The Australian Securities and Investments Commission warns finance sector over AI cyber risks

Australia’s corporate regulator has urged the financial sector to move faster on cyber risk controls as frontier AI systems such as Mythos raise new threats for banks, insurers, brokers, and other financial firms.

The Australian Securities and Investments Commission published a letter to the financial services industry on Friday, warning that cybersecurity practices need stronger safeguards as AI capabilities advance.

ASIC Commissioner Simone Constant said preparedness across Australian financial services organisations varies widely. She said firms need to keep pace with rapid changes in frontier AI, rather than relying on slower risk review cycles.

Constant told Reuters that ASIC has long expected firms to examine their end-to-end risk profile, including aggregate risks and vulnerabilities. Risks that once fit a 12-month planning horizon might emerge far faster.

She said ASIC worries about a scenario where an individual, not a state-backed actor, gathers available tools quickly and weaponises them.

Macquarie chief executive Shemara Wikramanayake said the bank is running substantial technology programmes to test potential exposure to frontier AI models.

She said firms do not simply press a button and locate every weakness. Mythos has identified many vulnerabilities that had existed for years across systems. The global risk, she said, is that other actors replicate those capabilities before protections are deployed.

Anthropic has launched Claude Mythos Preview under Project Glasswing, a restricted-access programme involving major technology companies including Amazon, Microsoft, Nvidia, and Apple.

Wikramanayake said Anthropic is working with some of the world’s largest companies to test Mythos, but large businesses outside Project Glasswing have to work through their own systems and patch exposed areas themselves.

The concern centres on Mythos’ advanced coding capabilities. Experts have warned that those capabilities give the system unusual strength in finding cybersecurity vulnerabilities, which raises both defensive and offensive risk.

Anthropic did not immediately respond to a request for comment on ASIC’s letter. ASIC’s warning follows a similar concern from Australia’s banking regulator last month. That regulator said the domestic financial services industry’s information security practices were struggling to match the speed of AI change.

Constant said the clock is close to midnight. Financial firms that have not already built cyber resilience need to act now and prepare.

According to Beinsure analysts, the issue matters for insurers because frontier AI changes both the frequency and severity assumptions behind cyber risk. Faster vulnerability discovery, automated exploitation, and weaker control maturity all feed into underwriting, aggregation, claims, and reinsurance decisions.

The warning also raises questions about whether central banks and financial regulators have enough capability to monitor AI-driven risks. A survey from the Cambridge Centre for Alternative Finance found authorities trail financial firms in AI adoption and lack enough data on emerging harms.

The April research found financial institutions are adopting AI at more than twice the rate of their supervisors. Only two in 10 watchdogs reported advanced AI adoption.

For Australian financial firms, the message is direct: assess exposed systems, test defences against frontier AI models, patch old vulnerabilities, and tighten governance before attackers move faster than boards and regulators.