‘Act now’: ASIC warns finance sector over ‘frontier AI’ cyber threat

Ryan Johnson, The West Australian
ASIC warns finance industry over frontier AI cyber threat. Credit: The Nightly

Australia’s corporate regulator has warned banks, superannuation funds and insurers to tighten their cyber defences as frontier artificial intelligence makes hacking faster, cheaper and easier to scale.

The Australian Securities and Investments Commission said advanced AI models were lowering the barrier for sophisticated cyber attacks.

The warning follows concern over Anthropic’s Claude Mythos model, which was deemed too dangerous for public release and instead opened to parts of the finance industry to test their own vulnerabilities behind closed doors.

“This is not a distant or hypothetical risk,” ASIC commissioner Simone Constant said in a letter to licensees and directors.

“It is here now, evolving quickly and requires the attention of boards and executives.”

ASIC said frontier AI did not create entirely new cyber risks, but made existing weaknesses far more dangerous.

A phishing email, loose access controls or an unpatched system could now be exploited faster and chained together with other vulnerabilities.

Ms Constant said firms should not wait for “perfect clarity” before acting.

“We are not calling for panic or reactive overreach,” she said. “But we are calling for urgency, focus, and accountability.”

Anthropic said in an April 7 preview that Mythos could identify and exploit zero-day vulnerabilities in every major operating system and web browser when directed by a user.

“The vulnerabilities it finds are often subtle or difficult to detect,” Anthropic said.

It also warned non-experts could use the model to exploit sophisticated vulnerabilities, while researchers had built systems that allowed Mythos to turn vulnerabilities into exploits without human intervention.

Speaking at the Australian Shareholders Association conference earlier this week, Ms Constant said ASIC did not want to stifle useful uses of AI, but boards had to recognise how quickly the threat was moving.

“Like everyone, we see there’s a lot of exciting promise with AI. The last thing we want is a chilling effect on the application of AI,” she said.

Ms Constant said the regulator was “incident and technology agnostic” when it comes to regulating AI.

“Though Mythos is arguably a game-changer, there might be another entity next month that we’re all talking about,” she said.

“But when it comes to frontier AI, I don’t want to underestimate that it’s absolutely accelerated things.”

Ms Constant warned businesses could no longer afford to look at cyber weaknesses in isolation.

“If you’re sitting around the board table and running a business that’s got these exposures thinking you can look at your issues individually, well now they chain together really quickly and are exploitable in ways you always feared,” she said.

ASIC told firms on Friday to return to the basics: protect critical systems, reduce exposure to untrusted networks, review user access, patch software quickly and test incident response plans.

It also warned insider threats were increasing and said firms should watch for warning signs and restrict access when concerns emerge.

The regulator said boards and executives must be able to show they understand their cyber position and have evidence their controls are working.

That means test results, audit findings, incident reviews and independent checks, rather than broad assurances from management.

“Too often cyber-attacks are successful because known vulnerabilities are exploited,” ASIC said.

ASIC encouraged firms to use AI defensively, including to find vulnerabilities and secure software before it is released, since criminals are already using the technology to automate attacks.

“The time to act is now,” Ms Constant said. “Not by reinventing your approach, but by ensuring the basics are robust, resourced, and working effectively.”
