Moody's highlights AI-driven vulnerabilities creating structural credit risks for banks, emphasizing the need for improved remediation timelines.
Moody's rating agency has cautioned that the widening gap between AI-powered vulnerability discovery and banks' remediation timelines is creating structural credit risks, not incidental ones.
Anthropic's Claude Mythos model has autonomously identified thousands of previously unknown flaws across major operating systems and browsers. Large US banks were among the first to test their defenses under Project Glasswing.
In 2025, attackers exploited vulnerabilities within 44 days on average, while banks patched in 69 days. Although banks patch faster than other sectors, the difference still leaves them exposed. The average cost of a US data breach has reached US$10.2 million, a record high.
Moody's highlighted legacy systems as a key weakness, with smaller institutions disproportionately exposed. It warned that operational contagion from a cyber incident could disrupt data access, settlement, or AI-driven credit monitoring, posing systemic risks comparable to financial contagion.
Third-party software vendors were also identified as a major vulnerability point. Moody's stated that the best-positioned institutions are those using zero-trust architectures, faster development cycles, and continuous patch management.
The agency concluded that the speed gap between AI-driven discovery and remediation timelines is reshaping cyber risk into a structural credit issue for banks.
