Agentic AI could help banks exploit their “home field” advantage by detecting security vulnerabilities before hackers do, according to Lloyds’ chief security officer Matt Rowe.
While banks’ in-depth understanding of their internal technology stacks and processes technically gives them an edge over attackers, this has not always translated into stronger cyber defences, says Rowe, who leads a 1,000-strong security team at Lloyds.
However, using AI agents and large language models, which are good at finding a “needle in a haystack”, banks could find potential attack paths and “shut them down” before hackers gain a foothold.
“AI could mean we get a step ahead,” he told The Banker.
Rowe was speaking on the sidelines of a cyber attack simulation exercise hosted earlier this week in London by Lloyds, Google and cyber readiness platform Hack The Box. The exercise saw more than 30 teams from across the UK financial services industry test their real-world cyber defence skills against one another.
“The burden on us doing a good job has been significant, and it doesn’t get any easier,” said Rowe, adding that such exercises give banks the opportunity to flex their “attacker muscles” and think about cyber defensive strategies in “a deeper way”.
Sharpening cyber defence skills is critical in an era where new AI models such as Anthropic’s Claude Mythos Preview could “crack the whole cyber risk world open”, by giving non-experts the tools to more easily identify software vulnerabilities.
UK lenders are still waiting to gain access to Mythos, after Anthropic restricted its rollout to a handful of US banks and tech firms, deeming it “too dangerous” to be released to the public.
Rowe described Mythos as a “step forward”, as it will help banks identify vulnerabilities that need fixing, which they wouldn’t have found so easily before. But he warned banks will need to patch security vulnerabilities identified at “a high velocity”.
Anthropic claims Mythos can identify vulnerabilities in every major operating system and web browser, including ones that have gone undetected for years.
Given the pace at which AI is evolving, Rowe believes Mythos is only the start, and will be succeeded by other models that do “a similar thing quite well, or even better”.
However, some cyber security specialists attending the two-day simulation exercise this week were more sceptical, describing Mythos’s restricted rollout as “marketing hype”.
Others said banks need to take greater advantage of AI, to stay ahead of criminal hackers.
“With AI, we can improve our defences. If we can keep up the pace and not stay behind with the technology, we can actually win,” said one ethical hacker participating in this week’s exercise.
Rowe believes AI has made the job more interesting, describing it is “an amazing time” to be in cyber security.
“Two or three years ago, [security] teams were just doing repetitive things like opening or closing a [security] ticket, patching a security [vulnerability] or investigating an alarm. Every time it fires, you still need to check it,” he said.
With AI, many of these mundane tasks can be automated and security teams can now focus on “harder problems” such as finding attackers that mimic normal user or system behaviour to remain undetected.
“People in security just want to do a brilliant job,” said Rowe. “AI now gives them the tools to do stuff that they only would have imagined to be possible a few years ago.”
Was this article helpful?
(optional)
Thank you for your feedback!
Your feedback will help us improve our article content.
