ASIC - Australian Securities and Investments Commission

05/08/2026 | Press release | Distributed by Public on 05/07/2026 16:43

ASIC calls for urgent cyber uplift as AI accelerates cyber threats

ASIC is calling on all licensees and market participants to urgently strengthen their cyber resilience measures, as frontier artificial intelligence (AI) intensifies the global cyber risk environment.

While cyber risk has always existed, misuse of frontier AI models such as Anthropic's Claude Mythos could expose cyber security vulnerabilities at an unprecedented speed, scale, and sophistication.

In an open letter to industry, ASIC has urged entities to act now and not wait for advanced AI tools to uplift their cyber security fundamentals and ensure their systems can withstand AI-accelerated threats.

The letter, issued by ASIC Commissioner Simone Constant, emphasises the need for urgent, focused action using a principles-based, model-agnostic approach, reminding industry that cyber resilience must be treated as a core licensing obligation, not simply an IT issue.

Commissioner Constant said, 'Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise.

'In this new world, weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors.'

Today's letter follows ASIC's recent court outcome against FIIG Securities Limited (26-021MR), which reinforced the legal case for cyber risk management controls to be demonstrably effective and proportionate to the size, nature and complexity of a business.

Ms Constant continued, 'Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same.

'Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.

'The clock is at a minute to midnight - if you aren't on top of your cyber resilience already, the time to act and prepare is right now.'

ASIC is urging entities to take the following steps now:

  • reassess your cyber plans and refocus efforts on the most critical risks in today's threat environment
  • confirm your cyber risk, governance and overall risk and decision-making frameworks consider the cumulative impact of interrelated vulnerabilities and facilitate clear decision making and escalation at the pace necessary to manage risk
  • identify and protect critical assets and systems, with a clear understanding of what matters most to your business and customers
  • strengthen cyber security fundamentals by regularly reviewing and validating core controls
  • minimise attack surfaces by reducing exposure of systems and services to untrusted networks
  • regularly review user access and reassess privileges, to protect against unauthorised access. Insider threats are increasing and entities should monitor for warning signs and act to restrict access where concerns are identified
  • patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation
  • review and strengthen patch management processes, considering challenges daily patching may present to identification, testing, and governance of critical updates
  • implement layered, defence-in-depth architectures that assume breach and restrict lateral movement
  • prepare for incident response by maintaining and exercising incident response plans and playbooks including business continuity plans and identification of highest priority services, channels and platforms
  • actively manage third-party risks, particularly where services introduce concentration or systemic exposure
  • use AI for defensive purposes, where appropriate, including identifying vulnerabilities and securing software before release.

Entities are required to table the letter at their ultimate board and risk governance committees.

All ASIC-regulated entities should use practical guidance from trusted sources to strengthen cyber defences, including the Australian Signals Directorate (ASD).

ASIC also encourages the use of the Australian Government's free and anonymous Cyber Health Check, which provides a tailored action plan with simple, actionable steps to improve cyber security.

ASIC will continue to work closely with other regulators, agencies and industry to monitor cyber risks and promote consistent expectations across the financial system.


Background

ASIC is working closely with other regulators - including global peers - to monitor developments in AI, assess impacts on the local market and proactively address emerging vulnerabilities.

ASIC's regulatory resources include further information about cyber security and cyber resilience:

Entities may wish to also refer to APRA's recent letter to industry on Artificial Intelligence (AI).

ASIC recommends that organisations and investors consider advice from the ASD's Australian Cyber Security Centre, subscribe to ASD alerts and consider the ASD partnership program where appropriate.

The ASD provides easy-to-understand advice about what to do when organisations and investors suffer a data breach via its Report and recover webpage.

ASIC - Australian Securities and Investments Commission published this content on May 08, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on May 07, 2026 at 22:44 UTC.