By Rosemarie Connell
Rosemarie Connell explores how the latest AI-driven cyber threats are forcing financial firms and regulators to radically accelerate cybersecurity responses.
Anthropic’s “Mythos” AI system, which is being widely discussed across financial and technology sectors for its ability to autonomously identify and potentially exploit software vulnerabilities, is raising growing concern across financial services firms. It highlights that cybersecurity cannot realistically keep pace with machine-speed threats capable of uncovering weaknesses embedded across decades-old and deeply interconnected operational systems.
These are not isolated vulnerabilities. They are systemic exposures across legacy infrastructures and modern environments, often sitting undetected until they are actively exploited.
In parallel, FINRA, the U.S. self-regulatory organisation overseeing brokerage firms and securities professionals to enforce market integrity and investor protection standards, has launched its Financial Intelligence Fusion Center (FIFC) to improve real-time sharing of cyber threat and fraud intelligence across financial institutions.
Together, these developments reflect a broader shift in how cybersecurity is being defined across financial services. For firms operating across U.S. and international markets, this shift is already visible in day-to-day operations, particularly where legacy systems and new threats meet.
The BBC[i] has reported growing concern among financial leaders that vulnerabilities in complex banking systems may now be identified faster than they can be fixed. This aligns with warnings from the UK’s National Cyber Security Centre (NCSC)[ii], which states that AI-enabled tools are likely to increase both the volume and speed of cyberattacks against systems that have not been updated with security fixes. The NCSC cautions that by 2027, the time between vulnerability discovery and exploitation could shrink to days, creating material risks for critical infrastructure and financial supply chains.
In highly interconnected financial environments, even minor weaknesses can quickly become systemic risks.
The FIFC and the limits of coordination
The launch of the FIFC strengthens collective defence by improving the speed and structure of cyber threat intelligence sharing, enhancing visibility across institutions and enabling earlier identification of emerging attack patterns.
However, more intelligence does not translate into action. Many financial institutions remain bound by legacy infrastructure, fragmented architectures, and complex change processes that slow remediation even when risks are clearly understood. As a result, coordination is improving faster than the ability to respond.
Cyber Risk is now defined by speed
AI systems such as Mythos are compressing the attack lifecycle. Tasks such as vulnerability scanning, system mapping, and exploit development that once took days or weeks can now be completed in hours.
The World Economic Forum highlighted that AI is compressing cyber response timelines to the point where traditional patch cycles are no longer sufficient. This creates a widening gap between attack speed and defensive response. Cybersecurity is therefore shifting away from detection and becoming a question of response speed and about how quickly organisations can act once a threat emerges.
Prevention isn’t enough
For decades, cybersecurity has been built around prevention focused on blocking attacks, identifying vulnerabilities, and patching systems before exploitation occurs. That model is increasingly under strain.
Resilience assumes a different reality: that some attacks will succeed, even in well-defended environments. The objective shifts from preventing breaches to limiting impact and maintaining continuity of critical services.
Put simply, prevention seeks to avoid failure. Resilience assumes it and contains it.
This shift is now embedded in regulatory expectations around operational resilience, where firms must demonstrate not only protection, but recovery under stress.
Legacy systems are the structural constraint
Legacy infrastructure remains one of the defining challenges in financial services cybersecurity. Many institutions still rely on systems built over decades, creating tightly coupled environments with deep interdependencies across internal platforms and external vendors. These systems are slow to update and difficult to secure end to end.
In response, firms must redesign security architecture around segmentation and isolation, adopt risk-based patching, and embed recovery as a core operational capability rather than a fallback. Modernisation must also reduce reliance on legacy systems without destabilising core operations.
The central question is shifting and it’s no longer just about whether systems can be fully secured, but whether they can continue operating under attack.
Conclusion
The emergence of AI systems such as Mythos signals a broader shift in cyber risk. The challenge is no longer only the sophistication of attacks, but the speed at which they evolve.
Regulators are responding through initiatives such as the FIFC, and firms are adapting. But intelligence sharing alone will not resolve the underlying constraint: response speed.
Cybersecurity is therefore being redefined as resilience and the ability for firms to absorb disruption, contain its impact, and maintain critical services under pressure.
In an environment where AI is accelerating both attack discovery and exploitation, the question is no longer how to prevent every breach. It is whether systems continue to function when one succeeds.
About the Author
Rosemarie Connell is Senior Managing Director at Integrated Solutions, which provides advisory, regulatory compliance, and fund administration services to financial firms across U.S., UK, and international markets. She brings extensive experience in commodities trading, emerging markets, and financial regulation.
References
[i] What is Anthopic’s Claude Mythos and what risks does it pose? – BBC News
[ii] https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027
