ASIC Says Static Cyber Compliance No Longer Applies

ASIC has issued cyber resilience warnings before.
Most have looked broadly similar, but the letter published in May 2026 is materially different, and the reason is not rhetorical but structural.
Enforcement is now precedent-backed, the threat environment has compressed under generative and frontier AI, and accountability has moved firmly into the boardroom.
For executives and boards across financial services, government and large enterprises, the practical implication is the same. The bar for cyber compliance is no longer whether a framework exists, but whether it can be demonstrated to work in real time under real-world attack conditions.
AI has compressed the window in which static controls remain credible
On 8 May 2026, ASIC published an open letter, signed by Commissioner Simone Constant, warning that the misuse of frontier AI models could expose security vulnerabilities at a speed, scale and sophistication previously unseen.
Vulnerabilities are now being discovered and exploited faster than many organisations can patch them. Attack paths evolve dynamically. Defensive measures that were appropriate six months ago can become inadequate within a single quarter.
ASIC’s letter is unambiguous about the consequences. Regulated entities are required to table it at their ultimate board and risk governance committees.
The actions ASIC expects include reassessing cyber plans against the most pressing risks, identifying and protecting critical assets, minimising attack surface, reviewing user access privileges, patching systems promptly, maintaining and testing incident response plans, and actively managing third-party risks.
What stands out is not the list. Most of those actions have appeared in regulatory guidance for years.
What has changed is the frequency at which ASIC expects them to be evidenced. The Commissioner’s letter draws a direct line between AI-accelerated threats and the obsolescence of annual or point-in-time assurance approaches.
In her own words, the clock is at a minute to midnight.
Why point-in-time compliance no longer holds
The traditional model of cyber assurance was built around a stable threat environment. Organisations aligned to a framework, ran annual or quarterly reviews, and treated the resulting documentation as evidence of compliance.
Under AI-driven threat conditions, that model breaks down for three reasons.
1. Vulnerabilities are exposed faster than they are patched
ASIC has explicitly warned that frontier AI tools can identify exploitable weaknesses faster than human-led patching cycles can close them. A control that was effective at the time of the most recent review may already be compromised by the time the next review begins.
2. Attack paths evolve dynamically
Modern attacks combine multiple weaknesses, often across third parties, and adapt in real time. A static list of controls cannot represent whether those controls remain effective against an attack path that did not exist when the list was last reviewed.
3. The court has clarified what “adequate” actually means
In the FIIG judgment, Justice Derrington noted that a successful cyberattack on an entity’s information technology systems does not, in itself, prove that the entity has failed to meet its statutory obligations.
What matters is whether the controls were operationally effective at the relevant times. That distinction can only be evidenced through continuous monitoring, not periodic attestation.

What organisations must now demonstrate, not just document
For regulated industries, the question has shifted. It is no longer a question of whether a cyber framework is in place, but whether the organisation can continuously prove that the controls under that framework are working. The shift can be summarised in three practical priorities.
1. From annual review to continuous validation
Reviews remain necessary, but they are no longer sufficient. Organisations need confidence that controls are operating effectively between reviews, not just at the time of review. That confidence must be supported by live operational data rather than retrospective attestation.
2. From documentation to defensible evidence
ASIC’s FIIG action made clear that documentation alone does not satisfy the AFSL obligations. The court examined whether controls were actually implemented, monitored and adhered to. Boards now need access to evidence demonstrating not only that controls exist but also that they are performing as required.
3. From IT issue to board accountability
Cyber is no longer an operational matter that can be delegated. ASIC requires its May 2026 letter to be tabled at the ultimate board and risk governance committees.
Taken together with the Financial Accountability Regime and APRA’s CPS 230, this makes cyber resilience a personal, board-level accountability. Senior leaders need oversight tools designed for that level of responsibility.
How Ikara helps organisations meet the new standard
Our platform provides a continuous, evidence-based view of how cyber controls and supplier obligations are actually performing across the digital supply chain.
For organisations responding to ASIC’s May 2026 letter and the FIIG precedent, this delivers three practical capabilities.
1. Continuous control validation
Ikara monitors the technical controls that sit beneath cybersecurity and operational risk frameworks, surfacing performance drift before it becomes a reportable incident. Patching cadence, endpoint detection coverage, configuration baselines, and third-party security posture are continuously visible, not only at the time of the annual review.
2. Defensible evidence
When supervisors, auditors or boards ask whether controls were operating effectively at the time of an incident, the answer is supported by operational telemetry rather than narrative reconstruction. This is precisely the gap the Federal Court examined in the FIIG matter.
3. Board-level translation
Senior leaders do not need to see raw security data. They need to see whether the obligations they are personally accountable for are being met. Ikara translates cyber posture into a clear contractual and regulatory view, ready for the board pack.
What boards should do in the next quarter
The FIIG penalty is a benchmark. ASIC’s May 2026 letter is an expectation. The Fortnum Private Wealth proceedings signal continuing intent.
In practical terms, boards have a short window to do three things.
1. Review whether cyber controls are evidenced continuously, not just documented. If the answer is that the organisation relies on policies and quarterly attestations, the FIIG case has already established that this is insufficient.
2. Confirm that the ASIC letter has been formally tabled at the ultimate board and risk governance committee, and that the actions identified are being tracked with operational data.
3. Establish a board-level view of cyber posture that links controls to regulatory obligations, so directors with personal accountability can act on what they see.
Cyber resilience has crossed the threshold from advisory guidance to enforceable expectation. Static compliance no longer protects the organisation or the board.
Sources
ASIC calls for urgent cyber uplift as AI accelerates cyber threats
AI threats prompt ASIC cyber resilience warning
Lessons learned from ASIC’s enforcement action against FIIG