2 July 2026

ASIC Demands Urgent Cyber Upgrades To Combat Frontier AI Security Threats

Kennedys

Contributor


Australia’s financial services regulator, the Australian Securities and Investments Commission (ASIC), has called on financial service providers to improve their cybersecurity and cyber resilience to combat the threats posed by “frontier” AI models.

In an open letter published on 8 May 2026, ASIC, which is responsible for regulating Australia’s corporate, financial services and insurance sectors, urged Australian financial services licence (AFSL) holders to act promptly against the risks posed by advanced AI systems. ASIC warned that malicious actors are increasingly using cutting-edge AI models to identify and exploit vulnerabilities at an unprecedented scale.

All entities providing financial services in Australia are required to hold an AFSL, which is subject to several “core obligations”. ASIC has reminded AFSL holders that cybersecurity and cyber resilience are a key part of these obligations. Boards and senior management need to understand and take an active role in strengthening their organisation’s cybersecurity position and cyber resilience processes.

In particular, ASIC’s letter stresses the need for urgency due to the rapid adoption of frontier AI models by malicious actors, and the consequent increase in the speed, size and effectiveness of cyber-attacks. ASIC Commissioner Simone Constant stated that:

“Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise. In this new world, weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors.”

The message has been prompted by the recent Federal Court judgment in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 (which we covered in a case review), in which AFSL holder FIIG Securities Ltd (FIIG) was ordered to pay A$2.5 million in penalties for inadequate cybersecurity measures. 

The Federal Court ruled that FIIG failed to protect thousands of clients from cybersecurity incidents across four years, which saw around 385 gigabytes of confidential information stolen and sold on the dark web, including tax file numbers, bank account details, passport information and driver’s licences. FIIG admitted to failing to comply with its AFSL obligations and its own policies and procedures. Examples of FIIG’s shortcomings included failing to:

  • Have an appropriate cyber incident response plan that was tested annually
  • Provide cyber security awareness training to staff
  • Monitor threat alerts
  • Implement adequate cyber security measures, including multi-factor authentication, strong access controls, appropriate firewall and security software, and vulnerability scanning; and
  • Allocate the necessary funds to have qualified personnel and technological resources available. 

ASIC highlighted that cyber risk management must be proportionate to the size, nature and complexity of the business. It requires consistent use of well-established controls, supported by adequate resource allocation and effective governance. 

ASIC’s letter outlines the following practical steps that should be taken by all AFSL holders to meet their obligations: 

  • Prepare for cyber incident response by maintaining and exercising an incident response plan
  • Reassess existing incident response plans, focusing on the most critical risks today
  • Confirm that current frameworks consider the cumulative impact of interrelated vulnerabilities
  • Identify and protect critical assets and systems
  • Strengthen cybersecurity fundamentals through regular review
  • Minimise attack surfaces by reducing exposure of systems and services to untrusted networks
  • Regularly review user access and reassess privileges
  • Patch systems promptly, and review and strengthen patch management processes
  • Implement layered, defence-in-depth architectures that restrict lateral movement in the event of a breach
  • Actively manage third-party risks; and
  • Use AI for defensive purposes where appropriate, including identifying vulnerabilities and securing software before release.

For further practical guidance, ASIC encourages AFSL holders to review the insights published by the Australian Signals Directorate.

ASIC notes that while frontier AI models have increased cyber risk, they have not changed the fundamentals of effective cybersecurity and cyber resilience. Robust, current, and well-tested planning that tackles the entire cyber incident life cycle remains critical to an organisation’s cyber safety.

While ASIC’s advice is targeted at the Australian financial service providers it regulates, the risks posed by frontier AI models are global and affect all industries. ASIC’s message should be considered a priority by all businesses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
