Practical insights for boards and management
Valeska and co-host Kate Austin are joined by ASIC Commissioner Simone Constant, author of ASIC's open letter calling for urgent cyber uplift as frontier AI accelerates cyber threats.
Simone shares what’s driving the regulator’s heightened concern, how organisations should assess what measures are 'reasonable' and 'proportionate', and ASIC’s expectations for meaningful board engagement when developments are occurring at pace. She also reflects on proposed changes to Australia's market disclosure requirements and discusses the challenges facing multinational organisations with offshore cyber functions. This episode offers practical insights for boards and management alike.
The Cyber Brief is a podcast for decision-makers in cyber. Through candid conversations with the industry's best, The Cyber Brief delivers executive-level insights on cyber risk, best-practice governance and emerging threats. Leaders in the field share practical insights, real-world stories and actionable advice for boards, executives and cyber professionals.
Episode eight: A minute to midnight: ASIC Commissioner Simone Constant on cyber risk and enforcement in the age of frontier AI
Valeska: Welcome to The Cyber Brief, the podcast for decision makers in cyber. Through candid conversations with the industry's best, we bring you executive-level insights on cyber risk, best practice governance, and emerging threats. We've advised on some of the world's most complex cyber incidents, and we know what it's like in the trenches. We're asking the experts for their unfiltered truths and best advice on what executives, boards, and cyber professionals should be doing now to stay ahead. Australia's securities regulator, ASIC, has been Australia's most active regulator in taking action against organisations in the courts for alleged cyber risk management failures. In this episode, we speak with Simone Constant, the ASIC Commissioner leading ASIC's work on cyber, amongst other things. We sat down with Simone shortly after ASIC published an open letter to industry calling for urgent cyber uplift as AI accelerates cyber threats. In that letter, Simone asks organisations to ensure the letter is tabled and discussed at their ultimate board and risk governance committees. That's not a request made in most ASIC releases. In this episode, we discuss what frontier AI tools like Anthropic's Mythos and OpenAI's Daybreak mean for organisations, how ASIC expects organisations and their boards to be addressing the rapidly evolving AI threat, and how ASIC is itself using AI as part of its investigation arsenal. My co-host is Kate Austin, a partner in our disputes and investigations practice, and a class actions expert. Let's get into it.
Kate: So, Simone, ASIC has been quite vocal over its focus on cyber risk for some time now, including most recently in the open letter you published on AI frontier models, which we'll come to. I'm interested in understanding, sort of initially, what prompted ASIC's focus on cyber risk, and then, fast forwarding to today, where does that sit now in ASIC's priorities?
Simone: Thank you for picking up on the ongoing focus. There are more questions than usual at the moment about our focus on cyber because of frontier AI, and no doubt we'll talk a bit about that soon. But, for years now ASIC has been focused on, and drawing those who lead and govern companies, particularly in financial services, but companies generally, to their responsibilities and accountabilities when it comes to cyber. Cyber being just one of a number of really important critical strategic risks in that bucket, responsibility of those who govern and those who lead organisations. We've had a couple of cases, yourselves would be well across those, and there's building up some case law in this regard, but really, it boils down to simple messages in terms of cyber. And you ask, where are we at now in the way we think about it, or what our messages are, actually, despite the size, scale, speed of the threat that frontier AI, for example, right now, so today it's Mythos, next month it might be something different, despite the sort of almost exponential growth in that, and what that threat is and what it represents, the underlying messages haven't changed. So, the underlying message is, this is a responsibility of the board and those who lead an organisation, this is not just the responsibility of your IT team or your cyber team, and it's the only way that we'll get change in the standard that's needed.
You need to - just like with any of your other really important risks, where harm can be done, because real harm can be done when cyber risk is mismanaged, just like any other risk where real harm can be done to your customers or the community or to the financial services system, you need to understand the risk you present, so different organisations, different size, different types of data, different types of customer, different ways they participate in financial services, you know, are they critical infrastructure, are they a receiver of services - so the part you play, and understanding your business in that regard, and the risk footprint, preparing accordingly for what is almost certain. You know, over the last couple of years, I've been saying one every six minutes, so it's not a question of if, it's a question of when. I think suffice to say that one every six minutes, it'll be interesting next time we get the ACSC data and ASD data on prevalence of attacks. Who knows, you know, maybe it's one in three, maybe it's every minute, that's the way we need to think about it. So, we are agnostic about whether an entity is hit by a cyber attack... that will happen. It's what did you do to prepare, and then having those preparations, and we can talk about what we think good looks like in that regard. Having those preparations, what did you do in the moment? So, how did you respond? Did you pick up that playbook? Did you initiate your business continuity plan? Did you know what your crown jewels were? Did you escalate things properly? Were the right people able to make the right decisions at the time? Did you make the right network decisions and tech decisions, and did they flow through? And then, of course, afterward, did you remediate? Did you communicate? Did you understand what happened?
When we say communicate, you know, communicate at the right time, not just with us as regulators, but with your customers, because at the end of the day, coming back to my point about harm, the reason we care and say remind them this is an important responsibility, you can have real harm to Australians who are customers of these entities, real harm in terms of, you know, their access to important services, if you've got outages or disruption. You can have real harm in terms of what happens to data, but we often go to that from a cyber event soon comes data leakage, can soon come things like share sale fraud, for example, where we see an uptick and we see them very directly related. But also, we can have that insider threat, you know, once we have cyber bringing the wrong bad actors inside the network, you can have enduring harm, and particularly if this is an entity that plays a part in some way in the infrastructure of our financial services. We remind ourselves of that, it's not some esoteric kind of matrix-like kind of weird thing, this is at the heart of financial services and corporate services. Real harm for Australians is our message, so these are real responsibilities.
