Chiefs of financial institutions met MAS to discuss measures against AI threats following Mythos’ limited release

“These attacks are faster, more scalable, and significantly more sophisticated,” said Senior Minister of State for Digital Development and Information Tan Kiat How.

News broke in April that Anthropic’s Claude Mythos Preview is reportedly able to surface vulnerabilities in software systems and generate code to exploit flaws.

SINGAPORE – The chief executive officers of major financial institutions in Singapore have met the Monetary Authority of Singapore (MAS) to discuss the collective action to be taken against cyberthreats posed by advanced AI models.

Singapore’s cybersecurity commissioner will also be sending letters to the senior leadership and board members of critical information infrastructure (CII) owners to urge them to review their cyber-risk posture, said Senior Minister of State for Digital Development and Information Tan Kiat How in Parliament on May 5.

He was responding to questions filed by MPs on the Government’s assessment of risks posed by frontier AI models such as Anthropic’s Claude Mythos Preview, and steps that are being taken to safeguard the country’s digital systems.

News broke in April that Anthropic’s limited-release model is reportedly able to surface vulnerabilities in software systems and generate code to exploit flaws – a feature that is said to allow hackers to speed up attacks with fewer resources.

The US-based firm claims that the model, which was released to a group of about 50 companies, has found vulnerabilities in every major browser and operating system.

“These attacks are faster, more scalable and significantly more sophisticated,” said Mr Tan. “What we have not yet seen is fully autonomous AI agents running end-to-end campaigns. But this is a matter of time given the trajectory of technological developments.”

But advances in capabilities enabled by Mythos should be viewed as a continuum rather than a step change, said Mr Tan.

He cited OpenAI’s GPT-5.5 model, which is already showing comparable cybersecurity capabilities, and rapidly improving open-source AI models that are likely to reach similar proficiency within months.

He added that artificial intelligence is also changing the way attacks are carried out, such as a new class of PROMPTFLUX malware that is able to consult a live AI model during attacks and rewrite code in real time to evade detection.

“The issue is not any single model like Mythos,” said Mr Tan.

“The underlying shift is broader and the risks are real. We are treating them with the seriousness they deserve.”

In the light of such threats, MAS has brought together the CEOs of major financial institutions to discuss collective action and strengthen their cybersecurity posture, said Mr Tan.

He added: “The same urgency extends across all sectors. The Cyber Security Agency of Singapore (CSA) will issue a letter to the boards and senior leadership of all CII owners today.”

The Republic’s 11 CII sectors are aviation, healthcare, land transport, maritime, media, security and emergency services, water, banking and finance, energy, info-communications, and government.

Mr Tan said the review of cybersecurity risks should not be delegated to information technology teams alone, urging attention from leaders at the highest levels, including board members and CEOs.

He warned that most breaches begin with unmanaged assets, such as forgotten internet-facing systems or a shadow cloud account.

He also advised firms to constantly monitor and patch faster due to the narrowing time window between vulnerability disclosure and exploitation, and to adopt AI-powered tools for detection and response.

While the Government has been working with industry partners to access the best tools available, it is also developing in-house capabilities to reduce external reliance, said Mr Tan.

“These are being piloted within the Government and will be extended to more agencies and CII owners when ready.”

CSA is also reviewing standards and obligations for CII owners to account for faster attack timelines that AI enables, said Mr Tan, adding that the agency has the authority to direct and enforce action where necessary.

Though the Government does not have direct access to Anthropic’s Mythos model to test its capabilities, the authorities will continually assess its risk based on published evaluations, threat intelligence and ongoing engagement with major AI firms, said Mr Tan.

He was replying to a question by Mr Louis Chua (Sengkang GRC) on whether a risk assessment has been conducted on the model’s ability to find zero-day vulnerabilities.

Zero-day vulnerabilities are flaws unknown to the software maker and thus have no fix.

In dealing with sophisticated AI-driven cyberattacks that can be conducted in a borderless manner by bad actors globally, Mr Tan added that attracting talent is the most critical factor in cybersecurity.

“There is no singular definition of what kind of cybersecurity talent is needed,” said Mr Tan, in response to a question from Mr Yip Hon Weng (Yio Chu Kang).

He added that this includes defenders to do detection, red-teaming and penetration testing, and even understanding the psyche of bad actors.

Red-teaming is when ethical hackers simulate cyberattacks so organisations can test the effectiveness of their cybersecurity systems, while penetration testing is done to identify vulnerabilities in a computer system.

Citing the efforts by agencies such as CSA to support fresh graduates and mid-career professionals who want to move into the cybersecurity sector, he said that the Government welcomes more talent.

“(We) will continue to raise awareness, set standards and support organisations in building robust cyberdefences,” said Mr Tan.

“But resilience depends on everyone doing their part – we must act early and decisively, and stay ahead of the threat.”
