers, and other critical software far faster than human analysts. Its capacity to move from vulnerability discovery to weaponisation in under three days has alarmed regulators and bank executives alike, prompting a reassessment of how IT budgets are allocated and what constitutes adequate protection in an AI‑accelerated threat landscape.
Bank Leadership’s Response: Increased IT Spending on Cybersecurity
In light of the Mythos revelations, senior bank officials have publicly committed to raising their IT expenditures for the current financial year. Punjab & Sind Bank’s Managing Director and CEO, Swarup Kumar Saha, told PTI that the bank will increase its IT spending to fortify systems, safeguard customer data, and protect monetary assets. Similarly, UCO Bank’s MD and CEO, Ashwani Kumar, confirmed that the bank’s IT budget will exceed last year’s allocation, with a substantial portion directed toward cybersecurity measures. These statements underscore a sector‑wide recognition that traditional IT spend levels are insufficient against the speed and sophistication of AI‑enabled attacks.
Specific Commitments from Punjab & Sind Bank and UCO Bank
Punjab & Sind Bank plans to channel the additional funds into upgrading intrusion detection systems, deploying advanced threat‑intelligence platforms, and conducting regular penetration‑testing exercises that simulate Mythos‑style attacks. UCO Bank intends to invest in next‑generation firewalls, zero‑trust network architectures, and continuous monitoring tools that can alert security teams within minutes of anomalous activity. Both banks emphasized that the heightened spending is not merely a reaction to a single threat but a strategic shift toward building resilient, adaptive defenses capable of withstanding evolving AI‑driven exploit techniques.
Government and Regulatory Reaction: Finance Minister’s Directive and Expert Analysis
Finance Minister Nirmala Sitharaman has urged all banks to take “all necessary pre‑emptive measures” to secure their IT systems after Mythos demonstrated its capacity to uncover weaknesses that could be leveraged for cyber attacks. Her directive aligns with warnings from industry experts such as Srinivas L, Joint MD & Joint CEO of 63SATS Cybertech Limited, who noted that frontier AI systems do not create a new risk category; instead, they compress the timelines of every existing vulnerability. The expert observed that the window between public disclosure of a flaw and its weaponisation has shrunk from 19 days in 2023 to fewer than 72 hours today, while many banks still operate on patching and response cycles designed for a 2019 threat surface.
The Compressed Vulnerability‑to‑Weaponisation Timeline and Legacy Systems Gap
This dramatic acceleration means that defenders are essentially preparing for 2026‑style attacks using 2019‑era standard operating procedures (SOPs). The reliance on legacy IT infrastructure—often built on outdated platforms that lack modern security features—exacerbates the gap. Banks that continue to apply periodic patch schedules rather than real‑time threat hunting and automated remediation will find themselves perpetually behind the curve. Experts argue that closing this gap requires not only additional tools but a fundamental redesign of security processes to match the velocity at which AI can generate and exploit weaknesses.
Interconnected Risks: How a Single Bank Breach Can Cascade Across the Financial Ecosystem
The systemic nature of banking amplifies the potential damage of a successful cyber intrusion. Payments, clearing houses, foreign‑exchange trading, money‑market exposures, stock‑market linkages, depositories, and payment gateways create a dense web of interdependencies. If one bank’s defenses are breached, attackers can laterally move to partner institutions, disrupt settlement processes, manipulate market data, or siphon funds across borders. The contagion effect could undermine confidence in the entire financial system, trigger liquidity crunches, and provoke regulatory penalties. Consequently, cybersecurity investment is viewed not only as a protective measure for individual entities but as a prerequisite for overall market stability.
Government‑Led Initiative: The SBI‑Chaired Panel and Collaborative Bank Efforts
Recognising the cross‑institutional stakes, the government has convened a panel under the chairmanship of SBI Chairman C S Setty to evaluate the risks emanating from the Claude Mythos platform and to formulate mitigating strategies. Finance Minister Sitharaman indicated that the panel will facilitate extensive interaction among banks over the coming weeks, allowing them to share threat intelligence, identify common vulnerabilities, and prioritize areas where additional investment is required. This collaborative approach aims to harmonise defenses, avoid duplication of effort, and ensure that the sector presents a united front against AI‑powered threats.
Anthropic’s Findings and the Project Glasswing Initiative
Anthropic itself has been proactive in assessing Mythos’s capabilities. During internal testing, the company reported that the model uncovered thousands of high‑severity vulnerabilities across every major operating system and web browser. To translate this knowledge into defensive action, Anthropic launched Project Glasswing, granting early access to Mythos for twelve leading technology firms under the banner of “securing the world’s most critical software.” The initiative reflects a dual intent: to understand the offensive potential of advanced AI while simultaneously enlisting industry partners to develop counter‑measures, sharing findings, and hardening critical infrastructure before malicious actors can exploit the same insights.
Outlook: Shifting from Cost‑Center to Survival‑Driven IT Investment
The collective response from bank CEOs, regulators, and experts signals a paradigm shift in how IT expenditure is perceived. No longer can cybersecurity be treated as a line‑item cost centre subject to periodic budget cuts; it must be regarded as an essential investment for institutional survival. By increasing spending on advanced threat detection, zero‑trust architectures, continuous monitoring, and incident response capabilities, banks aim to close the temporal gap between vulnerability disclosure and exploitation. The ongoing government‑led panel and inter‑bank cooperation further reinforce the notion that resilience in the face of AI‑driven threats is a shared responsibility, demanding coordinated action, transparent information sharing, and a willingness to allocate resources commensurate with the evolving risk landscape.
In summary, the emergence of Anthropic’s Claude Mythos has compelled Indian banks to rethink their IT strategies, moving from routine maintenance spending to a survival‑oriented cybersecurity posture. Leadership commitments, regulatory directives, expert warnings, and collaborative governmental initiatives all point toward a future where robust, AI‑resilient defenses are not optional but imperative for the stability and continuity of the financial sector.