
Recent press coverage concerning Anthropic’s Claude Mythos Preview model has prompted an increase in questions about the potential implications for the cyber insurance market. Willis Towers Watson explain that risk managers should expect questions on how these developments may affect both the scope of cyber insurance cover and future pricing.
The current position
Claude Mythos represents a potential step change in cyber risk, materially reducing the time between vulnerability discovery and exploitation. This acceleration challenges traditional assumptions around exposure windows and response timelines.
From an insurance perspective, cyber policies are generally designed to respond to cyber attacks regardless of the tools used by threat actors. The involvement of AI does not currently trigger exclusions or limitations in standard cover. While insurers are monitoring developments closely, at this stage, there is no evidence of immediate changes to pricing or policy structure driven specifically by Mythos.
That said, security fundamentals matter more than ever. Vulnerability management, disciplined patching, effective detection and response capabilities, and tested recovery processes remain central to both risk mitigation and insurability.
Organisations with weaker controls should expect increased scrutiny at renewal, particularly as insurers assess how exposed they may be to faster, AI-enabled attack cycles.
What has happened?
Anthropic’s announcement that its Claude Mythos Preview model can autonomously identify and exploit previously unknown vulnerabilities at unprecedented speed and scale has attracted significant attention across both the cybersecurity and insurance markets.
During testing, the model reportedly uncovered thousands of serious vulnerabilities across major operating systems and browsers, including long-standing issues that had evaded detection despite extensive human and automated efforts.
In response to the potential risks, Anthropic opted not to release the model publicly. Instead, it launched Project Glasswing, a controlled initiative granting approximately 50 trusted organisations access to Mythos for defensive purposes.
The aim is to accelerate the identification and remediation of critical vulnerabilities before they can be exploited maliciously. Anthropic has supported this effort with a $100 million allocation in usage credits.
Why Mythos matters for risk managers
The most significant implication of Mythos is the effective collapse of the vulnerability lifecycle. Historically, the time between vulnerability discovery and exploitation has been measured in months or years.
Recent trends have already reduced this window dramatically, from an average of 771 days in 2018 to, in some cases, mere hours by 2024. Mythos-class AI has the potential to compress this timeline even further.
For threat actors, this creates the opportunity to identify and weaponise vulnerabilities that may never have been discovered through conventional means. The likely result is an increase in both the frequency and effectiveness of attacks.
For defenders, however, the same technology provides a powerful capability to identify latent vulnerabilities and remediate them before exploitation occurs. The overall impact will depend on how effectively organisations integrate such tools into their security programmes.
Implications for cyber insurance
At present, most cyber insurance policies will respond to incidents involving AI-enabled attacks in the same way as traditional cyber events. Policy triggers are generally framed around the occurrence of a cyber incident, rather than the methodology used by the attacker.
There is no clear evidence that insurers are seeking to introduce AI-specific exclusions or limitations. However, the evolution of the threat landscape is likely to influence underwriting practices. Rather than a structural shift in coverage, the market response is more likely to manifest through increased focus on risk quality. Insurers are already placing greater emphasis on how quickly organisations can detect, respond to, and remediate vulnerabilities.
The introduction of tools such as Mythos reinforces this trend. Organisations that cannot demonstrate effective control over patching cycles, exposure management and incident response may face more challenging renewal discussions.
At this stage, Mythos alone is unlikely to trigger a hardening of the cyber insurance market. Pricing remains influenced by a broader set of factors, including claims experience, ransomware trends and systemic risk concerns. However, it does add to the underlying pressures shaping insurer behaviour.
Likely areas of underwriting focus
As insurers adapt to the implications of accelerated vulnerability exploitation, several areas are likely to receive increased attention:
Patching cadence and vulnerability management, particularly how quickly critical vulnerabilities are identified and remediated;
Use of compensating controls where immediate patching is not possible;
Endpoint detection and response (EDR) and monitoring capability;
Incident response planning and testing;
Backup integrity and recovery testing;
Exposure to legacy systems or unsupported software.
Insurers may also probe how organisations are leveraging emerging technologies, including AI, within their own defensive frameworks.
Policy considerations
While AI itself is not typically excluded, certain policy provisions may become more relevant in a Mythos-driven risk environment. These can include:
Known vulnerabilities exclusion/condition: Limits or denies coverage for incidents caused by security flaws that were known but haven't been fixed;
Failure to patch exclusion/condition: Limits or denies coverage because security updates (patches) weren’t applied in a reasonable timeframe;
Ransomware coinsurance condition: The insured must pay a percentage of the loss if they suffer a ransomware attack;
Reasonable security standards condition: Requires that you maintain an appropriate level of cybersecurity practices; otherwise, the insurer may limit or deny coverage.
The article was written by Andrew Hill, managing director, WTW’s global head of cyber product & innovation global FINEX and Robert Barberi, WTW’s managing director, chief client officer FINEX Cyber.