In an open letter addressed to all licensees and directors on Friday (8 May), the Australian Securities and Investments Commission (ASIC) has warned that the misuse of artificial intelligence (AI) models could expose cybersecurity vulnerabilities at an unprecedented speed, scale, and sophistication.
The letter, issued by ASIC Commissioner Simone Constant, is therefore calling on all licensees and market participants to urgently strengthen their cyber resilience measures, as frontier AI intensifies the global cyber risk environment.
"Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise," she said.
"In this new world, weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors."
ASIC is therefore emphasising the need for urgent, focused action using a principles-based, model-agnostic approach, reminding industry that cyber resilience must be treated as a core licensing obligation, not simply an IT issue.
It warned that the window for preparation is rapidly closing.
"The rapid evolution of frontier artificial intelligence models marks a significant shift in the cyber threat landscape," the letter stated.
"These models are accelerating both capability and accessibility... enabling new forms of exploitation that were previously out of reach for most actors."
It notes: "This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives."
Constant therefore issued a rare, urgent call to action: "The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now."
She flagged that entities must have robust incident response plans.
"Whether an entity faces a basic phishing attempt or a more sophisticated cyber attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same.
"Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited."
12 Critical Steps for Licensees
ASIC is urging entities to take the following steps now:
- reassess your cyber plans and refocus efforts on the most critical risks in today’s threat environment
- confirm your cyber risk, governance and overall risk and decision-making frameworks consider the cumulative impact of interrelated vulnerabilities and facilitate clear decision making and escalation at the pace necessary to manage risk
- identify and protect critical assets and systems, with a clear understanding of what matters most to your business and customers
- strengthen cyber security fundamentals by regularly reviewing and validating core controls
- minimise attack surfaces by reducing exposure of systems and services to untrusted networks
- regularly review user access and reassess privileges, to protect against unauthorised access. Insider threats are increasing and entities should monitor for warning signs and act to restrict access where concerns are identified
- patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation
- review and strengthen patch management processes, considering challenges daily patching may present to identification, testing, and governance of critical updates
- implement layered, defence-in-depth architectures that assume breach and restrict lateral movement
- prepare for incident response by maintaining and exercising incident response plans and playbooks including business continuity plans and identification of highest priority services, channels and platforms
- actively manage third-party risks, particularly where services introduce concentration or systemic exposure
- use AI for defensive purposes, where appropriate, including identifying vulnerabilities and securing software before release.
Cyber threats building
The regulator reminded the industry that cyber resilience is now a "licence to operate" requirement. This follows the landmark Federal Court ruling in ASIC v FIIG Securities, where the firm was ordered to pay a $2.5 million penalty for failing to protect thousands of clients from a 2023 cyber-attack.
Earlier this year, fintech company youX was the target of a data breach, where hackers exfiltrated the data of nearly 500,000 borrowers. While the hackers ultimately claimed they would not release the data to avoid a "wave of identity theft," the Mortgage and Finance Association of Australia (MFAA) noted the incident served as a "timely reminder" that brokers are prime targets - and issued a guide for industry to help shore up defences.
ASIC’s letter aligns with a similar "step-change" demand issued by the Australian Prudential Regulation Authority (APRA) last week. APRA warned that banks and insurers have allowed their safeguards to fall behind the rapid rollout of AI, urging a decisive lift in how these risks are governed.