Australia’s banking regulator has warned financial firms that new AI tools could make cyber intrusions bigger and faster, saying security measures are not evolving as quickly as AI.
In a letter to banks, the Australian Prudential Regulation Authority (APRA) said many of the sector’s information security frameworks had not kept pace with the pace of change in AI.
The rapid advancement of AI poses a greater risk to the country’s financial sector, according to regulators.
APRA member Therese McCarthy Hockey said that despite the “tremendous opportunities” it offered, “the risks of such a powerful technology cannot be ignored”.
“While we are not proposing to introduce any additional requirements at this stage, we do expect to see significant improvements in how businesses close the gap between the capabilities of the technology they are using and their ability to monitor and control it,” Hockey said.
Referring to a review it conducted, APRA warned that “frontier AI models such as Anthropic’s Claude Mythos, which have the potential to enhance the discovery of vulnerabilities by malicious actors, are expected to further increase the probability, velocity, and scale of cyberattacks.”
Mythos is said to have the ability to identify and exploit vulnerabilities in major operating systems and web browsers. Initial access is limited to a select group of large technology and financial companies through an initiative called “Project Glasswing.”
Anthropic said the measure is aimed at protecting critical systems from such capabilities before similar AI tools are released more widely.
“APRA is hearing clear recognition from regulated entities of the gradual change in cyber practices and the need for continued improvements in their ability to protect IT assets in an evolving threat environment.”
Last week, a spokesperson for Home Secretary Tony Burke said Australia was working with software companies, including Anthropic, on potential cybersecurity vulnerabilities, Reuters reported.
APRA said feedback from industry consultations shows banks are placing too much emphasis on vendor presentations and AI model overviews without sufficient consideration of the potential risks.
“APRA recognized that many boards are still developing the technical literacy necessary to effectively challenge AI-related risks and oversight,” the letter states.