Kate: And do you think that the key sort of basic message you were talking about there, do you think that's resonating with the regulated population? How do you see that playing out?
Simone: Of course, in this regard, you know, the letter that we wrote, the communication last week, was to sort of licensees, but corporates generally, so we think about the regulated population here, we're talking a really broad church, so as opposed to our sister regulator, APRA, who've also recently communicated, for example, about frontier AI, as we have. They have a very defined set of regulated population. Our communication is to, you know, broad reaches and parts of the economy, in particular financial services, but corporates generally, when we're thinking about directors' responsibilities. So it's absolutely not the case that it will have resonated properly, been fully understood in a comprehensive and universal way. We've got to keep at that, because the message is for everyone running a financial services entity, or indeed governing a company that can present some risk, and that's most companies. And the one thing I would say as well is we need to think about the whole supply chain, even if we step back up and think about very large entities that may even be APRA regulated, for example, like a bank or a super fund or an insurer, which is where folks often go to when they think about these responsibilities. Those companies rely on so many other companies in the chain, and that third party supplier risk, we are only as good as our weakest link in the chain these days, and that is what frontier AI is showing us.
So, whilst we've had, particularly in recent days, nothing but positive reception from those who've acknowledged our letter, and in meetings I've had with those, I was just with the Chair and CEO of a very large financial services organisation, about other things, just before this discussion, and we were talking about very different subject matter, but they did lay out, actually, we've been in board meetings today, and we've absolutely had your letter on the table, and yet, well, you know, we're really focused, and we're really worried, so had nothing but kind of positive reception to the most recent communication. That's a very tiny sample of a very broad church that needs to hear this message, so we will need to keep at it and make sure we're communicating in ways these different corners of the economy can understand. They've got different risk footprints, different exposure, responsibilities may be bigger or smaller, equally we have to make sure we're communicating so that even the small and medium-sized enterprises in financial services and the economy understand what they can do, and we don't overcomplicate this.
Valeska: And especially when they form part of the supply chain as well.
Simone: Absolutely, and I think whilst it can feel complex, what we're talking about here, it's really important we get down to the fact there are actually some simple steps, like they're important steps, they're not easy. I'm not saying they're easy, but actually some simple steps that businesses can take, and financial services entities can take to really address the growing cyber risk.
Kate: You mentioned APRA there a moment ago, and there are different regulators across the board that have responsibility for cyber risk management, operational resilience, incident response. How does ASIC, I guess, coordinate with those different regulators? You know, when you're across different multiple regimes and different incidents and risks emerging, and sort of what does that look like in practice?
Valeska: And how do you decide who takes the lead?
Simone: So, if they're APRA regulated when it comes to cyber or something that's within their standards, APRA takes a lead, that's really clear, so we are under no, it's no confusion, no misunderstanding. APRA takes a lead where it responds to their standards and their lead responsibility. That doesn't mean that even where it's APRA regulated, there isn't a really important part and role for ASIC to play. We're the conduct and disclosure regulator, and when we think about disclosure, that also includes communications. So, an example of how we work together in an event, you've asked about an event, but we can also talk about it in terms of the threat management more generally. In an event, APRA will take the lead in terms of sort of the technical and working with the entity about what are they deploying, informing other regulators, talking and communicating with the board. We will be focused, for example, on what's customer communication like? How is the member or the customer of the financial services entity experiencing this? Is it the right point for there to be some communication? How do they navigate that when they might have limited information? So we often very quickly go to, okay, but, what are the customers of this entity experiencing, and how are they being communicated with, so that there is confidence.
Valeska: And how does that then intersect with the OAIC, for example, where there's disclosure obligations under the Privacy Act?
Simone: Yeah
Valeska: Including many cases that will be to customers as well.
Simone: So, when APRA regulated, you know, be respectful of APRA taking the lead in some of those discussions, but also we're party to that. One thing regulators are very practised at is working together, especially, and you see it in the kind of micro or immediate moments, like for example a cyber event. You also see it in the big moments. Think about COVID. I think we all work together. The system. Australia is good at that. It's one of the many things to love about Australia, including Australian financial services. So regulators are very practised at coming together in moments of potential crisis, certainly event for that management and that respectful, and we actually have established forums and actually our own escalation and information protocols that we activate. So it would be wrong for us to be saying to entities across the economy, you need to have your own BCP, you need to make sure you adhere to it, that you know your governance and decision rights, if we didn't. We're absolutely the same, and we embed those through the right practices in terms of our own preparation. So we also have to think about preparation and preparing for what these events might be, preparing for sort of and acknowledging their rising threat levels like we are at the moment. So we actually have established committees and groups that work together at the different levels and communicate at those different levels, so whether it's in the sort of security and cyber space or also a very powerful, obviously, organ of government is the Council of Financial Regulators, and I don't mean powerful in terms of we've got a lot of power to wield sticks and make decisions, and maybe we do, I mean powerful in terms of as a communication governance agreement, dealing with really important stuff, like when you need them dealt with, instrument and organ of government.
CFR plays a really important part, and, for those who don't know, that's ourselves, that's APRA, that's the RBA, and of course the Treasury, who sort of sit in the middle of all of these things across the economy.
