ASIC issues call to action regarding AI cyber risks
The regulator has urged service providers and market participants to strengthen cyber security measures amid an intensified risk environment.
Misuse of frontier AI poses the greatest threat, with technologies such as Anthropic’s Claude Mythos able to exploit security vulnerabilities at unprecedented levels.
An open letter released on 8 May stated: “ASIC’s message is straightforward: do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.”
Issued by ASIC commissioner Simone Constant, it outlined the need for entities to ensure systems can withstand AI models that are “accelerating both capability and accessibility, lowering the barrier to sophisticated cyber activity, increasing the speed and scale of attacks, and enabling new forms of exploitation that were previously out of reach for most actors”.
In the letter, Constant said: “In this new world, weaknesses that once seemed isolated can now have a system-wide domino effect, enabling new forms of exploitation that were previously out of reach for most malicious actors.”
As reported by Accounting Times’ sister brand, Cyber Daily, in February, the Federal Court handed down a $2.5 million penalty against FIIG Securities for inadequate handling of cyber security measures: specifically, failing to have adequate financial, technological and human resources, failing to have adequate risk management systems, and failing to provide financial services efficiently, honestly and fairly.
According to ASIC, this was the first time the Federal Court imposed civil penalties for cyber security failures under the general AFS licensee obligations.
Commissioner Constant said, “Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same.”
“The clock is at a minute to midnight - if you aren’t on top of your cyber resilience already, the time to act and prepare is right now.”
ASIC urged entities to implement a number of measures: reassess cyber plans, confirm your risk and governance frameworks, identify and protect critical assets and systems, strengthen cyber security fundamentals, reduce exposure to untrusted networks, review user access and privileges, patch systems promptly and strengthen systems, implement layered, defence-in-depth architectures, maintain incident response plans, actively manage third-party risks, and use AI for defensive purposes where appropriate.
“The time to act is now, not by reinventing your approach, but by ensuring the basics are robust, resourced, and working effectively.”