ASIC calls for stronger cyber resilience amid AI-accelerated threats

'Do not wait for perfect clarity to address the threat posed by new AI models'

The Australian Securities and Investments Commission (ASIC) is urging employers to strengthen their cybersecurity measures amid the greater threat of cyber attacks driven by artificial intelligence tools.

ASIC Commissioner Simone Constant wrote to licensees and directors warning that frontier AI models are increasing the speed and scale of cyber attacks, as attack capability grows both in power and in accessibility.

"ASIC's message is straightforward: do not wait for perfect clarity to address the threat posed by new AI models," Constant said in the letter.

"Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business."

ASIC also recommended various measures that employers can take to strengthen their cyber resilience. They include:

  • Reassessing cyber plans and refocusing efforts on the most critical risks
  • Confirming an organisation's cyber risk, governance, and overall risk and decision-making frameworks
  • Identifying and protecting critical assets and systems
  • Strengthening cybersecurity fundamentals by reviewing and validating core controls
  • Minimising attack surfaces
  • Regularly reviewing user access and reassessing privileges
  • Patching systems promptly
  • Reviewing and strengthening patch management processes
  • Implementing layered, defence-in-depth architectures
  • Preparing for incident response
  • Actively managing third-party risks
  • Using AI for defensive purposes, where appropriate

"These are not new expectations, but the environment in which they must operate has changed. Small weaknesses can have serious, cascading consequences," Constant told employers.

Role of boards, senior executives

Meanwhile, the commissioner also told boards and senior executives that they are expected to understand their organisation's position as a core part of their obligations as a licensee and a market participant.

They are also expected to ask the right questions and be able to evidence the basis of their assurance. This means:

  • Being satisfied that cyber resilience measures are proportionate to the evolving threat environment
  • Ensuring cyber capability is adequately resourced, prioritised, and qualified to the standard necessary for the services
  • Receiving meaningful reporting on end-to-end control effectiveness
  • Overseeing how emerging risks are being assessed and integrated into risk management frameworks

"Governance should not rely only on assurances. It should be supported by evidence - test results, audit findings, lessons from incidents, and independent validation, supported by appropriate capability and resourcing," Constant said.

The letter from ASIC comes after FIIG Securities Limited was recently ordered to pay $2.5 million in pecuniary penalties for failing to protect thousands of clients from cyber security threats for more than four years.

The case, brought by ASIC, marks the first time the Federal Court has imposed civil penalties for cybersecurity failures under the general AFS licensee obligations.

"Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited," Constant said in a separate statement.

"The clock is at a minute to midnight – if you aren't on top of your cyber resilience already, the time to act and prepare is right now."