ASIC warns brokers to bolster cyber defenses against AI

The Australian Securities and Investments Commission has told brokers and financial firms to improve cybersecurity now, warning that advanced AI models can accelerate the discovery and exploitation of system vulnerabilities. The regulator issued an open letter urging licensees to fix security gaps rather than wait to see how AI threats develop.

ASIC highlighted models such as Claude Mythos as tools that can make isolated weaknesses far more dangerous by speeding up vulnerability discovery and attack techniques. The letter described a shift in cyber risk and called for immediate action on governance, testing and incident response readiness.

ASIC Commissioner Simone Constant wrote that frontier AI has pushed cyber risk into a “new era,” and added that attackers will gain access to techniques once used only by highly skilled groups. She said organisations must have ready-to-go response plans, routine testing and prompt remediation so weaknesses are fixed before they become crises. “The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now,” the letter quoted.

The regulator asked firms to take a technology-neutral, principles-driven approach and ensure top-level management accepts responsibility for cyber resilience. ASIC’s guidance focuses on governance, testing, incident response readiness and clear executive ownership.

The warning followed evidence from broker technology provider Connective that many brokers are adopting AI tools without defensive frameworks. Connective chief executive Glenn Lees told the regulator the broker industry is excited about AI but lacks the strategy, systems and governance needed for safe deployment and urged firms to build those foundations before wider rollout.

The Australian Prudential Regulation Authority has raised similar concerns about banks, saying governance and controls for AI are not keeping pace with rapid adoption. APRA member Therese McCarthy Hockey noted AI can deliver efficiency and better customer service but warned firms must also manage the risks.

ASIC pointed to its recent action against FIIG Securities Limited as an example of regulatory consequences for weak cyber controls. After a 2023 breach that exposed tax file numbers, bank account information and identity documents for about 18,000 clients, a federal court ordered FIIG to pay A$2.5 million in pecuniary penalties and about A$500,000 toward ASIC’s costs. The court also required an independent audit to raise FIIG’s cyber resilience to professional standards. FIIG had admitted its cybersecurity arrangements fell short of obligations under its Australian Financial Services licence and that it had not followed its own policies designed to prevent data leaks.

ASIC Deputy Chair Sarah Court noted licensees must be proactive every day to protect clients and pointed to the FIIG matter as an example of the costs of failing to implement adequate controls. The regulator said firms that fail to adapt governance and controls could face enforcement action, fines and mandatory audits.

Regulators are asking firms to show an organisation-wide approach to cyber risk, including how they assess AI use, monitor external threats and remediate vulnerabilities. ASIC reiterated that basic cyber safety rules still apply even as tools change, and urged immediate remediation of known gaps rather than reliance on future AI defenses.