Moody's Warns that AI Cyber Arms Race Raises Risks for Banks

Frontier AI has changed the bug hunting game forever – unleashing a storm of vulnerabilities faster than organisations can patch them – forcing businesses into a new era of cyber resilience where defence speed and system architecture matter more than ever.

Among the industries that this shift is sending off to the cybersecurity battlefield, financial institutions are in the frontline dealing with the fallout. 

The panic started after the release of highly capable models such as Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber that are capable of autonomously identifying thousands of previously unknown software vulnerabilities across major operating systems and browsers.

Large US banks were among the first to gain controlled access to Mythos through Project Glasswing, an initiative designed to stress test cyber defences against next-generation AI threats. 

A recent Moody’s industry report titled “Arms Race: Deep defenses will help banks navigate cyber threats from new AI models” dives into the cyber risk landscape for financial institutions.  

Banks face rising cyber pressure 

Banks which hoard vast customer funds, operate critical payments infrastructure and hold highly sensitive data, are naturally lucrative targets for cybercriminals. 

“According to IBM, the average cost of a US data breach is US$10.2m – an all-time high,” Moody’s study notes. 

“With Mythos, the magnitude and sophistication of attacks are likely to increase, which could increase the total cost.”

Very heavy regulatory obligations and long-standing investment in cybersecurity gives most financial institutions a stronger baseline of resilience compared with many other sectors.

Concerningly however, Moody’s points out that the speed gap between bad actor attacks and defender response is widening. 

Moody’s research shows that in 2025 the average time for attackers to exploit a software weakness fell to 44 days, while median remediation times stood at 87 days across all sectors. 

Even in banking, where performance is better at 69 days, defenders are still lagging behind attackers.

Cyber spending is also expected to rise significantly. A 2025 survey done by the company shows that the share of banks allocating more than 10% of their technology budget to cyber is climbing high. 

Bain says that “many organisations will need to significantly increase cybersecurity spending, by up to two times their current levels or even more; planned increases of about 10% annually fall far short of what the threat now demands".

“Cyber risk in digital finance is no longer niche, it’s becoming systemic as institutional adoption grows,” notes Rajeev B, Head of Strategy, Digital Economy at Moody’s Ratings, on LinkedIn. 

“Our latest research highlights how the convergence of private systems with public blockchains is amplifying risk severity, driven largely by operational vulnerabilities rather than core protocol flaws.

“Looking ahead, emerging threats such as quantum enabled attacks, while still distant, underscore the need for forward-looking resilience, stronger cyber governance and greater preparedness as the ecosystem evolves.”

Legacy systems and patch delays 

Legacy IT environments, sometimes built decades ago, are proving difficult to modernise at the speed now required.

According to Moody’s analysis, outdated systems where software has not been patched for years represent one of the most attractive entry points for attackers. 

These environments are complex, tightly interconnected and often slow to update, increasing exposure to exploitation.

In parallel, third-party software dependencies are expanding the attack surface. Many financial institutions rely on large ecosystems of vendors, each of which can introduce potential vulnerabilities into core systems.

Despite these risks, banks are not standing still. Many are shifting towards continuous patching, stronger vendor controls and Zero Trust security models that authenticate every access request before granting system entry.

AI defence muscle

 “Companies will need to fix their software vulnerabilities faster than malicious actors can exploit them,” Moody’s notes. 

An efficient way to do this is to actively incorporate AI as a prominent tool in the defence toolkit. Financial institutions are increasingly using machine learning systems to detect vulnerabilities earlier in the development cycle. 

However, while these tools can identify weaknesses, they do not automatically resolve them, leaving implementation and operational risk firmly with human teams.

For banks, the priority is shifting towards speed, coordination and design resilience. 

Secure-by-design software development is gaining traction, with security integrated into code from the outset rather than added after deployment.

Moody’s concludes that while AI is raising the stakes for financial cybersecurity, it is also strengthening defenders who can adapt quickly.