By Aidan Healy, Cathal McCoy & Jon Hopkins
|
Published 11 May 2026
In April 2026, senior finance ministers, central bankers and regulators from multiple jurisdictions engaged in a series of urgent discussions at IMF meetings in Washington D.C. At this point, it has been well publicised that the subject was not inflation, geopolitics or market volatility, but a new, unreleased artificial intelligence system known as Claude Mythos ("Mythos") Preview, developed by American AI company Anthropic as part of its wider Claude AI system. Mythos is already being treated by governments as a potential systemic risk in cyber, capable of reshaping the threat landscape on which modern financial systems, and the insurance policies that underpin them, depend.
Mythos is an example of a growing class of so‑called “frontier AI” systems. Unlike conventional generative AI tools, it is claimed that Mythos has demonstrated an ability to autonomously identify and exploit vulnerabilities within complex software environments with minimal human input.
According to Anthropic and independent testing by the UK’s AI Security Institute, preview versions of the system surfaced thousands of previously unknown security flaws across all major operating systems and web browsers, including weaknesses that had remained undetected for decades despite extensive testing, without the reliability of that testing previously being questioned.
Following early demonstrations of Mythos’ performance, Anthropic chose not to release the AI system publicly, instead granting limited access to selected technology companies and financial institutions under its “Project Glasswing” initiative. The aim is to allow organisations responsible for critical infrastructure to test and remediate vulnerabilities before it or AI systems with similar capabilities becomes publicly available. Even so, finance ministers at recent IMF and World Bank meetings characterised Mythos as an “unknown unknown” for financial stability, prompting coordinated reviews by banking supervisors and intelligence agencies.
What does this mean for cyber insurers?
There is a clear potential for significant increases in the frequency and severity of malicious cyber attacks, enabled via the democratisation of AI systems. However, Mythos illustrates that the cyber insurance market, and indeed the wider insurance market, may be exposed to AI-enabled cyber risks that may be faster, more scalable, and more interconnected than previously anticipated.
Aggregation of cyber-related risks has long been a concern for the market since it is nebulous. Reinsurers have consistently identified common dependencies, cloud providers, operating systems and widely deployed software as major contributors to correlated loss scenarios. Munich Re has cautioned that even without AI acceleration, cyber incidents have the potential to cause economy‑wide disruption through supply‑chain failures and cascading outages. AI systems such as Mythos significantly increase the probability that a single latent vulnerability could be discovered and exploited across large numbers of policies at near‑simultaneous speed.
Against this backdrop, a crucial question emerges: do existing insurance policies respond to AI‑enabled cyber losses at all? In most cases, policies are silent. The majority of cyber insurance wordings do not expressly mention artificial intelligence, meaning that any AI‑related are typically non‑affirmatively covered; neither expressly covered nor excluded, now commonly referred to as “silent AI”.
Mythos further illustrates the potential issue of "silent AI". If an AI system contributes in any way to a cyber attack, for example it autonomously identifies system vulnerabilities, is the resulting loss “caused" by AI, or does AI instead operate as a contributing or enabling factor in the causal chain? How do policy definitions of “security failure” or “malicious act” apply where a system was attacked without direct human involvement? Such questions may well generate coverage disputes.
Some insurers are electing to affirm AI-related risks via endorsements, or enhancing their wordings. Indeed, there is growing number of stand-alone AI insurance policies in the market designed specifically to provide cover for AI-related risks. However, there is also an increased number of AI-related exclusions in the market.
Conclusion
What ultimately distinguishes Mythos from previous AI systems is the level of involvement of governments and financial regulators. Authorities in the UK, US and India have all treated the Mythos as warranting coordinated policy scrutiny.
The existence of credible frontier AI systems such as Mythos may act as a catalyst for accelerated pricing discipline and product innovation within the cyber insurance market, particularly in respect of affirming or excluding AI-related risks in existing policies or the creation of stand-alone policies.
