ASIC has called on all licensees and market participants to urgently bolster their cyber resilience in response to the growing threat posed by frontier artificial intelligence.
The regulator warned that the misuse of frontier AI models could expose cyber security vulnerabilities at a speed, scale, and sophistication far beyond what organisations have previously faced. In an open letter to industry, ASIC urged entities not to delay action, stressing that firms must not wait for advanced AI tools to take hold before strengthening their fundamental cyber security posture and ensuring their systems are capable of withstanding AI-accelerated attacks.
The letter was issued by ASIC Commissioner Simone Constant and sets out a principles-based, model-agnostic approach to cyber resilience. It reinforces that cyber resilience must be treated as a core licensing obligation rather than a matter solely for IT departments. The release of the letter follows a recent court outcome against FIIG Securities, which underscored the legal expectation that cyber risk management controls must be both demonstrably effective and proportionate to the size, nature, and complexity of an organisation.
ASIC is calling on regulated entities to take a series of immediate steps: reassessing cyber plans to address the most critical risks; confirming that governance and risk frameworks account for the cumulative impact of interrelated vulnerabilities; identifying and protecting critical assets; strengthening core cyber controls through regular review and validation; minimising attack surfaces; reviewing user access privileges; and patching systems promptly in recognition that AI is accelerating vulnerability discovery.
Entities are also urged to implement layered, defence-in-depth architectures, maintain and regularly exercise incident response plans, actively manage third-party risks, and deploy AI for defensive purposes where appropriate. Entities are required to table the open letter at their ultimate board and risk governance committees.
ASIC is Australia’s independent regulator of financial services and markets, responsible for ensuring that the financial system operates with integrity, efficiency, and transparency. It oversees a broad range of licensed entities and market participants operating across Australia’s financial sector.
In addition to the specific steps outlined above, ASIC encouraged all regulated entities to draw on practical guidance from trusted sources, including the Australian Signals Directorate. The regulator also highlighted the Australian Government’s free and anonymous Cyber Health Check tool, which offers organisations a tailored action plan with actionable steps to improve cyber security. ASIC stated it would continue to work closely with other regulators, agencies, and industry bodies to monitor cyber risks and promote consistent expectations across the financial system.
ASIC Commissioner Simone Constant said, “Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise.
“In this new world, weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors.”
Ms Constant continued, “Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same.
“Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.
“The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now.”
Copyright © 2026 RegTech Analyst