
‘The clock is at a minute to midnight’ ASIC calls for urgent focus on AI


The financial services regulator has issued an open letter to all licensees, urging them to bolster cyber defences against artificial intelligence.

The Australian Securities and Investments Commission (ASIC) has issued a direct warning to financial services licensees and market participants, stating that the rise of frontier artificial intelligence (AI) has accelerated cyber threats to a "step-change" level.

In an open letter addressed to industry directors on Friday (8 May), the regulator emphasised that while AI models like Anthropic’s Claude Mythos (a recently released AI tool that specialises in cyber security) offer opportunity, they also allow malicious actors to exploit vulnerabilities at an unprecedented speed and scale by misusing them for criminal purposes.

Its letter reads: “The rapid evolution of frontier artificial intelligence models marks a significant shift in the cyber threat landscape. These models are accelerating both capability and accessibility, lowering the barrier to sophisticated cyber activity, increasing the speed and scale of attacks, and enabling new forms of exploitation that were previously out of reach for most actors.


“This does not mean entirely new categories of risk, but it does mean existing controls are more likely to be tested, more often, and under greater pressure.

“This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives.”

ASIC said its message came down to this: “[D]o not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.

“We are not calling for panic or reactive overreach. But we are calling for urgency, focus, and accountability.”

ASIC has said it expects entities to return to "first principles" and reminded licensees that “strengthening the basics is imperative, as they shape the baseline for your overall resilience”.

It has outlined 12 immediate steps to strengthen cyber resilience fundamentals:

  1. Reassess cyber plans and refocus efforts on the most critical risks within the current threat environment.

  2. Confirm that cyber risk, governance, and overall risk frameworks consider the cumulative impact of interrelated vulnerabilities and facilitate decision-making at the pace necessary to manage risk.

  3. Identify and protect critical assets and systems based on a clear understanding of what matters most to the business and its customers.

  4. Strengthen cybersecurity fundamentals through the regular review and validation of core controls.

  5. Minimise attack surfaces by reducing the exposure of systems and services to untrusted networks.

  6. Regularly review user access and reassess privileges to protect against unauthorised access, while monitoring for warning signs of increasing insider threats.

  7. Patch systems promptly, acknowledging that AI is accelerating the discovery and exploitation of vulnerabilities.

  8. Review and strengthen patch management processes, accounting for the challenges daily patching may present to testing and governance.

  9. Implement layered, defence-in-depth architectures that operate under the assumption of a breach and restrict lateral movement.

  10. Prepare for incident response by maintaining and exercising response plans and playbooks, including business continuity plans for high-priority services.

  11. Actively manage third-party risks, specifically where external services introduce concentration or systemic exposure.

  12. Utilise AI for defensive purposes where appropriate, such as identifying vulnerabilities and securing software prior to its release.

ASIC Commissioner Simone Constant stressed the urgency of the situation, noting that the window for preparation is closing.

"Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise.

"In this new world, weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors."

She continued: “Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same.

"Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.

"The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now."

Why the urgent call?

The warning comes after several high-profile cyber attacks in the finance industry, including ASIC’s case against FIIG Securities Limited, in which the court found that cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of a business.

The company was ordered to pay $2.5 million in pecuniary penalties after ASIC brought a case against the firm for failures to protect thousands of clients from cybersecurity threats for more than four years. A 2023 cyber-attack saw around 385 gigabytes of confidential information stolen and highly sensitive client data leaked onto the dark web – including driver’s licences, passport information, bank account details and tax file numbers.

Similarly, earlier this year, Broker Daily broke the news that threat actors had hacked fintech platform youX, affecting nearly 500,000 borrowers whose financial and personal information had been compromised. Fears were raised as to the extent of the fallout from the attack.

However, the hackers behind the breach said the risk of causing a nationwide “wave of identity theft” was too great to release the data.

Following the breach, the Mortgage and Finance Association of Australia (MFAA) said the youX data breach serves as a timely reminder that cyber security must remain front of mind for mortgage and finance brokers.

The industry body outlined a number of ways that brokers can protect themselves, including multi-factor authentication and cyber insurance.

Tackling the use of AI in financial crime has also been in the limelight recently, as a result of a massive investigation into home loan fraud, estimated to encompass more than $3 billion of lending across multiple lenders.

Australia’s major banks and investigators have reportedly identified thousands of suspicious loans involving highly convincing, AI-generated documentation, including fabricated payslips, bank statements, and tax returns, which were designed to bypass traditional verification systems.

The investigations - which include looking at current and former brokers at several aggregation groups - have already led to several arrests, the termination of aggregator agreements, and the quiet blacklisting of hundreds of brokers as lenders move to isolate the networks responsible.

ASIC's open letter echoes warnings made from the Australian Prudential Regulation Authority (APRA) last week, in which it warned banks that their safeguards around artificial intelligence have fallen behind a rapid rollout of new tools – urging a decisive lift in how AI‑driven risks are governed and controlled.

APRA’s intervention follows a supervisory review it ran late last year across the main segments of the financial sector, examining where firms were using AI and how those systems are overseen.

The review found that algorithms are no longer confined to pilots, with many institutions now weaving AI into core operations and customer interactions.

APRA concluded that key risk disciplines – including governance, operational risk, and cyber security – had not evolved at the same speed.


Annie Kane

AUTHOR

Annie Kane is the managing editor of Momentum's mortgage broking title, The Adviser.

As well as leading the editorial strategy, Annie writes news and features about the Australian broking industry, the mortgage market, financial regulation, fintechs and the wider lending landscape.

She is also the host of the Elite Broker, New Broker, Mortgage & Finance Leader, Women in Finance and In Focus podcasts and The Adviser Live webcasts. 

Annie regularly emcees industry events and awards, such as the Better Business Summit, the Women in Finance Summit as well as other industry events.

Prior to joining The Adviser in 2016, Annie wrote for The Guardian Australia and had a speciality in sustainability.

She has also had her work published in several leading consumer titles, including Elle (Australia) magazine, BBC Music, BBC History and Homes & Antiques magazines.