
ASIC demands urgent cyber uplift as frontier AI Mythos accelerates threats

ASIC told every licensee on Friday to urgently strengthen cyber resilience, citing risks from frontier AI such as Anthropic's Claude Mythos. Commissioner Simone Constant said the clock is at 'a minute to midnight'.

By Reza Khalil, 5 min read

The corporate regulator on Friday told every Australian financial-services licensee and market participant to lift cyber defences urgently, naming Anthropic’s withheld Claude Mythos model as the kind of AI now shifting the threat baseline. The Australian Securities and Investments Commission published the open letter to industry under the signature of Commissioner Simone Constant, and instructed regulated entities to table it at their ultimate board and risk governance committees.

Misuse of frontier AI, ASIC said, “could expose cyber security vulnerabilities at an unprecedented speed, scale, and sophistication”. Cyber resilience is a core licensing obligation, the letter said, not an IT issue, and the regulator’s approach is principles-based and model-agnostic.

What ASIC said

Constant did not soften the framing. “Cyber risk has entered a new era,” she said in the release accompanying the letter. “The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise.”

She went further on systemic exposure. Weaknesses that once seemed isolated, she said, “can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors.” On urgency, her closing line was blunter: “The clock is at a minute to midnight. If you aren’t on top of your cyber resilience already, the time to act and prepare is right now.”

Why now: Mythos

ASIC named Anthropic’s Claude Mythos as the kind of model that has shifted the threat landscape. Anthropic withheld the public release of Mythos this year on cyber-security grounds. The lab said in its own withholding statement, as reported by Insurance News Australia, that AI models have reached “a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities”. Internal red-team runs of Mythos surfaced thousands of high-severity vulnerabilities across major operating systems and web browsers, Anthropic has said.

That capability is what ASIC’s letter pivots on. A model that can scan codebases for unpatched flaws faster than any human team narrows the window between vulnerability disclosure and exploitation. ASIC’s open letter is in effect a regulatory acknowledgment that the standard set by the FIIG Securities precedent, in which the regulator won a court finding that cyber controls must be demonstrably effective and proportionate to the business, now has to be met under much tighter time pressure.

What ASIC wants entities to do

The letter sets out twelve concrete steps and tells boards to action all of them. Entities should reassess their cyber plans against the current threat environment, make sure governance frameworks treat interrelated vulnerabilities as cumulative rather than isolated, and identify the critical assets and systems that matter most to the business and its customers. Core controls should be reviewed and validated regularly, attack surfaces minimised by cutting exposure of systems and services to untrusted networks, and user access and privileges reviewed often enough to spot insider threats early.

On patching, the letter is direct. Patch promptly. Strengthen patch-management processes for daily-cadence work. Recognise that AI is now accelerating both vulnerability discovery and exploitation. ASIC also told entities to architect for defence in depth and assume breach, exercise incident response and business continuity playbooks, actively manage third-party concentration risk, and use AI for defensive work too, including vulnerability discovery and pre-release software hardening.

Constant’s framing across all twelve was that the underlying principles, “govern, protect, detect, respond”, do not change. What changes is the speed and the scale at which a missed control becomes an exploited control.

Reach into the boards

ASIC’s instruction that the letter be tabled at boards and risk governance committees is the lever that gives the action teeth. Board minutes that show the document was not received and considered will be a regulatory finding waiting to happen if a cyber incident follows.

“Appropriate cyber risk management starts at the leadership of licensees and participants,” Constant said. “Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.”

ASIC pointed entities at guidance from the Australian Signals Directorate and the Australian Cyber Security Centre, and at the federal government’s free Cyber Health Check. The regulator said it would continue to work with global peer regulators to monitor AI-related vulnerabilities in the local market.

Wider AU AI policy week

The letter lands in a busy week for AI policy in Australia. The National AI Centre on Friday launched AI.gov.au, the federal government’s consolidated AI guidance portal aimed at SMEs and not-for-profits. The Australian Prudential Regulation Authority earlier in the week wrote to mortgage brokers about AI-driven fraud detection and the consumer protections required when banks deploy fraud agents at scale, which digitalblog covered when APRA flagged the CBA fraud-detection rollout.

Read together, the three letters show the federal regulator stack lifting cyber and AI expectations across enterprise IT, consumer banking, and frontier-model risk within the same five-day window.

For ASIC-regulated entities, the practical question is now whether incident response plans and patch cycles can hold up against a threat actor armed with model capabilities that, by Anthropic’s own account, can outperform expert human security researchers on coding-flaw discovery. Constant’s “minute to midnight” framing suggests ASIC’s answer is: not yet, in many cases.

Sources

Reporting drew on the ASIC media release 26-092MR and the open letter to industry it published, the Insurance News Australia coverage on the Anthropic Mythos withholding, and Reuters and MLex wire reporting on the regulator’s call for urgent action.

Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.