Ministers are increasing pressure on Britain’s biggest companies to strengthen their cyber defenses, warning that a new generation of artificial intelligence tools, including Anthropic’s controversial Mythos model, could trigger a new wave of sophisticated hacker attacks against UK PLCs.
In a targeted intervention, Baroness Lloyd of Effra (pictured), the cybersecurity minister, has written to almost 200 business leaders, urging them to back a new “cyber resilience pledge” aimed at bringing boardrooms to the front line of digital defence.
To sign up, companies must explicitly make cybersecurity a board-level responsibility, enroll in the National Cyber Security Center’s Early Warning Service, and require “Cyber Essentials” certification across their supply chains. The pledge will officially launch in the summer and is intended to give investors, customers and trading partners a clearer benchmark against which to assess a company’s digital defenses.
The advance comes against a feverish background. Anthropic, the San Francisco-based AI developer, announced last week that it has decided not to release Mythos, a model designed for cybersecurity tasks, because of its uncanny ability to find vulnerabilities in software. Instead, the company quietly gave it to 40 U.S. tech firms to help them strengthen their defenses.
While some industry observers dismiss the move as a marketing stunt, Wall Street, the city and financial regulators are taking it seriously. The UK’s biggest lenders, including Barclays, Lloyds and NatWest, are understood to be negotiating with Anthropic for access to the scheme.
Bank of England Governor Andrew Bailey even went so far as to suggest that Anthropic may have “found a way to disrupt the entire cyber risk world,” an unusually colorful assessment from Threadneedle Street.
Britain’s AI Security Institute, one of the few institutions outside the United States that has put Mythos through its paces, described the model as a “step up” in performance. It concluded that Mythos was “at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained,” although it did not say whether the model could breach better-protected targets.
The assessment is uncomfortable reading for SMEs. The lion’s share of “small, weakly protected” enterprise systems are located squarely in the small and medium business community, where IT budgets are tight and dedicated security teams are a rarity.
Dan Jarvis, the security minister, will demonstrate that promise at this week’s CyberUK conference in Glasgow, where he is expected to argue that the country still suffers from a gaping perception gap between digital and physical crime. Referring to the recent ransomware attack that crippled Jaguar Land Rover, Jarvis will tell delegates that if the same damage had been done by “an old-school physical attack, the equivalent would have been hundreds of masked criminals turning up at dealerships across the country, smashing glass, destroying computers and driving cars right off the forecourt.”
His message: “There is no real difference between them; both are brazen criminal acts.”
Taking a similarly forceful tone, Lloyd told business leaders: “The cyber threat to UK businesses is serious, growing and evolving rapidly. AI is giving attackers opportunities that would have seemed extraordinary just a year ago, and no business can afford to be complacent. Cyber resilience is not just a technical issue; it is the board’s responsibility and we are calling on all boards in the UK to demonstrate that they are addressing it as a whole.”
Despite years of warnings from Whitehall and the NCSC, implementation of basic cyber hygiene measures remains stubbornly low. In 2025, just 56,000 Cyber Essentials certificates were issued, covering around 1 percent of UK companies, a figure that should give every CEO, managing director and finance director pause.
Some kind of help is on the way. The Cybersecurity and Resilience Bill currently being passed in Parliament will force companies operating in critical sectors to do their best. But ministers appear unwilling to wait for the law to be passed before putting pressure on boardrooms, which they believe should already be ahead.
For SME owners and directors, the practical takeaway is clear. AI-powered attack tools are no longer a theoretical concern kept at bay by the world’s best-equipped criminals. Increasingly they represent a clear and present danger, and signing a government commitment is of little use if the fundamentals are not in place behind the boardroom door.
