ASIC warns that AI is no longer a hypothetical security risk. It’s time to get real.

ASIC has warned that AI is already reshaping cyber risk. Here’s what it means for your organisation and the actions you should take now.

When ASIC sends you a letter and advises you to table and discuss it at your ultimate board and risk governance committees, you sit up and take notice.

Their message? Don’t panic, but don’t wait either.


Panic about what? ASIC says now is the time to reinforce your cyber resilience fundamentals, not tomorrow.



So, what’s prompted this call to action?


The cybersecurity industry (Baidam included) continues to assert that AI is changing the cyber threat landscape. And it is. Not hypothetically. Not in the near future. But right in the here and now.


While we’d hope that what the industry has been saying hasn’t fallen on deaf ears, it’s gratifying to have ASIC publicly reinforce our thoughts.


To recap what we’ve (all) been saying: as frontier AI models evolve ever more quickly, they’re also accelerating the ability of bad actors to do more, and to do it more easily. For example, they have access to more sophisticated attacks. They can think big and use AI-enabled attacks at speed and scale. In addition, new forms of exploitation will be available (straight off the shelf) to even the most junior hacker.


And as ASIC has also observed, small weaknesses now have bigger consequences, with attack chains easier to assemble (e.g., phishing + access + escalation), and seemingly minor vulnerabilities able to combine into large-scale incidents.


ASIC has made it clear that a wait-and-see approach won’t cut the cyber mustard, saying, “Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business.”


There’s little ambiguity in that statement.



What does this mean for your organisation?


To quote ASIC, “This [the evolution of frontier AI models] does not mean entirely new categories of risk, but it does mean existing controls are more likely to be tested, more often, and under greater pressure. This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives.”


Which boils down to this: the fundamentals of strong cyber resilience matter now more than ever. To be clear, this doesn’t mean new tools, but:


  • Consistent execution of proven controls

  • Strong governance

  • Adequate resourcing


ASIC says there’s no need to reinvent your approach, but there’s every need to ensure the basics are robust, resourced, and working effectively.



In practical terms, what seven things should you do?


As ASIC says, don’t panic or overreact. But likewise, don’t delay.


Waiting to act only once you can see the threat is the equivalent of waiting until you can see (and snap a photo of) a tsunami before fleeing the beachfront. It’s not a good stay-dry-and-alive strategy.


A good strategy is to focus on urgency, discipline, and accountability while you reinforce your cyber resilience fundamentals. Start with these recommended actions (most of which you’ll carry out in conjunction with your cybersecurity partner):


  1. Do your regular housework to strengthen your cyber fundamentals: Reassess your cyber plans and focus on current, critical risks. Regularly review and validate your core controls. Reduce your attack surfaces and external exposure. And patch systems promptly and step up your patch governance game.

  2. Improve your governance and decision-making: Ensure your cyber risk frameworks account for interconnected vulnerabilities and support rapid escalation and decision-making. Make sure your board understands cyber posture (be prepared to challenge their assumptions), and always rely on evidence, not assurance.

  3. Protect your critical assets: Identify the systems and data that matter most to your organisation, and apply stronger controls to your priority assets.

  4. Strengthen your identity and access controls: Regularly review user access and privileges, monitor for insider threats, and restrict access where needed.

  5. Don’t delay in implementing stronger technical controls: Use defence-in-depth architectures, assume breach, restrict lateral movement, and manage third-party risks actively.

  6. Prepare for and improve your incident response: Maintain and test your incident response plans, playbooks, and business continuity plans. Prioritise rapid response, effective recovery, and the restoration of your critical services.

  7. Fight fire with fire and use AI defensively: Apply AI to identify vulnerabilities and improve your software security.



How about governance expectations?


ASIC has made it abundantly clear that it expects you to demonstrate that your cyber measures are proportionate to risk. It illustrates this with a pointed reference to its recent case against FIIG Securities Ltd, where FIIG’s failure to protect thousands of clients from cyber security threats for more than four years resulted in a court-ordered penalty of $2.5M.


But back to expectations. They include ensuring your teams are adequately resourced and skilled, providing meaningful reporting on control effectiveness, and integrating emerging risks (which obviously includes AI) into your governance frameworks.


Your decisions need to be supported by testing results, audits, incident learnings, and independent validation.

What next?


First, if you ‘didn’t get the memo’ or you ‘filed’ it in error, let us know and we can email you a copy. ‘I didn’t see it’ won’t be the right answer if you are asked about ASIC’s warning missive.

Next, once you’ve tabled and discussed ASIC’s letter at your ultimate board and risk governance committees, if you’d like to review your cyber security basics to ensure they’re up to ASIC’s expectations and guidelines, we’re always happy to chat about improving your approach to defending your technology infrastructure.


In the meantime, ASIC kindly provided these useful links for further information:


https://www.cyber.gov.au/

https://www.cyber.gov.au/about-us/view-all-content/news/frontier-models-and-their-impact-on-cyber-security
