The Australian Securities and Investments Commission (ASIC) has called on all licensees and market participants to urgently strengthen their cyber resilience measures as frontier artificial intelligence (AI) intensifies the global cyber risk environment.
In an open letter to industry, ASIC warns that misuse of frontier AI models such as Anthropic's Claude Mythos could expose cyber security vulnerabilities at unprecedented speed, scale and sophistication. The regulator urges entities to act immediately, rather than wait for advanced AI tools, to uplift their cyber security fundamentals and ensure systems can withstand AI-accelerated threats.
The letter, issued by ASIC Commissioner Simone Constant, emphasises the need for urgent, focused action using a principles-based, model-agnostic approach. It reminds industry that cyber resilience must be treated as a core licensing obligation, not simply an information technology issue.
Commissioner Constant said that cyber risk has "entered a new era" as frontier AI models create both opportunity and materially increased risk. She highlighted the ability of these technologies to expose vulnerabilities far faster than many realise, warning that weaknesses that once appeared isolated can now have a system-wide domino effect. According to the Commissioner, this dynamic enables new forms of exploitation that were previously out of reach for most malicious actors.
ASIC's letter follows its recent court outcome against FIIG Securities Limited, which reinforced the legal case for cyber risk management controls to be demonstrably effective and proportionate to the size, nature and complexity of a business. The regulator is using this outcome to underline the expectation that entities maintain robust and appropriate cyber risk frameworks.
Priority actions for entities
ASIC is urging entities to undertake a comprehensive reassessment of their cyber resilience. Recommended actions include reassessing cyber plans, confirming cyber risk and governance frameworks, and identifying and protecting critical assets. Entities are also encouraged to strengthen cyber security fundamentals, minimise attack surfaces, regularly review user access, and patch systems promptly.
The regulator further advises implementing layered defence-in-depth architectures, preparing for incident response, and actively managing third-party risks. Where appropriate, ASIC notes that entities may also use AI for defensive purposes.
ASIC requires that the open letter be tabled at entities' ultimate board and risk governance committees, underscoring the expectation that cyber resilience is overseen at the highest levels of corporate governance in light of the evolving AI-enabled threat landscape.



