By: Matt O’Keefe, Josh Simonis and Jarod Inzitari
Introduction
The Australian Securities and Investments Commission (ASIC) has issued a clear call to action for licensees and directors in response to the rapid evolution of frontier artificial intelligence. These technologies are reshaping the cyber threat landscape and introducing new, complex risks that extend beyond traditional security concerns. The open letter clarifies the regulator’s expectations on cyber resilience and foreshadows stronger scrutiny of Boards’ oversight, decision‑making and assurance.
ASIC’s message is straightforward:
“Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business”1
ASIC joins other Australian regulators, including the Australian Prudential Regulation Authority, in warning its regulated entities through open correspondence about the rapid evolution of emerging AI risks. AI and cyber maturity will increasingly influence supervisory outcomes, enforcement action and stakeholder confidence. ASIC emphasises the critical need for Boards and executives to sharpen their focus on the implications of AI, ensuring sustained attention on building and maintaining resilience.
Understanding AI-driven attacks
The evolution of advanced AI models represents a step change in both the scale and sophistication of cyber threats. ASIC highlights the growing cyber risk associated with frontier AI models, such as Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber, which represent an uplift in both capability and usability.2
These models are accelerating the speed, scale and sophistication of attacks while also introducing new attack vectors that challenge conventional security approaches. Threat actors are now able to automate reconnaissance, generate highly targeted and convincing phishing campaigns, rapidly identify and exploit vulnerabilities, and adapt their tactics in near real‑time. The result is a material reduction in the cost and skill required to execute complex attacks, significantly broadening the threat actor landscape.
At the same time, many organisations are still developing the technical expertise required to effectively oversee emerging AI risks. ASIC expects Boards and senior executives to move beyond general awareness, demonstrating a clear understanding of risk exposure, asking informed questions and ensuring robust, evidence‑based assurance.
Strengthening board oversight and accountability
ASIC’s open letter reinforces a clear message: organisations must return to first principles and ensure their cyber resilience is robust, proportionate and focused on what matters most.
AFS licensees and directors are expected to ensure that cyber governance and accountability frameworks are effective, embedded and evidence‑based. In practice, this requires Board directors to ask:
- Do we understand whether our cyber resilience capabilities, resourcing and skills are proportionate to the evolving threat environment?
- Do we have clear visibility of how emerging cyber and AI risks are identified, assessed and integrated into enterprise risk management frameworks?
- Are we receiving meaningful, outcome‑focused reporting on end‑to‑end control effectiveness?
- Is our governance supported by tangible evidence, including testing results, lessons learned from incidents and independent validation?
These questions reflect ASIC’s expectation that Boards move beyond passive oversight to actively validating that cyber resilience is credible, tested and aligned to the organisation’s risk profile.
Evolving cyber capability to meet emerging threats
These expectations extend directly to the cyber security function. ASIC highlights a growing gap between the pace of threat evolution and the maturity of many organisations’ cyber capabilities, particularly in the context of AI‑driven threats and increasing operational complexity.
For CISOs and Heads of Security, this requires a reassessment of whether current capabilities remain fit for purpose. Key questions include:
- Does our cyber security strategy, and the associated risk assessments, reflect the current and emerging threat environment?
- Do we have a clear, prioritised view of our most critical assets and systems, and are they appropriately protected?
- Are our core security controls regularly reviewed, tested and demonstrably effective?
- Are vulnerabilities continuously identified, prioritised and patched, supported by a patch management process that can keep pace with rapidly evolving, AI-enabled threats?
- Are we prepared to respond to a cyber incident, with well‑tested incident response and business continuity plans?
- Are third‑party and supply chain risks actively managed, including visibility over dependencies and concentration risk?
- Are we leveraging AI and automation effectively to enhance our defensive capabilities and improve security outcomes?
These questions reflect ASIC’s expectation that cyber security capabilities must remain adaptive and continuously aligned to an evolving threat landscape, increasingly shaped by frontier AI models.
Further, as ASIC observes, getting the basics of cyber security right has never been more important: the fundamentals provide the baseline for resilience against attack. Crucially, demonstrating that those basics are operating requires testing backed by evidence, not assertions that controls exist.
A clear regulatory benchmark
ASIC’s open letter establishes a clear benchmark for regulatory expectations. Organisations must be able to demonstrate that cyber resilience is not only designed appropriately but operating as intended in an environment shaped by rapidly evolving AI‑driven threats. This reflects a shift from assessing frameworks on paper at a point in time, to scrutinising how effectively Boards and management continuously translate awareness into action.
For ASIC‑regulated entities, the implication is clear. Cyber and AI risk management must be anchored in strong fundamentals, supported by robust governance, and evidenced through testing, validation and meaningful reporting. Organisations that take a proactive approach by strengthening oversight, sharpening risk prioritisation and continuously validating control effectiveness will be better positioned to respond to heightened supervisory focus. Conversely, those that rely on static frameworks or untested assumptions are likely to face increasing challenge. In this context, the open letter should be seen not just as regulatory guidance, but as a practical roadmap for building resilient, defensible cyber capability in the face of accelerating change.
How we can support you
WK Advisory supports ASIC‑regulated organisations to translate these expectations into practical, defensible outcomes. We have extensive experience advising boards and senior executives, helping strengthen governance, uplift oversight of cyber and AI risk, and ensure focus remains on what matters most from a regulatory and risk perspective.
Complementing this, our Cyber, Data and Technology team works closely with security and technology functions to uplift cyber capacity and validate control effectiveness. We bring together senior cyber, data and risk specialists in Australia, working alongside Wotton Kearney’s broader Cyber, Data and Technology legal practice. This integrated model combines practical advisory capability with deep cyber law and incident response expertise.
Key Contacts & Updates
For insights or questions about this article, please reach out to our authors.