ASIC pushes brokers to boost cyber defenses against frontier AI risks

The Australian Securities and Investments Commission (ASIC) warns financial firms and market participants to step up cybersecurity protections as artificial intelligence continues to amplify cyber threats globally.

It maintained that, while cyber threats have always been a concern, sophisticated AI tools like Claude Mythos could dramatically accelerate the discovery and exploitation of vulnerabilities. 

In an open letter, the regulator advised companies to secure their systems against AI-accelerated risks now rather than depend on future AI tools. Primarily, it advocated a technology-neutral, principles-driven approach to the urgently needed cyber upgrades.

What does the ASIC expect from licensees across the country?

Frontier AI has pushed cyber risk into a “new era,” cautioned ASIC Commissioner Simone Constant. She noted that, despite the potential perks of advanced AI models, they can still exploit vulnerabilities much faster than most anticipate.

That means isolated gaps can now cause a total system collapse, with average attackers gaining access to high-level hacking techniques. 

This communication follows evidence from Connective that brokers are integrating AI tools without the necessary defensive frameworks. Connective chief executive Glenn Lees contended that the broker industry is currently buzzing with AI excitement but lacks the structure needed for secure, steady deployment.

Nonetheless, he urged brokers to build a solid foundation of strategy, systems, and governance, asserting that this is probably the only way to make AI adoption work. 

ASIC’s open letter also asked licensees to address their security gaps now, rather than waiting to see how AI threats evolve. Constant explained that a ready-to-go response plan is essential, since the basic rules of cyber safety don’t change just because the technology does.

She added that top-level management must take ownership, ensuring that rigorous testing and early remediation happen well before a threat becomes a crisis. 

She further commented, “The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now.”

Additionally, aside from the ASIC, the Australian Prudential Regulation Authority (APRA) cautioned banks that their governance and control measures for artificial intelligence are lagging behind the rapid expansion of AI tools. 

APRA member Therese McCarthy Hockey stated: “The AI revolution presents tremendous opportunities for banks, insurers, and superannuation trustees to deliver improved efficiency and enhanced customer services. But we cannot be blind to the risks of such powerful technology.”

ASIC took action against FIIG Securities

The ASIC recently moved against Australian fixed-income specialist FIIG Securities Limited (FIIG) for failing to implement proper cyber safeguards for its massive client base for years. Consequently, the firm was directed to pay pecuniary penalties totaling $2.5 million and about $500,000 towards ASIC’s costs. 

Reportedly, FIIG’s security weaknesses played a role in the scale of a 2023 cyber breach that exposed confidential data, including tax file numbers, bank account details, and identification documents. About 18,000 clients received notice that their sensitive personal details may have been leaked.

At the time, the FIIG even conceded that its cybersecurity arrangements were inadequate under its Australian Financial Services (AFS) license requirements and that better safeguards may have reduced the impact of the breach. By their own admission, the company also failed to follow its own policies designed to prevent exactly this kind of data leak. 

The Federal Court also mandated an independent audit to bring its cyber resilience up to a professional standard. 

Following the case’s outcome, ASIC Deputy Chair Sarah Court even commented, saying, “ASIC expects financial services licensees to be on the front foot every day to protect their clients. FIIG wasn’t – and they put thousands of clients at risk. In this case, the consequences far exceeded what it would have cost FIIG to implement adequate controls in the first place.”

If you're reading this, you’re already ahead. Stay there with our newsletter.