Treasury teams—to varying degrees—are starting to respond to growing fears that Anthropic’s Mythos AI model may be used by bad actors to exploit software vulnerabilities and launch cyberattacks on operating systems, web browsers and banks among other potential targets. Those fears got more attention Wednesday after Anthropic said it was “investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments.” - Reacting to that news, one NeuGroup member treasurer said, “I put it in the category that we feel that sooner or later something like this is inevitable, whether with Mythos or with any of the other similar tools we expect to be coming out from U.S. and non-U.S. players. That’s why we’ve been working on it urgently as opposed to feeling that we have three to six months before this becomes a real risk.”
Treasury triages risks. In a session organized by NeuGroup earlier in the week as some members fielded calls about Mythos from the C-suite, the treasurer said senior leaders at his company are looking at the risks through a broad systemic and operational lens because the business is viewed as critical broadband infrastructure. The company’s strongest security resources are therefore concentrated on protecting its network. But leadership, he said, asked treasury to assess its own vulnerabilities—with limited support.
To make the problem manageable, the treasurer is evaluating risk and vulnerability through three lenses: vendor platforms such as treasury systems and banks; transmission rails like ACH and wires; and internal company processes including approvals and authorizations. The member also triaged treasury risks into priority tiers:
- The highest-priority bucket includes cash positioning, access to liquidity, entitlements and payment approvals.
- The next tier covers trading and investing activities, with risk seen as important but not immediately existential.
- The lowest tier, for now, is reporting, on the assumption that errors there would matter less in a broader systemic event than a loss of cash control or payment capability.
Mitigation measures. The treasurer described some immediate mitigation ideas including: more frequent reconciliations; keeping some hard-copy backups; reviewing concentration of cash at major banks; considering whether some funds should sit at institutions less likely to be first-line targets; and establishing a “kill switch” process so treasury could halt movement of funds quickly if suspicious activity appeared.
- He emphasized that these ideas were not polished solutions but attempts to create practical resilience where possible.
Bigger picture, key questions to ask. This treasurer’s responses stood out among other NeuGroup members, most of whom said they were not yet taking specific treasury actions. Some noted that if ACH or the Federal Reserve’s payment rails were disrupted, the problem would be economy-wide rather than something treasury alone could realistically ring-fence.
- One member noted that from an audit and ERM perspective the right response likely starts with enterprise risk and cybersecurity teams rather than treasury acting independently. Another agreed, saying his company’s ERM function was already taking a coordinating role.
- However, some members plan to begin asking banks about their response plans, especially those holding large balances or investment assets outside of core partners. One participant said bank counterparties were the first concern but sees TMS providers as a possible blind spot because valid-looking instructions could still be forwarded if an upstream system were compromised.
- Members identified these questions as they learn more about Mythos and prepare:
- Which systems matter most?
- What dependencies on banks, TMS providers and payment rails are most critical?
- Which internal controls are most vulnerable to spoofing or bypassing?
- Where should responsibility sit between treasury, cybersecurity, ERM and leadership?