Valeska: And in the actual crisis itself, thinking practically, when organisations are trying to contend with a whole range of questionnaires from different regulators, other stakeholders, are you also speaking with the other regulators then about how you coordinate or sequence the questions that you're asking?
Simone: Absolutely, and every time there's an event, we will seek and receive feedback on how it might have, could have been experienced a little differently, or a little better, for sure. Everyone must learn from an event, right? So, the whole point of kind of risk management and crisis response, and then learning from it. That said, I think it's a pretty well established sequence, and it's really important that we all know our core roles and where we have lead roles, and that you can hear how easy it is for me to answer, what's it like, for example, when it's APRA.
Valeska: Can we talk a bit about AI? Absolutely, very front of mind.
Simone: The good and the good and the good, but also quite scary.
Valeska: Yeah, yes, right, yeah. And it's fundamentally changing the cyber threat landscape. We're seeing, you mentioned before, Anthropic's Claude Mythos Preview, which is autonomously finding and exploiting vulnerabilities at scale and at speed, and I think we need to assume that that kind of technology is also going to be in the hands of threat actors as well, if it's not already, and APRA has warned that really organisations' AI governance and maturity is not necessarily keeping pace, and obviously ASIC has come out with its letter, which called for urgent cyber uplift… and I think what was really interesting is the wording around urgency, which I'm sure was very, very carefully selected, and the fact that this is not a distant or hypothetical risk, it is here now. And I wanted to ask about a specific statement that you made in the letter, which is that organisations shouldn't be waiting for perfect clarity, they should be acting now. And I was wondering if you could elaborate on what your chief concern is.
Simone: Yeah, so you're absolutely right about the urgency, I have used the language we're at a minute to midnight.
Kate: Yes, I like that language.
Simone: I'm very relaxed talking about these things, but I'm careful when I use terms like that. Yeah, so thoughtfully, deliberately, unequivocally, unambiguously, we are at a minute to midnight. You described it beautifully. Obviously, it's an area where you're a subject matter expert. Unsurprisingly, not everyone can describe the challenge and the point we're at as clearly and simply. Hence, the need for really crystal clear language about where we're at in terms of this is the time to deal and what folks need to do in governance and leadership positions, because we absolutely now have no time to waste. We would agree with the statements you've made in terms of the assessment: today the frontier AI is Mythos. There'll be another, and there'll be another again, and quickly the cost of operating and running these things will run down. They'll be mimicked, get to a point where someone in their garage can do things that once upon a time we thought only state-based actors can do, right?
Valeska: Barriers to entry alone.
Simone: Absolutely, barriers to entry in a criminal world, right? If it's deployed the wrong way. So we can see that threat, everyone can see that threat, make that threat crystal clear. When I use the language, I think you're talking about sort of urgency, and thank you for picking up on the particular tone, I would say that for about 24 hours, I, alongside some of my team, was sweating over whether that tone was right, and speaking across the economy to some other organisations, and hearing things like folks saying, you know, this kind of could put us on a war footing, right, or like, are we already initiating BCP with what we know, that's actually terrific to hear some of the bigger entities seeing it that way. That's the tone we're trying to convey. I go back to the broad church that we regulate, APRA able to be a bit more fine in their message, a bit more specific, and their letter was fantastic. And you can probably tell we sequenced ours to build and support. We have that broader church, so even more specifically, in terms of the tone and directness of language, I think I use words like, act with discipline, act with commitment, quite instructional, given the board is the audience, and it's not unique, but it is unusual for the letter to say, and you must table this at your board.
Valeska: Yes.
Simone: And that also is deliberate, because if this is not seen and understood at top of house and directors are under any ambiguity about their ownership and responsibility here, then we'll have a problem. Organisations aren't going to rise to the challenge. Now, when you ask the sort of extension, the question about, you know, don't wait for perfect, I mean, it should be clear, but there'll be no perfect, like these are designed to exponentially grow, create like challenge. They will never be perfect. So act now, act with what you have. And if you get back to what I said at the kind of beginning of this conversation, some of the steps are actually simple with what we're talking about. For example, we don't even need to go to sort of talking about access management, for example, you know, things which are relatively well understood now, nevertheless, but have a technical layer to them. Think about our message about what's your BCP, what's your governance, what is your playbook, what do you do if you have this event, and have you tested it, and have you made sure it is still match fit? Do you know who's going to take decision rights? Do you know who? Do you know what your crown jewels, what your critical systems are? These are things that you can do just with good people leading and governing the organisations to prepare now.
So, you don't need perfect, you don't need perfect information, you don't need to be in Glasswing, right, to be able to get your head around what this could be like if you have a system that has, and systems that will really exponentially increase that threat of drawing vulnerabilities together, so that's why that tone, it's a little bit trying to just demystify it, and I don't want to underestimate just the complexity of all this and the technical expertise that cyber experts hold, nor how difficult it is for us all to get our minds around what's happening here, but in moments of like serious event and serious threat, sometimes you've got to strip it back to what's simple, doable, and important, and oftentimes that's enough. That's enough for the improvement, and that's sort of our message.
Valeska: And speaking of Glasswing, do you have higher expectations for those organisations that do have earlier access to some of these technologies?
