On 8 May 2026, the Australian Securities and Investments Commission (ASIC) issued an open letter to industry calling on all licensees and market participants to urgently strengthen their cyber resilience measures, as frontier artificial intelligence (AI) intensifies the global cyber risk environment.
The letter emphasises the need for urgent, focused action, reminding industry that cyber resilience must be treated as a core licensing obligation, not simply an IT issue.
Steps to take
ASIC is urging licensees and market participants to take the following steps:
- Reassess cyber plans and refocus efforts on the most critical risks in today’s threat environment.
- Confirm that cyber risk, governance and overall risk and decision-making frameworks consider the cumulative impact of interrelated vulnerabilities and enable clear decision making and escalation at the pace necessary to manage risk.
- Identify and protect critical assets and systems, with a clear understanding of what matters most to the business and customers.
- Strengthen cyber security fundamentals by regularly reviewing and validating core controls.
- Minimise attack surfaces by reducing exposure of systems and services to untrusted networks.
- Regularly review user access and reassess privileges, to protect against unauthorised access. Insider threats are increasing and entities should monitor for warning signs and act to restrict access where concerns are identified.
- Patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation.
- Review and strengthen patch management processes, considering the challenges that daily patching may present for the identification, testing and governance of critical updates.
- Implement layered, defence-in-depth architectures that assume breach and restrict lateral movement.
- Prepare for incident response by maintaining and exercising incident response plans and playbooks, including business continuity plans and the identification of highest-priority services, channels and platforms.
- Actively manage third-party risks, particularly where services introduce concentration or systemic exposure.
- Use AI for defensive purposes, where appropriate, including identifying vulnerabilities and securing software before release.
Governance
ASIC expects boards and senior executives to understand their organisation’s position, ask the right questions, and be able to evidence the basis for their assurance.
This includes:
- Being satisfied that cyber resilience measures are proportionate to the evolving threat environment.
- Ensuring cyber capability is adequately resourced, prioritised and qualified to the standard necessary for the services and risk footprint of your organisation.
- Receiving meaningful reporting on end-to-end control effectiveness, not just activity.
- Overseeing how emerging risks, including those from AI, are being assessed and integrated into risk management frameworks.
Critically, ASIC states that governance should not rely only on assurances. It should be supported by evidence – test results, audit findings, lessons from incidents, and independent validation, supported by appropriate capability and resourcing.
ASIC Commissioner Simone Constant said, ‘Appropriate cyber risk management starts at the leadership of licensees and participants. Boards and executives must ensure systems are tested, weaknesses are addressed early and that action is taken before threats can be exploited.’
ASD
The letter also reminds all ASIC-regulated entities that they should use practical guidance from trusted sources to strengthen their cyber defences, including the Australian Signals Directorate. ASIC also encourages the use of the Australian Government’s free and anonymous Cyber Health Check, which provides a tailored action plan with simple, actionable steps to improve cyber security.