ASIC Names Mythos in Urgent Cyber Warning to Financial Sector

ASIC has issued an urgent open letter to the financial services industry naming Anthropic's Claude Mythos as a frontier AI threat capable of triggering 'system-wide domino effects', and setting out 12 action steps for firms to strengthen their cyber defences.

By Reza Khalil

ASIC’s open letter to the financial services industry, published 8 May, specifically names Anthropic’s Claude Mythos as the frontier AI model now capable of exposing vulnerabilities at a speed and scale that outstrips most firms’ defensive capabilities. Commissioner Simone Constant signed the 12-point action plan, warning that “the clock is at a minute to midnight.”

“Cyber risk has entered a new era,” Constant wrote in the open letter to Australian financial services licensees and market participants. “The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise.”

Constant told Reuters that the threat was no longer confined to well-resourced adversaries. “The worry is someone in a garage somewhere, not a state-based actor, can bring those things together quickly and weaponise them,” she said.

The letter’s central warning is structural: isolated cyber weaknesses that were once manageable can now cascade into what Constant described as a “system-wide domino effect” when paired with an AI model capable of probing thousands of attack surfaces simultaneously.

ASIC’s 12 action steps cover familiar ground — patch promptly, maintain layered defences, lock down third-party access — but add a new directive: use AI defensively to hunt for vulnerabilities before attackers do. The commission is effectively telling firms they cannot afford to leave AI on only one side of the cybersecurity equation.

The warning arrives with teeth. In February 2026, the Federal Court ordered FIIG Securities to pay $2.5 million — ASIC’s first civil penalty under Australian financial services licence cyber obligations — after a 2023 breach that exposed 385 gigabytes of client data affecting roughly 18,000 clients. The commission cited the FIIG ruling directly in its letter to industry as proof that cyber failures now carry enforceable consequences.

Macquarie Group chief executive Shemara Wikramanayake, whose firm has been stress-testing its systems against frontier AI models, confirmed the speed of discovery is what sets Mythos apart. “You don’t just press a button and find these vulnerabilities and Mythos has found a lot of vulnerabilities that have been there for years in so many things,” she told Reuters. “The risk for the world is if others manage to replicate that before they roll out protection.”

ASIC’s move does not stand alone. On 30 April, the Australian Prudential Regulation Authority issued a parallel letter in which APRA member Therese McCarthy Hockey warned that governance frameworks across banks, insurers and superannuation funds were failing to keep pace with AI adoption. Cambridge Centre for Alternative Finance research cited by Reuters found only two in ten financial regulators reported advanced AI adoption, while financial firms themselves were adopting AI at more than double that rate.

The intervention marks the first time an Australian financial regulator has singled out a specific frontier AI model — Anthropic’s Mythos — by name in a cyber resilience directive, and signals that ASIC intends to treat AI-accelerated cyber risk as a compliance issue, not merely a technology problem.

Reza Khalil

Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.