Simone: It's not a question I've, or we've, turned our mind to, because I don't think we necessarily need to. I think what we need to turn our mind to is what I said about understand your business, so without kind of drawing out particular entities or individualising them, if you're an entity that's of a sufficient size and sufficient capacity, and presents such a sufficient risk, because you're plugged into critical infrastructure, you provide a critical service, you have a volume of data, you have a large customer base, you may have an international presence and footprint and reach, then we expect the highest standard, because the potential, going back to, you know, why do we care? The potential for harm, the potential for harm to your customers, to other Australians, to push back into critical infrastructure, to those who you provide services to, to confidence generally, right? Confidence in kind of our markets and system will be immense if that's the case. So our expectations will be set accordingly, and in that sense, I think, whereas today the question might be, are you in or not in Glasswing? Does it change it? The question will be different in a week, in probably a way my imagination can't capture, which is what I'm finding with a lot of this. So that's why we keep coming back to that. What is the threat your organisation can present if you're not managing this risk properly?
Valeska: And then what are the capabilities that your organisation might have access to?
Simone: Absolutely, and that's a really good point, in terms of, you know, other steps we laid out in our letter, or that I talk about. Capability is really important in terms of, again, that preparation, and capability needs to be proportionate to the risk and the threat and the potential for harm. As a director or a leader, when we talk about capability, it's not enough to simply say you have a CISO, you need to think about, firstly, we always say it's got to be kind of capability across the organisation. This is a whole of organisation task. This is not just for the poor old CISOs, right? Also, it's not enough to say you have a CISO, because you need to know the CISO is good and equipped and able to deal with what you're dealing with, and it's such a critical role. I would expect boards are knowing their CISO, hearing from their CISO, and know how they came to be the right person, the right fit, the right capability for what the organisation needed. That's really important. Similarly, if you're a board who's measuring yourself against benchmarks or standards, and whether it's Essential Eight, whether it's NIST, whether you found your own other benchmark, and you're getting third parties to make assessments. Why is that third party the right party to rely on? How have they been engaged? How are they incentivised to give you honest answers here, and why is their capability what you should be relying on in terms of getting back to your responsibilities?
Valeska: Yeah, we were talking about this earlier, because we've noticed there's really strong emphasis coming out of ASIC recently on adequate resourcing, including in the context of FIIG, as well, and the commentary in that decision, too, on making sure that people also have the capacity to allocate the right amount of time to these sorts of areas as well, and look at what else they have on their plate and how roles are apportioned.
Simone: That's right, that's right. It's not enough to say we have someone in that role.
Valeska: Yeah.
Simone: Are they equipped? Are they capable? Do they have the right access to the board? Are they able to report the right way? Do they have the right channels? And do you know enough about, you know, how that's been verified to support again what your risk of harm is?
Valeska: Just quickly back on AI governance, interested to hear whether there are any AI governance behaviors or lack thereof that are concerning you in particular, and also whether ASIC is investigating any of those?
Simone: So, we don't talk about live investigations, but it's no secret that we have had some investigations, and of course they've come through, and in terms of court decisions, we absolutely do pay attention to AI governance, and I think, though, it's not just about talking about guardrails, although that's really important. So, we would expect boards to know what their guardrails are and why those guardrails are there. So, are the guardrails there because of the potential for harm of deployment to your customers in a way, and a thing it can do, are the guardrails there because a human at this point in a loop is really important, because of the nature of this service. Are the guardrails there because you've got vulnerabilities, like, you know, going back to, we were just talking Mythos and the frontier AI, in terms of picking out the vulnerabilities, because this is a space in which too much internet facing, too much openness, you know, you can draw things together. So, is it actually because of protection of the enterprise from a cyber perspective? So, it's not just enough to have the guardrails, understanding why the guardrails are there, like being curious and asking those questions, and again, knowing why you should be relying on the people answering the questions. I think you were kind of getting at board then, like, why are you relying on them? Why is that capability there? So, when we talk about explicability, being able to explain it, right, explain what sits beneath, it's not that you can, you know, vibe code it and reproduce it yourself, necessarily. It's actually explaining why this is a good decision, and you're okay with the decision for AI to be deployed there, right? So, they're principles, reasonable steps that directors are really used to taking, or should be used to taking in all their other endeavours. Think about it that way. Why am I okay with that? Why can I rely on that? Why does that guardrail require that?
And therefore, okay, I can see that guardrail is appropriately in place there, and those sorts of keeping again to those simpler principles, reasonable steps will hold them in good stead as they face into, you know, the kind of exponential challenge we all are, of keeping up with what AI can offer. You know, I never want to be a chilling effect on what AI can offer, but what AI can harm.
Kate: Just on that, how is ASIC using AI internally to assist with its, you know, various functions and operations?
Simone: Yeah, it's actually kind of exciting for a regulator. We don't often get to smile and say we're exciting, but because we receive a lot of data, and you'll have, there'll be a lot of people watching this who think, yeah, you do, you take a lot of data from us, it's our responsibility to make use of that, you know, the ASIC Act requires us to, so one way in which we must make use of it, and we're thinking about how we can use AI and, and how we can use digital technology generally, is we maintain the company's registers now, you know, the registers, so we're required by law to make that information available as well, and to make it in kind of readable form for the public, so how do we think about our customer service responsibilities and making things safer and more accessible? Because, of course, we got to think about our part in safety within the system too. When we maintain systems and registers like that, another way where it's like obviously pretty exciting is bringing our way to bring data together with the benefit of AI. And whereas once we might have had teams of people reading, for example, reports of misconduct, and reading them in isolation, and trying to triage it, and then sending it off to great people who come up with a decision on whether we kind of take this forward, which is a bit of how things start to make their way into an investigation. AI, the potential that has to bring together, like, and not just the kind of at machine speed, receiving and bringing those together, but bringing it together, of course, with a volume of other data points, and actually getting a sense of what are leading indicators of where there may be misconduct and emerging harm, so that you know, for where we see large scale and the systemic, which is where we get really, really animated, can see, can see those pockets coming, and where we should be looking more deeply and looking more closely. 
