Banks in India are alert and extra cautious to the potential threat that Mythos AI, a model created by San Francisco-headquartered Anthropic, can cause by identifying and exploiting vulnerabilities—including previously undetected ones—in complex IT systems.

On Friday, Challa Sreenivasulu Setty, the chairman of State Bank of India, after announcing the bank’s quarterly earnings data, said “...[Mythos] has placed the banking system on a heightened state of alertness”.

The need for urgency has already been identified and reflected through various high-level conversations which government officials—including Finance Minister Nirmala Sitharaman and Department of Financial Services (DFS) Secretary M. Nagaraju—have had with regulators, the Reserve Bank of India and the Securities and Exchange Board of India, alongside NPCI, top bankers, and registrars of companies.

Sebi has created a task force called cyber-suraksha.ai, which includes representatives from stock exchanges and depositories and transfer agents who will examine cybersecurity risks posed by AI-based models and devise a uniform mitigation strategy against these risks.

The positive element is that the concerned agencies are proactive and aligned. The negative part is that there is no understanding of how much technology could be misused, because Anthropic has limited the access to Mythos, to only some technology giants such as some Google, Microsoft, JP Morgan Chase, and CrowdStrike.

The deeper concern is that in all previous hacking or vulnerability operations, there were humans involved. Even in AI, which came three to four years ago, it operated on a limited knowledge base and on a single model situation. “[But now] this model is different because it can launch agents in parallel,” says Ramesh Lakshminarayanan, HDFC Bank’s group head, information technology and chief information officer.

“I think this is a very important phase of cybersecurity. Most of the times that we have all looked at cybersecurity, we have been doing patching based on a knowledge that we have carried [from the past],” he told Fortune India.

SBI chairman Setty said a structural shift is redesigning the way banks operate. “Advanced AI models highlight the sophistication and speed at which vulnerabilities can be identified and exploited. This is why working with the government, regulators and other banks is critical for India to create a cyber resilient framework.”

Supply chain systems may face risk of compromise

A CTO with another private sector bank said earlier from original equipment manufacturers to creating IT infrastructure, security patches would take 5 to 90 days to complete. “Now AI can create proof of concept patches which can exploit vulnerabilities and may get released within hours, so the software or data is exposed to the world,” he told Fortune India.

“On the Mythos issue, I am cautious; we just need to re-think. I am hoping that self-healing capabilities and anecdotes need to be developed by AI,” the second banker said.

Lakshminarayanan said: “AI has to fight AI. It's no longer a battle of human to human. The current battles are like dealing with a swarm of drones that have just entered the system. The model can actually produce the swarm.”

While India’s banks do have multi-layered security systems in place with guardrails, vendors and parties they deal with would be operating using different software systems. The tools these vendors use might not be compromised but the server from where the tool downloaded could be compromised.

Ramkumar Subbaraj, co-founder and CTO at Phi Commerce, an omni-channel digital payments platform, says, “It is important for a bank to know how secure its vendor system is.” A well-known fact is that 70% of compromise is “credential compromise”, when attackers gain unauthorised access to valid login details (usernames, passwords, API keys, tokens). Legitimate users are impersonated and data breaches take place. “Continuous monitoring for what is a deviation from the normal data flow, needs to be done continuously and incessantly,” Subbaraj told Fortune India.

SBI MD Rama Mohan Rao Amara, who heads the bank’s retail business and operations, said: “Right now based on what one hears, Mythos AI is something to worry about. What needs to be done is using traditional ways, but it needs to be done in a much quicker manner. Patching vulnerabilities has a well-known process, but Mythos has shrunk the timeline. We must increase our capabilities to identify and fix them on the go.”

Short-term and long-term solutions

Lakshminarayanan spells out some short-term and tougher long-term solutions which banks much adopt at this stage to safeguard themselves and the ecosystem. The short-term solutions include:

• Keep patching

To strengthen the ecosystem, there are tougher solutions which need to be built. These include:

• White box cryptography (important keys are secured in untrusted environments)

Banks in India will have challenging times to face up to. Besides implementing new ECL guidelines to ensure improved asset quality checks and provisioning, strengthening cybersecurity, in a centralised manner, will have to be implemented.