Ministers Urge Boardrooms to Act as Myth of Anthropic AI Raises New Hacking Fears
Ministers have urged Britain’s biggest companies to strengthen their cyber defences, warning that a new generation of artificial intelligence tools, including Anthropic’s controversial Mythos model, risk unleashing a new wave of sophisticated hacking against UK plc.
In a direct intervention, Baroness Lloyd of Effra, the cyber security minister, has written to nearly 200 business leaders urging them to support a “cyber resilience pledge” designed to move boardrooms to the forefront of digital security.
To register, companies must make cybersecurity a transparent board-level responsibility, register with the National Cyber Security Center’s alert service, and seek “Cyber Essentials” certification throughout their supply chains. The offer will be officially launched in the summer and aims to give investors, customers and trading partners a clear measure to judge a business’s digital security.
Pushing comes after febrile. Anthropic, an AI developer based in San Francisco, revealed last week that it decided not to release Mythos, a model that has been praised for its cybersecurity work, because of its incredible ability to sniff out software vulnerabilities. Instead, the company quietly offered it to 40 US tech companies to help them strengthen their defenses.
While some industry watchers dismissed the move as marketing ploys, Wall Street, the City and financial regulators took it seriously. Major British lenders, including Barclays, Lloyds and NatWest, are understood to be in talks with Anthropic about access to the model.
Andrew Bailey, the governor of the Bank of England, has even suggested that Anthropic may have “found a way to open up the whole world of cyber-risk”, an unusually colorful assessment from Threadneedle Street.
The UK’s AI Security Institute, which is one of the few organizations outside the United States to install Mythos, described the model as a “step up” in capabilities. It concluded that Mythos is “at least capable of independently attacking small, lightly defended and vulnerable enterprise systems once network access is gained”, though it stopped short of saying whether the model could breach better-fortified targets.
For SMEs, testing is not easy to learn. The majority of “small, less secure” enterprise systems reside in the small and medium-sized business environment, where IT budgets are tight and dedicated security teams are rare.
Dan Jarvis, the security minister, will reiterate the pledge at this week’s CyberUK conference in Glasgow, where he is expected to argue that the country still suffers from a yawning gap in thinking between digital and physical crime. Using the recent ransomware attack that crippled Jaguar Land Rover, Jarvis will tell attendees that the damage caused by “an old-school physical attack, would have been equivalent to hundreds of masked criminals turning up at markets across the country, smashing glass, smashing computers and driving away cars.”
His message: “There is no real difference between them; they are both shameful crimes.”
Lloyd spoke with the same urgency, telling business leaders: “The cyber threat facing UK businesses is serious, growing and evolving fast. AI is giving attackers capabilities that would have been rare just a year ago and no organization can afford to be complacent. Cyber resilience is not just a technical problem; it’s a board job and we’re asking them to treat it like one in Britain.”
Despite years of warnings from Whitehall and the NCSC, uptake of basic cyber hygiene measures remains abysmally low. Only 56,000 Cyber Essentials certifications were issued by 2025, covering around one per cent of UK businesses, a figure that should give every chairman, chief executive and finance director pause for thought.
Help, in a way, is on the way. The Cyber Security and Sustainability Bill, currently working its way through Parliament, will force firms operating in key sectors to up their game. But ministers seem unwilling to wait until the law comes before putting pressure on the boardrooms they believe should be at the forefront.
For SME owners and directors, the practical implications are unclear. AI-powered attack tools are no longer a concern reserved for the world’s best-resourced hackers. Further, they are at a clear and present risk, and the signature of the government guarantee will be less if the fundamentals are not behind the boardroom door.