This is something we've been actually thinking about for the last couple of years, certainly since I've been at ASIC. We've also been deploying it already. I mean, it's not AI, but we were very early with our Artemis kind of hunt and hunting for the threat of insider trading, bringing together different data points, so that's kind of a bit more a digital rather than AI, so we've been early in some spaces in those sorts of pockets of ASIC, actually getting a grip on how AI could help us, for example, to mine the dark web better, so again, so we can be more predictive in at least where we should be looking, so not just being reactive, okay, we've got this information, draw it together and act more quickly, which is really critically important, and not just, you know, we're getting this information we need to share it with the public. How can we do that in a way that is safe and works well? Trying to be ahead of things as well, being predictive, and that's where it's going to be really quite powerful. And hopefully we can, you know, get get ahead of things more and be more in the deterrent space.
Valeska: You've spoken a bit about some of the evidence that might be providing using AI, some early indicators of behavior, and your letter also spoke, I think, on a number of occasions on the importance of having evidence of assurance that has been undertaken. What kind of evidence is the most important do you think in demonstrating adequate assurance or evidence that you would be looking at that might be a good indicator one way or another as to the adequacy of those governance behaviors?
Simone: It'll be fact specific and it'll be organisation specific, which is not to hedge. So, let me give some examples of things that we'd be looking for. I think again, it will seem like I'm labouring the sort of prepare, but again, it's that preparation. So, if you want true assurance, you need to know that you had the framework that was there, and that when things really changed, like they've just changed, that you test it against the fact that it's changed, right? So, the framework is there. You want to make sure that the key people are in the key roles, that you've got the key roles right. So you want to be benchmarking yourselves. Everyone should be benchmarking, and there are some standards, and for example, for small organisations, we reference the ASD and ACSC tools, which reference out to Essential Eight. So again, broad church for us, but what are you benchmarking against, right, in terms of that when you're looking to get assurance, and why is that right? Which people internally, again, going back to why are you okay, you got the right people in the right roles, and they're capable for this. And then, if you're getting that third party, why are you relying on that third party to give you that assurance? And how much did they test? What did they do? What did they deploy? Why are you okay with that? And one thing you wouldn't be thinking, this is not like set and forget, you don't kind of do it once, it doesn't change. Equally the way you think about assurance, you can't set and forget on that, that's going to change, right?
Because the capability required is really changing, and I mean the frontier AI, I think that's why it's really got us, Mythos has really got us all, because we're thinking, wow, I used to have an approach to assurance that looked at, you know, a framework that said, well, that's a low-rated issue, and you'd get all sorts of sign-offs, so low-rated issue, you can, you know, in places I've worked, 12, 24 months for fixing them. That assurance has gone out the window.
Valeska: Yeah
Simone: So that's why you just need to refresh. I would say something in that regard, though. It has always been the case that we've said to organisations, you cannot look at risks in isolation. APRA say the same thing. You need to think, look at your aggregate risk profile, your cumulative. So, if you've got areas in the tech world where clusters, where you're getting a whole lot of bad things coming together, you're not patching, you know, it's gone well beyond end of life, you're internet facing, like all those risk factors are good tech people across, like even if you're low rating them, it's been forever that we would have said you need to be thinking about that, bringing that together: is that reasonable, is that proportionate and appropriate given the kind of risk that might sit around that service or that product or that line. Well, I guess we just 1,000x to that, didn't we, with Mythos.
Kate: The FIIG decision, and your most recent letter, made clear that managing cyber risk is a fundamental part of sort of licensing conduct obligations, and FIIG, of course, was the first time that the Federal Court imposed civil penalties for cyber security failures. I think I'd be interested in your take on what the key lessons are from that decision for the regulated population?
Simone: I think you can almost lift some words from the judgment.
Kate: Probably
Simone: the proportionality. Like this preparation message that I'm giving, that's directly consistent with the judgment, and it's also consistent, I think, with the RI Advice case, the proportionality, like know your risk, like you've got responsibilities to your customers, particularly for the sensitive data you hold, which was part of the FIIG decision. So, if you're not investing in resourcing in setting up the right capability to manage that in your preparation, then you'll be accountable, just as if you didn't prevent some other harm to your customers. In this case, it was harm to the data. So our messaging, and indeed, I think you did sort of talk about the letter. It's deliberate that the letter brings together both the FIIG decision, I think we reference it, because it's so consistent with the idea of you got to prepare with proportionality, but also what I was saying earlier, not everyone's going to know what that means, and in this one, this is one where, well, most things, you know, that as a regulator, you don't want folks to fail, like you don't want to have to take people to court, we do it, required by law to do it, and it works for deterrence and holding people to account, you don't want to end up there, especially if it's kind of because the folks didn't understand what the responsibilities were. Now it's on them, you take on the responsibility to be a board, or on the board, or a leader of an organisation, that is responsibility. But we're trying to make it simple, hence the steps we lay out are simple steps that match back to that kind of, well, what does a proportionate preparation and response look like? So trying to draw those things together.
Kate: One of the features of FIIG, as well, was some of the failures in incident response, and I think that that was also something that was a theme of the earlier RI Advice case as well. Do you have any reflections on the importance of great incident response?
