Ministers are turning up the heat on Britain’s biggest companies to fortify their cyber-defences, warning that a new generation of artificial intelligence tools, including Anthropic’s controversial Mythos model, risks unleashing a fresh wave of sophisticated hacking against UK plc.
In a pointed intervention, Baroness Lloyd of Effra (pictured), the cybersecurity minister, has written to almost 200 business leaders pressing them to back a new “cyber-resilience pledge” designed to drag boardrooms into the front line of digital defence.
To sign up, companies must make cybersecurity an explicit board-level responsibility, enrol with the National Cyber Security Centre’s early-warning service, and require the “Cyber Essentials” certification throughout their supply chains. The pledge will be formally launched in the summer and is intended to give investors, customers and trading partners a clearer benchmark by which to judge a business’s digital defences.
The push comes against a febrile backdrop. Anthropic, the San Francisco-based AI developer, revealed last week that it had decided not to release Mythos, a model honed for cybersecurity work, because of its uncanny ability to sniff out vulnerabilities in software. Instead, the company has quietly handed it to 40 US technology firms to help them shore up their defences.
While some industry watchers have dismissed the move as a marketing flourish, Wall Street, the City and financial regulators are taking it seriously. Britain’s biggest high-street lenders, including Barclays, Lloyds and NatWest, are understood to be in talks with Anthropic about gaining access to the model.
Andrew Bailey, governor of the Bank of England, has gone so far as to suggest that Anthropic may have “found a way to crack the whole cyber-risk world open”, an unusually colourful assessment from Threadneedle Street.
The UK’s AI Security Institute, one of the few bodies outside the United States to have put Mythos through its paces, described the model as a “step up” in capability. It concluded that Mythos was “at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained”, though it stopped short of saying whether the model could breach better-fortified targets.
For SMEs, the assessment is uncomfortable reading. The lion’s share of “small, weakly defended” enterprise systems sits squarely in the small and medium-sized business community, where IT budgets are tight and dedicated security teams a rarity.
Dan Jarvis, the security minister, will press the pledge at this week’s CyberUK conference in Glasgow, where he is expected to argue that the country still suffers from a yawning perception gap between digital and physical crime. Drawing on the recent ransomware attack that crippled Jaguar Land Rover, Jarvis will tell delegates that had the same damage been done by “an old-school physical attack, it would have been the equivalent of hundreds of masked criminals turning up to dealerships across the country, breaking glass, smashing up computers and driving cars right off the forecourt”.
His message: “There is no real difference between them; they are both brazen acts of criminality.”
Lloyd struck a similarly urgent tone, telling business leaders: “The cyber threat facing UK businesses is serious, growing and evolving fast. AI is giving attackers capabilities that would have seemed extraordinary just a year ago and no organisation can afford to be complacent. Cyber-resilience isn’t just a technical issue; it’s a board responsibility and we’re asking every boardroom in Britain to prove they treat it as one.”
Despite years of warnings from Whitehall and the NCSC, the take-up of basic cyber hygiene measures remains stubbornly low. Just 56,000 Cyber Essentials certificates were issued in 2025, covering roughly 1 per cent of UK businesses, a figure that ought to give every chair, chief executive and finance director pause for thought.
Help, of a sort, is on the way. The Cyber Security and Resilience Bill, currently working its way through Parliament, will compel firms operating in critical sectors to raise their game. But ministers appear unwilling to wait for the legislation to land before applying pressure on the boardrooms they believe should already be ahead of the curve.
For SME owners and directors, the practical takeaway is unambiguous. AI-powered attack tools are no longer a theoretical worry kept at bay by the world’s best-resourced criminals. They are, increasingly, a clear and present danger, and a signature on a government pledge will count for little if the basics are not in place behind the boardroom door.
Read more:
Ministers urge British boardrooms to sign cyber-resilience pledge as AI threat escalates