Australia warns financial firms frontier AI could raise cyber risk sharply

Australia’s corporate regulator has told banks, insurers and funds not to wait for perfect AI rules before hardening their cyber defenses, warning that frontier models could help attackers find weaknesses faster than many firms can fix them.

The Australian Securities and Investments Commission sent an open letter to the financial services industry urging urgent action on cyber resilience, with commissioner Simone Constant saying cyber risk has entered a new era. Constant said frontier AI models create opportunity but also materially increase risk because they can expose vulnerabilities faster than many realize, and she pressed firms to focus on the fundamentals of resilience rather than delay action until more evidence arrives.

That warning is aimed squarely at boards and chief executives, not just technology teams. ASIC said cyber risk management must be demonstrably effective and proportionate to the size, nature and complexity of a business, and that cyber resilience should be treated as a core licensing obligation, not simply an IT issue. Constant said the clock is “at a minute to midnight” for organizations that are not on top of resilience already.

The regulator’s intervention comes as frontier AI systems move closer to the kind of code-heavy work that can matter most in financial services. Anthropic has launched Claude Mythos Preview under its restricted Project Glasswing access program, which the company says is meant to secure critical software for the AI era. Launch partners listed for the program include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks and the Linux Foundation.

The broader supervisory concern is that firms are adopting AI far faster than regulators can fully match. A Cambridge Centre for Alternative Finance study found 81% of surveyed financial-services firms are using AI at some level, while 40% report advanced adoption. Only 20% of regulators said the same. Just 14% of industry respondents said AI was transformational to organizational strategy and competitive advantage, underscoring how quickly the technology is spreading even before many firms have fully mapped its risks.

Australia’s prudential regulator raised a similar alarm on April 30, saying governance, risk management, assurance and operational resilience practices were not keeping pace with AI adoption. Its targeted review, conducted late last year across all regulated industries, found AI use accelerating across banks, insurers and superannuation trustees while governance had not matured at the same pace. APRA also warned that some entities are becoming heavily dependent on a single AI provider, creating concentration risk.

ASIC’s warning lands against a tougher enforcement backdrop. On February 9, 2026, the regulator won a $2.5 million civil penalty against FIIG Securities Limited after the firm failed to protect thousands of clients from cyber security threats for more than four years. Taken together, the two regulators are signaling that AI is no longer a distant policy problem. In Australian finance, cyber readiness is becoming a live test of board competence now.