Simone: Yep, absolutely. That's why we say you got to have the playbooks, that you know, whether you call it a business continuity plan, an incident response plan or a playbook. What is it that you're going to do, and what's it based on? And something that I think, probably in the Mythos era, frontier AI, that's really important. I've kind of already mentioned this, but maybe should emphasise more, is what's your crown jewels in an incident response? What's your crown jewels, and where's your super threats? So, whether it's because you're providing a service you absolutely have to kind of protect and make available, or if it's going to be breached, you need to bring down, right, because you can't have that threat, or whether it's a data set that actually, like, you know, can have serious consequences if that leaks, knowing those really material exposures, knowing those crown jewels, and then making sure that that playbook or incident response matches to that accordingly, and then, of course, that you use it, that you use it, and I know that sounds trite, but actually, in the moment, having that muscle, because you've practiced and rehearsed, and understand why it's important, using it, and respecting those decision rights that are in there. Decision rights are going to become pretty important, if you think about, in, say, a large organisation, whose decision is it? Is it the CISO or is it the owner of that sort of customer, that customer-facing channel, whether that stays up or gets brought down because of the threat of some vulnerabilities that have been observed? That's incident response.
So we're not just talking about, oh, we've had a ransomware demand, and what are we going to do, we're talking about the whole idea of incident response has changed, and I would be surprised, and maybe even disappointed, if some of the larger, if not, you know, smaller, medium-sized enterprises that you know we've communicated with, if they haven't gone back to their incident response plans and asked the question, we're potentially at some level in that incident response plan now, if you think about the changing threat.
Valeska: I think organisations are absolutely going back and looking not just at the risk frameworks, but the incident response plans and playbooks, but you raise a point that we've seen coming up much more frequently lately, which often comes out of the lessons learned of incidents, which is much more clearly defining in the plans and playbooks what are the key trade-offs that need to be made, having regard to critical systems and operations, and we often see it in the context of the tension between containment activity that needs to be undertaken, and then unplugging the thing, taking it offline, and often you'll have two separate owners of those things, and so baking in who actually has the authority to make that call, when you've got two competing things that you're trying to implement. So, yeah, I think we're seeing organisations become a little bit more prescriptive about some of those really key trade-off decisions that need to be made.
Simone: And whether you're principles-based or more prescriptive, it'll be horses for courses for organisations, but
Valeska: It's the decision.
Simone: You got it, yeah, you got to have it set up, because we're talking about machine speed, yeah, so the decisions are going to need to be made at machine speed, and humans maybe cannot quite be machine speed, robots even beating this in running races now, like fast people, faster than me. But we might not be at machine speed, but if we have it hard coded and we know in the moment, and it's part of our muscle memory, because we have practiced and we have rehearsed and we respect that document, that document takes over when we're in that moment, then we can do this right, and I'd also say this isn't new. I mean, before I was at ASIC, I've spent like a lot of time in large organisations, particularly in recent years, in chief risk officer roles, think liquidity management, think credit management in crisis moments. We know, like, we all, we have for many years done liquidity crisis scenarios and risk crisis stress scenarios, and you get everyone together, and who's got the right on whether you turn that credit on or keep it off, and who's got the right on where you get that liquidity from, and where does liquidity go to first, and we have the muscle that, particularly the bigger organisations that might present more of a threat, or can at least have more of an impact, have that footprint. It's just using those muscles, and those experiences for cyber, and knowing that, you know, this is, you know, I just want to say it again, that minute to midnight, the need to act now, and that machine speed, that's what we're dealing with. So, we've got to be prepared.
Valeska: What are your expectations for multinational organisations whose cyber functions might be centralised offshore? What are the expectations in terms… I think I know the answer to this, but it would be good to hear your thoughts on the Australian organisation, especially where it might be, for example, a wholly owned subsidiary of a global entity.
Simone: If they're licensed here, operating here, having impact here, they've got responsibilities here. Now, hopefully, wherever they're headquartered is amazing, and you know, has the same standards as we do, but if not, that's their problem for having operations here. We have expectations. We are proportionate, small to medium sized entity, or a small financial advisor, for example, who doesn't have much of a footprint. We'd be reasonable, and indeed we try to be helpful with this is what you can do. Large bank, you know, super large bank. We have one of the world's largest banks, right in amongst our big five, we're proportionate there in terms of expectations, but if you've got an impact on, you can call it harm in Australia, you've got Australian customers, Australian services, part of the Australian network, it's a level playing field.
Valeska: And just going back to the proportionate point, you're talking about proportionality to the risk and the threat landscape, as opposed to the size of the organisation necessarily.
Simone: Absolutely, absolutely, I think if you folks actually look at how many people really work in Anthropic itself, it's not that many people, is it? It's probably less than the firm you work for, so it's absolutely not about employee number, and it's not about market cap, because, like, you can be listed, unlisted, who knows? No, it's about the threat… and there may be just one channel or one service you have, or one product, or one exposure, or one type of customer, but it might present a serious threat, right? So it's absolutely about the threat, the harm that flows from the risk footprint you represent in terms of this space.
Valeska: Should we talk about directors?
Kate: Yeah, let's talk about directors. ASIC announced back in 2024, I believe it was, that it was actively investigating or looking at potential claims against directors around cyber risk oversight. We haven't seen any proceedings to date, but I guess in the wake of that, many directors are really keen to understand how they should think about their obligations in relation to cyber risk and how they should be exercising those duties in practice. So, are you able to share some reflections on that, and sort of what behavior might put an individual director on ASIC's radar perhaps?
