ASIC calls for cyber resilience focus

The regulator is calling on licensees and company directors to have appropriate cybersecurity processes in place given the increased AI threat.

The Australian Securities and Investments Commission (ASIC) has compiled an open letter to industry, urging it to strengthen its cyber resilience in the wake of further advancements in artificial intelligence, stressing “the clock is at a minute to midnight”.

“Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise,” ASIC commissioner Simone Constant noted.

“In this new world, weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors,” she added.

The regulator suggested licensees and directors should act now and not wait for “perfect clarity” to address this new threat. In the letter, ASIC calls for urgency, focus and accountability, while also stressing it does not want to stoke panic.

The letter outlines 12 steps ASIC wants entities to follow, starting with reassessing cyber plans and confirming cyber risk and governance frameworks, through to preparing for incident response and actively managing third-party risks.

“Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber-attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same,” Constant explained.

Entities are also required to table the letter at their ultimate board and risk governance committees. The regulator stated it expects boards and senior executives to understand their organisation’s position, to ask the right questions and provide evidence of their final positions.

“Governance should not rely only on assurances. It should be supported by evidence – test results, audit findings, lessons from incidents, and independent validation, supported by appropriate capability and resourcing,” the letter said.

The regulator has made a commitment to continually monitor cyber risks, maintain constant communications about its expectations across the financial sector and work closely with other agencies to achieve these objectives.

Copyright © SMS Magazine 2026
