Australia's financial regulator has issued an unprecedented open letter to every AFS licensee in the country, declaring that the rise of frontier artificial intelligence has fundamentally and permanently altered the cyber threat environment — and that the insurance industry, in particular, can no longer afford to treat the risk as someone else's problem.
In a letter signed personally by ASIC Commissioner Simone Constant and released today, the regulator was unambiguous: "Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business."
The message carries serious weight for insurers, reinsurers, underwriters and insurance brokers — all of whom hold vast repositories of sensitive policyholder data, rely on complex third-party technology ecosystems, and are increasingly deploying AI tools across claims, underwriting and client-facing operations. They are, in short, both the target of AI-accelerated cyber threats and holders of the policies that must respond to them when they strike others.
ASIC's concern is not that AI creates entirely new risk categories, but that it drastically lowers the cost and complexity of executing sophisticated attacks. Phishing campaigns can now be generated at scale, software vulnerabilities identified and exploited at speed, and social engineering executed with a persuasiveness that once required considerable human effort. The letter notes that what once looked like minor, isolated weaknesses can now be rapidly combined by AI-driven attackers into serious cascading incidents.
For Australian insurers, the warning dovetails with trends already reshaping their business. Cybercriminals are leveraging AI to automate attacks and create more convincing phishing campaigns, and the Qantas breach of July 2025 — which compromised nearly six million customer records — illustrated the importance of monitoring risks beyond internal systems. As Insurance Business Australia has reported, regulators including ASIC and the OAIC have since intensified their enforcement focus on cyber risk management, while recent privacy law amendments now allow individuals to seek legal recourse for breaches caused by reckless conduct.
[Infographic: ASIC Open Letter, May 2026. "Australia's cyber threat environment is escalating": key indicators driving ASIC's urgent call to action for AFS licensees. ASD Cyber Security Hotline calls: rising. Organisations hit by ransomware in the past year: 59% (Sophos 2025). Average cost of a breach: $4.7M, global average (IBM 2025). Industry AI preparedness gap. Sources: ASIC Open Letter May 2026; Sedgwick Global Risk Study 2026; Marsh; IBM; Sophos.]
The ASIC letter also arrives at a critical inflection point for the cyber insurance product itself. As Insurance Business has reported, AI deployment is increasingly a dual exposure for the sector — adoption brings new liability pathways, while threat actors are weaponising AI in cyberattacks. The question of whether AI-related incidents will be treated as professional errors, data events, or operational mishaps is one the industry is still wrestling with — and Thursday's ASIC letter gives renewed urgency to resolving it.
ASIC's call to action is sweeping. It instructs licensees to reassess cyber plans, protect critical assets, minimise attack surfaces, patch systems promptly, and implement layered defence-in-depth architectures. The regulator specifically flags insider threats as rising, urging regular reviews of user access privileges and action where warning signs are identified. Third-party risk management receives particular attention — a pointed concern for an industry in which carriers, intermediaries, claims managers and technology providers are tightly interwoven.
The governance dimension of the letter may be its sharpest edge. ASIC makes clear that boards cannot simply rely on management assurances. They must demand evidence: test results, independent audit findings, lessons from real incidents. ASIC's assessment aligns with broader findings that only 14 per cent of organisations consider themselves fully prepared for AI deployment, and 31 per cent say they are struggling to keep pace or are behind. As Insurance Business Australia noted in its coverage of ASIC's 2026 risk priorities, rising calls to the Australian Cyber Security Hotline and higher incident response activity have already underscored the need for a sector-wide uplift.
Constant closed the letter with a directive that carries the force of a regulatory requirement: boards must table and discuss it at their highest governance committees. The time to act, she wrote, "is now, not by reinventing your approach, but by ensuring the basics are robust, resourced, and working effectively."
If you haven’t spoken to your clients recently about cyber cover, don’t leave it too long.