Simone: I think I shared some reflections last Friday, so I think I wrote a letter to them, all really, that said this is like what we expect, and I think that's as much as we can do. So, being responsive to directors' concerns, I should say, by the way, there are many directors on large and small, but some on some very large companies with serious reputations, who actually say, well done, ASIC, for continuing to say this is a priority, and to bring cases, and to be very clear about our expectations on directors. That might surprise you, but that's because if you're sitting on a board and you're looking to do the right thing in this regard, and it's not the only risk, like it's one of dozens and dozens that they, and I've reported up to boards of really large Australian companies, and like, it's a really significant and demanding job, right? And, but it's a really important job, so not the only risk, but at the moment it's a pretty acute risk. The response we get from, you know, some directors is, you got to keep going, because I don't want to be the only person on that board who takes this so seriously. I need to know this is truly a board team sport. So, one important point I'd make is it's not enough to say, "Oh, we've got this cyber expert, this person's got a tech background". In the same way, it's not enough to go, "Oh, we've got a CISO". Oh, you have to know that when you pull it all together as an organisation, that's the capability to respond, to prepare, respond in the moment, and then you know, remediate and deal afterward. It's the same for the boards. So, absolutely, it's great if you have people with tech experience and can bring that to bear, but it's actually on the board, you know, the board responsibility, and that's the way we think about it. How does that board come together to have the right capability?
That said, in, you know, response to there being no ambiguity about how seriously we take things at the moment, and actually no ambiguity about some steps that most organisations can take to respond to this threat, and thinking about the case law we have as well, and working with the security and defense and home affairs folks, and working with COFA, we wrote the letter on Friday that actually is trying to be the reflections. This is what you can do, as said in the letter, in my sign off: table this at your board, discuss it, and be sure you're meeting it.
Kate: Yeah, I mean, one thing in the letter it refers to boards receiving meaningful reporting on end to end control effectiveness, not just activity. Are you able to explain that distinction to us?
Simone: I can talk about that all day long. You know, it doesn't matter what area of failure I look at since I got to ASIC, and to be honest with you, it was probably the same when I was a chief risk officer. One of the common vectors is the absence of good reporting that looks at things on that end to end, for that end to end picture. Whether it is, so, death benefits, I spend a lot of time working with super trustees about their delivery of member services, and put out a report 18 months ago, or just over a year ago, actually, about failures in meeting death benefit claims and servicing members appropriately, and they're grieving families. It was terrible, like terrible, some of the stories I heard. One of the main drivers of those failures was at top of house, at the board, they weren't getting the right reporting to know how bad this problem was, and actually what the impact was, and they certainly weren't looking at it end to end. They weren't looking at it end to end in the sense of, oh, we might have many different service providers in the chain of service to our member, but me on the board, I'm accountable to the end member here. Equally, they weren't looking at it end to end, in terms of actually the way someone claiming a death benefit thinks about this: it's not the time that it's taken from when they've been 27 times around the roundabout trying to get the form in, and they've been told one day they'll get paid, they think about the moment they first contacted their super fund through to when they were paid, because they've just lost a loved one, right? That's how they're feeling it. That end to end picture, it's the same with when you think about cyber controls and cyber pictures. The need to, firstly, have the insightful reporting, so boards can keep on top of things and contract change, and can truly see through the risk.
Secondly, that it looks at the end to end picture of the controls and the service delivery, and that's not just a, like, a, you know, nice pretty controls dashboard, that's actually thinking about each step in the chain, and if that is not happening, then the Mythos Frontier AI is going to expose those who don't think about it this way, because what is probably the number one thing we're all, apart from the kind of machine weaponised speed of this, that we're thinking it is the way it can chain vulnerabilities from all over different parts of an organisation and bring them together into a chain that can be harmed, right? So it can show how that can be harmed. So, if you're not on a board thinking about that end to end, so the end to end of the service delivery and the end to end of the different risks and controls that come together, then you are going to be found wanting.
Valeska: So it's the accumulation of those risks, and then
Simone: it's both
Valeska: charting a path through the maze to see how it gets chained together, definitely
Simone: Definitely, it's understanding your systems and your architecture, and what the chain looks like. It's also thinking about where the control points are along there that create that chain of controls, and it is that cumulative risk profile, and as I said, that's actually always been something that organisations have been required to keep in focus. Don't just see your vulnerabilities and risks as being in isolation; they can be brought together, and we've just been shown how the
Valeska: The Ministerial Powers Consultation Paper canvasses two options for delayed continuous disclosure obligations, where immediate disclosure could threaten national security or safety, and there's obviously a tension between protecting shareholders through timely disclosure and the national security concerns. Be keen to hear your thoughts on that proposal, and some of the sort of practical considerations that will need to be worked through to make sure that that tension is being appropriately balanced.
Simone: Yeah, it's a really mature conversation going on in all the different parts of government at the moment. So, we've been more than consulted, we've been deeply and closely involved. Absolutely, when it comes to Australia being best equipped to deal with events and knowing events are coming and the harm they can cause the economy, like we absolutely, as regulators and government, we do work together, so we understand this is one part in so many considerations. This is a pretty extensive package, and you've got to kind of feel for those in government, and the minister, who have got to get their head around all of this, and this is an important part, so the balance here is continuous disclosure and transparency of our market is also amazing, awesome, and fantastic, and also really important. It's great we're being listened to, more than listened to, you know, working with Treasury, working with Home Affairs, we're kind of the lead voice in this. So it's a very respectful and mature conversation. There will be changes that come out of the consultation package, that's good, because like this is a constantly changing environment that will create that balance, and the balance has to be, you know, thinking about when, when, and who could trigger this, because you're really trading off, going back to the, we've got to be really clear on who makes decisions in that, you know, and how they're made, and what's the reference to it.
