Regulators and security agencies sound alarm on frontier AI threat
The news: The Council of Financial Regulators (CFR) has warned frontier AI models are compounding risks for Australian institutions, convening briefings from government and an Australian spy agency, just hours after the Five Eyes security alliance issued a similar alert.
What they said: “The council observed that the development of frontier AI models represented a step change in the threat landscape for the financial system, and has intensified cyber risk for financial institutions,” the CFR said in its quarterly statement on Tuesday.
“This has occurred in an environment of already heightened cyber threats, given ongoing technological developments and elevated geopolitical tensions.”
The CFR revealed it had brought in Home Affairs — the agency coordinating between AI lab Anthropic and industry — as well as the Australian Signals Directorate (ASD) for briefings.
They “discussed ways in which CFR agencies and security agencies could strengthen strategic engagement and coordination on incident response, mitigate third party risks and the importance of Australian financial institutions strengthening their cyber defences, including through accelerated patching, reducing attack surfaces and maintaining robust baseline cybersecurity practices”.
The CFR instructed financial institutions to continue building out contingency plans, including “back-up payments arrangements, security controls and communication protocols” to prepare for a crisis.
The context: Council members APRA and ASIC have written to industry over recent weeks, with the prudential regulator telling banks, super funds and insurers their defences are not up to scratch.
Earlier on Tuesday, Five Eyes — the security alliance between Australia, New Zealand, the United States, Canada and the United Kingdom — urged governments and businesses to act immediately to strengthen cyber resilience.
The agencies said frontier AI models are developing faster than expected and will transform both cyber-attack and defence, while the gap between a vulnerability being discovered and exploited is rapidly shrinking.
The statement said cyber risk can no longer be treated solely as a technical issue, adding it should instead be considered a core business risk and leadership responsibility. It urged boards and executives to ensure cyber resilience measures are in place and capable of operating effectively under pressure.
The agencies also encouraged organisations to use AI as a defensive tool, arguing that AI-embedded security operations can identify vulnerabilities earlier, detect unusual activity faster and improve incident response times, reducing both the cost and impact of cyber-attacks.
The joint statement concluded that governments and corporations can no longer treat cybersecurity as an IT issue, warning that cyber resilience is increasingly critical to economic and market confidence.