In a release posted today (8 May 2026), ASIC warned that the malicious use of major AI models like Anthropic’s Mythos could lead to a new wave of vulnerability discovery by threat actors, posing greater cyber threats that undermine and cripple the financial sector.
“Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise,” ASIC commissioner Simone Constant said.
“In this new world, weaknesses that once seemed isolated can now have a system-wide domino effect, enabling new forms of exploitation that were previously out of reach for most malicious actors.”
Constant added that action needs to be taken urgently, and reminded the sector that cyber resilience is not just an IT issue, but should be treated as a core licensing obligation.
“Entities need to have robust incident response plans. Whether an entity faces a basic phishing attempt or a more sophisticated cyber attack, the underlying cyber risk management principles of govern, protect, detect, respond remain the same,” she said.
“Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early, and that action is taken before threats can be exploited.
“The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now.”
ASIC has said that financial institutions should reassess cyber plans, ensure that cyber risk, governance and overall risk and decision-making frameworks are appropriate and consider the impact of entities like AI, to strengthen cyber fundamentals within organisations, minimise attack surfaces, patch promptly when vulnerabilities are discovered, regularly review access privileges, identify assets that are the most critical and protect them, prepare relevant incident response, manage third-party entities and access, use AI defensively if appropriate and more.
“These are not new expectations, but the environment in which they must operate has changed,” Constant said.
“Small weaknesses can have serious, cascading consequences. For example, a ‘simple’ phishing email can now more easily provide access to critical platforms or sensitive data, and a weakness that in isolation may be remote from being a conduit for a cyber incident can now more readily be drawn together with other weaknesses into an incident.
“Strengthening the basics is imperative, as they shape the baseline for your overall resilience.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