Valeska: And how quickly, as well…
Simone: Exactly, that's what we're trying to really nail down, for the same reason that's all part of our preparation, because we don't want, you can imagine, for example, if we got all this wrong, that actually knowing this existed, you could have some super bad actor thinking, well, this is a good way to create a level of kind of chaos or lack of confidence in the market, if you had a regulator that, if we weren't taking our disclosure kind of responsibilities really seriously, and how important this is. This could be used in all sorts of permutations and combinations that can create additional harm, right? So, but the good thing is that's well respected, well understood, and from Treasury, Home Affairs, working with APRA, working with the RBA, and so, and I think our comments on that will be, you know, entirely consistent.
Kate: Yeah. Cyber risk doesn't appear amongst your 2026 enforcement priorities. Is that because it's an enduring one? Do you consider it to be sort of an enduring enforcement priority, or will it be back on the agenda because of all the Mythos, you know, things we've just been talking about?
Simone: So, Mythos wouldn't drive us to have it as an enforcement priority, because as we keep saying, Mythos is just kind of today's rising threat. Cyber is front and center in our corporate priorities, so we have, we actually come out annually with our five corporate priority areas where we focus, and those sort of flow into our enforcement priorities. There are certainly enduring priorities, and really, you could think about cyber as part of that, resilience as part of that, but front and center in amongst the five, and there's only five, and we do a lot, like we're one of the broadest regulators in the world, it's a lot
Kate: You've got a lot on your plate…
Simone: There's a lot. Resilience is always in amongst those five, now for the last couple of years I've been there, and I cannot see that changing, and when we think about resilience, it's both, we have quite acute responsibilities, for example, in financial markets infrastructure, including in this space and beyond market integrity rules. However, it's also, you know, more broadly across the economy, with the opportunity and the, but the opportunity for threat or harm that AI presents, and that's, you know, I probably really want to emphasise that message. We think there is so much immense potential in AI. You know, AI is going to be part of meeting the productivity challenge. We work at ASIC because we kind of really care about Australia and financial services and the economy of Australia. We're required by the Act to do so, to try and make it more efficient and fair, and have better participation in it. AI is part of that. That said, we have to kind of live in the world of today, where we can see the other side, which is the threat. So, we've all got to do our part and communicate crisply, clearly, be straightforward, be, you know, as simple as we can be, but act now in terms of the rising threat in and around cyber that frontier AI presents.
Valeska: Thank you. Thank you for your time. To close it out, we always ask our guests for their favorite cyber-themed TV show, film, book…what's yours?
Simone: Oh so, I don't, I spend a lot of time reading for work, on, about work, so when I'm not working, I tend to just do something and read or see or watch something completely different. To be honest with you, I'm re-watching Peaky Blinders at the moment, so although, you know, it's not particularly cyber, I suppose, but then in a way it's not irrelevant, is it? I mean, they're kind of shiny, they seem a bit different and new, but they're just criminals, and actually, I remember in one of the episodes, I think the kind of Italian mob leader said, you know, oh, you let one in and then they're in, and you never get them out again, about the Peaky Blinders coming down the canals from Birmingham to London. Kind of, is that not what we're worried about in this kind of post-Mythos world, right? You find one vulnerability, yeah, it seems shiny, new and distracting, but it's just kind of criminal behavior, like flat out criminal behavior. One vulnerability, they get in, you can get them out again. What's the harm it's going to do?
Kate: Thank you. Thank you very much. So, I think that was a very timely conversation, wasn't it? Given ASIC's letter on Friday, and I think what really resonated for me was just the urgency of the need to take steps, given the threat that these frontier AI models pose.
Valeska: Yeah, I think that's right. And there are a lot of practical steps that organisations should be taking. I mean, firstly, the letter itself says that the letter should be tabled by boards, but also re-looking at risk frameworks and governance frameworks and making sure they're fit for purpose, doing the same with incident response plans and playbooks. And also, really thinking about the end to end understanding of the risk profile and the accumulation of risks as well. Simone spoke quite a bit about how looking at risks in isolation may not give the full picture of the systemic issues, which is what ASIC is particularly focused on. So, yeah, really interesting.
Kate: And I think really, what it all comes back to, I think, from Simone's perspective, is that these are fundamentals of good governance. There isn't anything sort of new in cyber necessarily. This is across the board. How do organisations demonstrate good governance in this space?
Valeska: Thanks for listening to this episode of The Cyber Brief. Check the show notes for resources from this episode or visit allens.com.au/cyber for our latest thinking. Don't forget to follow to keep up to date on what's ahead for cyber risk, governance, and emerging threats, as we interview some of the most respected voices in the industry.
- Board and management briefing: preparing for Mythos-class threats
- ASIC's open letter to AFS licensees and market participants
- APRA Letter to Industry on Artificial Intelligence (AI) | APRA
- Lessons learned from ASIC's enforcement action against FIIG
- Cyber enforcement in the spotlight again as ASIC pursues Fortnum Private Wealth
- Federal Court finds cyber risk management is a critical obligation for financial
- Simone's series recommendation: Peaky Blinders