Regulatory Response · ASIC 26-092MR

ASIC's cyber letter to AFS licensees: the practical response.

On 8 May 2026 ASIC Commissioner Simone Constant issued an open letter (reference 26-092MR) to AFS licensees, market participants and their directors. The headline is frontier artificial intelligence and its effect on the cyber threat environment. The substance is a 12-point action list, four governance expectations directed at boards, and an instruction that the letter itself be tabled and discussed at the ultimate board and risk governance committees.

The letter is unusually direct. ASIC tells regulated entities to "act now, and act with discipline" and warns that small weaknesses, in this environment, can have "serious, cascading consequences". It does not call for novel tools. It calls for evidence that the fundamentals are robust, resourced and working.

This guide translates the letter into a practical response for AFS licensees and market participants. It is written by practitioners who hold ISO 27001 certification, advise APRA-regulated entities, and routinely sit on the same side of the table as boards being asked the questions ASIC is now asking.

01 / What ASIC said, in 60 seconds

The frontier-AI threat is here now, the cyber fundamentals must be evidenced, and the board owns it.

Commissioner Constant's letter does three things at once. It tells AFS licensees and market participants that frontier AI is materially changing the threat environment, not by creating new risks but by intensifying existing ones. It re-asserts that the legal standard for cyber risk management is proportionality to the size, nature and complexity of the business, anchored in the recent FIIG Securities judgment. And it puts accountable individuals on notice that boards and senior executives are expected to be able to evidence their cyber position, not merely assert it.

"ASIC's message is straightforward: do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business."

Simone Constant, ASIC Commissioner · Open letter 26-092MR, 8 May 2026

The instruction that follows the headline is explicit. The letter is to be tabled and discussed at the ultimate board and risk governance committees. ASIC does not ask for a written response, but the letter is now a regulatory artefact. The next time ASIC engages with your entity, on a licence review, a supervisory visit, a breach notification, or an enforcement matter, your response to 26-092MR is part of the record.

What ASIC is not asking for is novelty. The letter explicitly states "these are not new expectations". What has changed is the environment they operate in, and the regulator's tolerance for entities that cannot evidence consistent execution of well-established controls.

02 / The FIIG Securities anchor

The first Australian court-tested standard for proportionate cyber risk management.

ASIC's letter cites its own enforcement action against FIIG Securities (26-021MR) as the legal benchmark for cyber risk management going forward. This is the first time an Australian court has applied a specific cyber-risk test to an AFS licensee, and the court's framing is now the framing ASIC will use.

Cyber risk management "must be demonstrably effective and proportionate to the size, nature and complexity of a business".

Court judgment, ASIC v FIIG Securities Limited · cited in 26-092MR

Three words in that sentence carry the weight of the new standard. Demonstrably: assertions and self-assessments are insufficient; the entity must be able to show, with evidence, that controls are operating. Effective: controls must achieve their intended risk reduction, not just exist on paper. Proportionate: the test is calibrated to the entity's size, nature and complexity, not a uniform industry standard.

The practical effect for AFS licensees and market participants is that "we have policies" is not a defence. The bar is whether your information security programme is demonstrably effective and proportionate, and whether you can produce the artefacts that prove it. For larger entities, that means richer evidence of independent testing, third-party assurance, board-level oversight, and incident readiness. For smaller entities, the standard is not lower in principle, but the depth of evidence is proportionate to their footprint.

This is also the doctrine that underwrites the rest of the ASIC letter. Every one of the 12 actions and four governance expectations sits inside the FIIG frame. The question ASIC will ask, when it next engages with your entity, is not "did you do X" but "can you demonstrate that X is effective and proportionate to your business".

03 / The 12 actions, translated

What ASIC wants entities to do now, with the practitioner translation.

The letter sets out twelve specific actions for entities to take. The actions are reproduced verbatim here, alongside the practical translation: what the action looks like when implemented in a way that a regulator, a court, or an auditor would accept as evidence.

01
Reassess your cyber plans against today's threats
"Reassess your cyber plans and refocus efforts on the most critical risks in today's threat environment."
Practitioner translation
If your strategy or roadmap predates the publication of this letter, you should be able to evidence a documented review against the current threat environment, including the AI-accelerated shifts ASIC calls out. Re-baseline the plan, do not just restate the previous one. Expect to be asked when this review occurred and what changed.
02
Confirm risk and governance frameworks handle interrelated vulnerabilities
"Confirm your cyber risk, governance and overall risk and decision-making frameworks consider the cumulative impact of interrelated vulnerabilities and facilitate clear decision making and escalation at the pace necessary to manage risk."
Practitioner translation
Most risk registers treat vulnerabilities as discrete items. ASIC is explicitly warning that this is no longer adequate. Frameworks must consider cumulative impact and combinatorial risk, where two or three "low" issues compound into a high one. Decision-making and escalation must operate at the pace of the threat, not the calendar of the next risk committee.
03
Identify and protect critical assets and systems
"Identify and protect critical assets and systems, with a clear understanding of what matters most to your business and customers."
Practitioner translation
A current, accurate, classified asset register is the foundation. APRA's tripartite findings showed this is where many entities fail first; ASIC has now put the same expectation on entities outside APRA's perimeter. An asset register that has not been refreshed in twelve months is a finding waiting to happen.
04
Strengthen cyber security fundamentals through regular validation
"Strengthen cyber security fundamentals by regularly reviewing and validating core controls."
Practitioner translation
"Validating" is the load-bearing word. Reviews are insufficient; controls must be tested. That means independent control testing on a defined cadence, not annual sampling. For AFS licensees, this maps cleanly onto Essential Eight maturity assessments and ISO 27001 internal audit. The output is evidence, not a tick-box.
05
Minimise attack surfaces and exposure to untrusted networks
"Minimise attack surfaces by reducing exposure of systems and services to untrusted networks."
Practitioner translation
Cloud sprawl, legacy systems exposed to the internet, and unmonitored remote access are the typical findings here. Conduct an external attack-surface assessment and act on the results. ASIC will not accept "we have a firewall" as a substitute for documented exposure reduction.
06
Review user access and reassess privileges, including insider threats
"Regularly review user access and reassess privileges, to protect against unauthorised access. Insider threats are increasing and entities should monitor for warning signs and act to restrict access where concerns are identified."
Practitioner translation
Privileged access management is the highest-leverage area. Identity is the new perimeter; orphan accounts, over-permissioned service accounts, and stale federated trust relationships are common failure modes. The explicit reference to insider threats matters: access reviews must consider behavioural signals, not only entitlements.
07
Patch promptly, recognising AI accelerates exploitation
"Patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation."
Practitioner translation
The shift here is the time available between disclosure and exploitation. Patch SLAs calibrated to 30-day cycles are no longer defensible for internet-exposed or business-critical systems. Set a tighter SLA for critical patches and track adherence, not intent. Expect to be asked for actual patch-cycle metrics in your next review.
08
Strengthen patch management processes for higher cadence
"Review and strengthen patch management processes, considering challenges daily patching may present to identification, testing, and governance of critical updates."
Practitioner translation
If you increase patch cadence without strengthening testing and governance, you will break production. ASIC is acknowledging this and asking for process maturity, not panic. Implement automated identification, staged testing, and clear governance for emergency patches, with documented rollback paths.
09
Implement layered, defence-in-depth architecture
"Implement layered, defence-in-depth architectures that assume breach and restrict lateral movement."
Practitioner translation
"Assume breach" is the doctrine. Architecturally, this means segmentation, micro-segmentation where warranted, identity-based controls between zones, and detection logic for lateral movement. A flat network with perimeter controls is no longer an acceptable architecture for an AFS licensee. A security architecture review against zero-trust principles is the fastest way to evidence progress here.
10
Prepare for incident response through exercised plans
"Prepare for incident response by maintaining and exercising incident response plans and playbooks including business continuity plans and identification of highest priority services, channels and platforms."
Practitioner translation
An untested plan is not a plan; it is a document. Tabletop exercises and breach simulations must be scheduled, executed, and the lessons captured in updated playbooks. Critical services must be identified with reference to customer impact, not internal organisational structure. If your plan has not been exercised in the last twelve months, it has aged out.
11
Actively manage third-party and concentration risk
"Actively manage third-party risks, particularly where services introduce concentration or systemic exposure."
Practitioner translation
Vendor security attestations alone are insufficient. ASIC is calling out concentration risk explicitly, where multiple critical services depend on a single provider or platform. Map your fourth-party dependencies, not only the direct suppliers. Third-party assurance evidence must be current and specific to the services in scope, not generic SOC 2 reports.
12
Use AI defensively, including in software development
"Use AI for defensive purposes, where appropriate, including identifying vulnerabilities and securing software before release."
Practitioner translation
ASIC is explicitly endorsing defensive AI use. The expectation is that entities are not just protecting against AI-enabled threats but using AI in the defensive stack where it materially improves outcomes: vulnerability identification, code review, log analysis, threat intelligence triage. Adoption should be governed and assessed, in line with secure AI adoption practice.
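Action 07 asks for patch-cycle adherence to be tracked and reported as a metric rather than an intention. The following is an added example, not code from the letter or from Cliffside, of how such a metric can be computed from patch records: each record is measured from disclosure to patch against a tiered SLA, open items breach once their clock runs out, and the result is the kind of effectiveness figure (not activity count) a board paper can carry. The SLA values and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Illustrative SLA tiers in days (an assumption for this example; set your own).
# Keyed by (severity, exposed), where "exposed" means internet-facing or
# business-critical, the systems for which a 30-day cycle is no longer defensible.
SLA_DAYS = {
    ("critical", True): 3,
    ("critical", False): 14,
    ("high", True): 7,
    ("high", False): 30,
}

@dataclass
class PatchRecord:
    asset: str
    severity: str            # "critical" or "high"
    internet_exposed: bool
    business_critical: bool
    disclosed: date          # vendor advisory / disclosure date
    patched: Optional[date]  # None while still unpatched

    @property
    def exposed(self) -> bool:
        return self.internet_exposed or self.business_critical

    @property
    def sla_days(self) -> int:
        return SLA_DAYS[(self.severity, self.exposed)]

    def status(self, as_of: date) -> str:
        """Classify the record against its SLA as of the reporting date."""
        if self.patched is not None:
            late = (self.patched - self.disclosed).days > self.sla_days
            return "breached" if late else "met"
        # Still open: counts as a breach only once the SLA clock has expired.
        return "breached" if (as_of - self.disclosed).days > self.sla_days else "pending"

def adherence_report(records, as_of):
    """Per-tier adherence = met / (met + breached). Pending items are reported but
    not counted, so leaving items open cannot inflate the percentage."""
    tiers = {}
    for r in records:
        key = (r.severity, "exposed" if r.exposed else "internal")
        t = tiers.setdefault(key, {"met": 0, "breached": 0, "pending": 0, "days": []})
        t[r.status(as_of)] += 1
        if r.patched is not None:
            t["days"].append((r.patched - r.disclosed).days)
    report = {}
    for key, t in tiers.items():
        closed = t["met"] + t["breached"]
        report[key] = {
            "met": t["met"], "breached": t["breached"], "pending": t["pending"],
            "adherence_pct": round(100 * t["met"] / closed, 1) if closed else None,
            "median_days_to_patch": median(t["days"]) if t["days"] else None,
            "max_days_to_patch": max(t["days"]) if t["days"] else None,
        }
    return report

# Constructed sample records, not taken from any real environment.
AS_OF = date(2026, 6, 1)
SAMPLE = [
    PatchRecord("edge-vpn-01", "critical", True, True, date(2026, 5, 10), date(2026, 5, 12)),
    PatchRecord("web-portal", "critical", True, False, date(2026, 5, 14), date(2026, 5, 20)),
    PatchRecord("core-ledger", "critical", False, True, date(2026, 5, 30), None),
    PatchRecord("hr-intranet", "critical", False, False, date(2026, 5, 1), date(2026, 5, 12)),
    PatchRecord("file-share", "high", False, False, date(2026, 4, 15), None),
    PatchRecord("mail-gateway", "high", True, False, date(2026, 5, 20), date(2026, 5, 26)),
    PatchRecord("print-server", "high", False, False, date(2026, 5, 5), date(2026, 5, 30)),
]

if __name__ == "__main__":
    for tier, m in sorted(adherence_report(SAMPLE, AS_OF).items()):
        print(tier, m)
```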

None of these actions is novel in isolation. What is new is the cumulative weight: ASIC is telling AFS licensees that the regulator now expects evidence of all twelve, calibrated to the entity's size, nature and complexity, and presented to the board with appropriate challenge. The cost of inaction is no longer hypothetical. The FIIG judgment, the imminent enforcement programme, and the explicit linkage of these actions to board accountability set the new floor.

04 / The four governance expectations

What ASIC expects from boards and senior executives, in practice.

The letter sets four governance expectations directed at boards and senior executives. These are the questions a director should be able to answer with evidence at any board meeting from May 2026 onwards.

Expectation 01
Proportionate to the evolving threat
Boards must be "satisfied that cyber resilience measures are proportionate to the evolving threat environment". The board paper must show how the entity's controls have been recalibrated against the current threat landscape, not the threat picture from the last strategy refresh. Evidence: documented threat assessment, mapped to controls, dated in the last twelve months.
Expectation 02
Adequately resourced and qualified
Cyber capability must be "adequately resourced, prioritised and qualified to the standard necessary for the services and risk footprint of your organisation". Boards should be able to evidence sufficient internal headcount, qualifications, and budget, and where capability is sourced externally, the qualifications and oversight of the providers. Evidence: capability assessment, vendor governance pack, board-approved budget.
Expectation 03
End-to-end control reporting
Boards must receive "meaningful reporting on end-to-end control effectiveness, not just activity". This is the single most under-served expectation in our experience. Dashboards full of activity metrics (tickets closed, scans run) do not evidence control effectiveness. Evidence: reporting that shows control coverage, control effectiveness, and residual risk by domain, signed off by independent assurance.
Expectation 04
Oversight of emerging risk, including AI
Boards must oversee "how emerging risks, including those from AI, are being assessed and integrated into risk management frameworks". This is a positive obligation on the board itself; it cannot be delegated to a working group. Evidence: board minutes recording active challenge of management's AI risk position, with reference to defensive use and supply-chain exposure.

"Governance should not rely only on assurances. It should be supported by evidence: test results, audit findings, lessons from incidents, and independent validation, supported by appropriate capability and resourcing."

26-092MR, governance and accountability section

The phrase "evidence, not assurances" is the line directors should commit to memory. ASIC is signalling that the next supervisory question will not be "are you satisfied with cyber" but "what evidence supports your satisfaction". The answers that survive scrutiny are those grounded in independent testing, audit findings, real incident lessons (including near-misses), and assurance from external specialists who have no incentive to report green.

05 / Frontier AI: where it actually shifts the threat model

The headline is AI. The substance is the speed and scale of pressure on existing controls.

ASIC is careful with its framing on AI. The letter is explicit that frontier AI does not create entirely new categories of risk. It does, however, mean existing controls "are more likely to be tested, more often, and under greater pressure". For practitioners, the useful exercise is to identify which existing controls are most affected and by how much.

Control area · How frontier AI shifts the pressure · What changes in practice

  • Phishing and social engineering. Shift: content quality, personalisation and language fluency now match native-speaker quality, and voice and video deepfakes are within reach of low-skill actors. In practice: awareness training must move past "look for poor English", and verification protocols for unusual financial requests must be technical, not behavioural.
  • Vulnerability discovery. Shift: time-to-exploit on disclosed vulnerabilities is collapsing, and AI-assisted exploitation lowers the skill floor for attackers. In practice: patch SLAs need to compress for internet-exposed and business-critical systems; expect a window of hours-to-days, not weeks, for critical patches.
  • Lateral movement and post-exploitation. Shift: AI lowers the cost of mapping internal environments, identifying high-value targets, and chaining low-severity weaknesses. In practice: segmentation, identity controls, and detection logic for lateral movement become higher leverage; a flat network is a higher-cost design than it was.
  • Shadow AI and data exposure. Shift: staff using public AI tools without governance expose sensitive data into systems the entity does not control. In practice: acceptable use policy, sanctioned tooling, and DLP controls for AI prompts; train staff on what cannot leave the corporate boundary.
  • Supply-chain AI risk. Shift: vendors are embedding AI into their products, and the entity inherits the AI risk of every supplier that uses AI to deliver the service. In practice: third-party assurance questionnaires must be updated to ask explicitly about AI use, model providers, data flows, and human-in-the-loop controls.

Importantly, the letter also endorses defensive AI use. Cliffside has documented its position on this in the secure-AI-adoption guidance: AI in the defensive stack is appropriate where it materially improves outcomes, is governed by a documented risk-based approach, and is subject to the same control testing as any other security capability. The board test ASIC will apply is whether the entity is aware of, governing, and where appropriate using AI on both sides of the equation.

06 / What to do this quarter

A pragmatic sequencing of the response, designed for a Q3 2026 board cycle.

The letter is dated 8 May 2026. Most boards will table it at the next ultimate board or risk governance committee meeting, typically within four to six weeks. The right work, sequenced honestly, looks like this.

  • Week 1. Table the letter at the next board meeting alongside a one-page management response that maps the 12 actions and four governance expectations to the entity's current state. Be honest about gaps; do not green-wash.
  • Weeks 2 to 4. Commission an independent assessment against the 12 actions, calibrated to your size and complexity. Cliffside calls this a Lighthouse Assessment; the principle is the same regardless of provider. The output is a transferable evidence pack the board can rely on at the next meeting.
  • Weeks 4 to 8. Refresh the asset register, exercise the incident response plan, and complete a privileged-access review. These are the three actions with the highest probability of being asked about in any subsequent regulatory interaction.
  • Weeks 8 to 12. Update board reporting to evidence end-to-end control effectiveness, not activity. Replace red-amber-green dashboards with control-coverage and effectiveness scoring, signed off by independent assurance.
  • Continuous from week 12. Embed quarterly evidence cycles: control testing, third-party assurance refresh, threat-environment recalibration, and AI-risk position statement. Make the response to 26-092MR a programme, not an event.

The risk to manage is over-reaction as much as under-reaction. ASIC is explicit that this is "not calling for panic or reactive overreach". A board that approves a large novel tool spend in response to the letter, without first evidencing fundamentals, is responding to the wrong signal. The fundamentals are the work.

07 / How Cliffside helps

Independent, evidence-led response work for AFS licensees and market participants.

Cliffside has worked with APRA-regulated and ASIC-regulated entities since 2014. We are ISO 27001 certified, hold Microsoft Partner status, and our practitioners are CREST and OSCP qualified on the offensive side and SABSA, CISSP and ISO 27001 Lead Auditor qualified on the defensive side. We do not sell software; we sell judgement.

  • 26-092MR readiness assessment. An independent assessment against the 12 actions and four governance expectations, calibrated to your size and complexity, producing a transferable evidence pack for the board.
  • Security architecture review. Assume-breach assessment against your current network, identity, cloud, endpoint and detection architecture, with a risk-ranked remediation roadmap. Direct fit for actions 5, 6 and 9.
  • Security governance build. Board reporting, risk frameworks, and policy uplift that evidences control effectiveness rather than activity. Direct fit for the four governance expectations.
  • Tabletop exercises and breach simulations. Scenario-based incident response exercising, with realistic AI-enabled threat injects. Direct fit for action 10.
  • Third-party risk assessment. Vendor and concentration risk programme design and execution, including fourth-party mapping. Direct fit for action 11.
  • Penetration testing and red team. Independent control testing, including AI-system testing for entities adopting defensive or productive AI. Direct fit for actions 4 and 12.
  • Virtual CISO. Senior security leadership available on a fractional basis, where the entity needs continuous board-level engagement without a full-time hire. Direct fit for the governance expectations as an ongoing capability.

Our engagement model is assessment-first. We start with a free consultation, scope the work to your actual position, and deliver transferable outputs you can use with our team, take to a competing provider, or present to ASIC. There is no lock-in. There are no margin-driven tool recommendations. The advice you receive is the advice we would give if your business depended on it, because, for our regulated clients, it does.

ASIC 26-092MR · Evidence, not assurances.

The Cliffside 26-092MR readiness assessment delivers an independently verified position against ASIC's 12 actions and four governance expectations, calibrated to the size, nature and complexity of your business. The output is a transferable evidence pack your board can rely on at the next meeting and your supervisory team can rely on at the next interaction.

What you get
  • Independent assessment against ASIC's 12 actions, calibrated to your business
  • Position statement against the four governance expectations, evidenced
  • Frontier-AI threat assessment mapped to your existing controls
  • Third-party concentration risk review against action 11
  • Board paper ready for tabling at the next risk governance committee
  • Transferable report, yours to share with auditors, ASIC, or a competing provider