ASIC Says Cyber Is Now a Licensing Obligation. AI Is Why.
ASIC's May 2026 letter tells every AFS licensee that AI-accelerated cyber risk is a board issue. The first penalty — $2.5 million — is already in.
The letter every licensee needs to read
ASIC just told every licensed financial services firm in Australia that cyber resilience is a core licensing obligation — not an IT issue. The reason: frontier AI models are accelerating cyber threats faster than most firms can respond. If you hold an AFS licence, this letter needs to be on your board agenda this month.
On 8 May 2026, ASIC Commissioner Simone Constant issued a letter to all AFS licensees and market participants. The language was unusually direct. “Cyber risk has entered a new era,” Constant wrote. “The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise.” The letter sets out 12 specific steps ASIC expects entities to take — from reassessing cyber plans and patching systems promptly, to managing third-party risks and deploying AI defensively.
Most significantly, ASIC requires entities to table the letter at their ultimate board and risk governance committees. Not forward to your IT contractor. Table at the board. This is ASIC making cyber resilience a governance issue, formally and in writing.
A $2.5 million precedent
This isn’t aspirational guidance. In February 2026, ASIC secured a $2.5 million penalty against FIIG Securities Limited — the first time the Federal Court has imposed civil penalties for cyber security failures under AFS licensee obligations. FIIG’s failures over a four-year period led to a 2023 cyber attack where 385 gigabytes of confidential data were stolen and leaked onto the dark web: driver’s licences, passports, bank accounts, tax file numbers. Approximately 18,000 clients were affected.
The court also ordered FIIG to pay $500,000 towards ASIC’s costs and engage an independent expert to overhaul its systems. The message from the regulator is clear: cyber failures are licensing breaches, and the penalties will scale with the harm.
$2.5M: first cyber penalty under AFS licensing (FIIG Securities, Feb 2026)
$56,600: average cost per attack for Australian SMEs, up 14% year on year (ASD Cyber Threat Report)
43%: share of all attacks that target smaller businesses (ASD Cyber Threat Report)
Why this hits smaller firms hardest
The letter applies to all AFS licensees, not just the big four banks. That includes accounting firms, financial advice practices, mortgage brokers, and insurance brokers. And the data suggests smaller firms are the least prepared.
Smaller businesses are the target of 43% of cyber attacks in Australia. The average cost of a cyber attack on an Australian small business hit $56,600 in 2024–25, up 14% year on year, according to the Australian Signals Directorate’s Annual Cyber Threat Report. Australia now receives a cybercrime report every six minutes.
The AI acceleration is the new variable. Where an unpatched vulnerability might previously have gone unexploited for months, AI-assisted tooling lets attackers find it and exploit it in days or hours. ASIC’s specific reference to “accelerated vulnerability discovery and exploitation” is the regulator acknowledging this shift, and expecting licensees to match the pace.
We wrote recently about APRA raising similar governance expectations for regulated entities. The pattern across Australian financial regulators is converging: cyber resilience is a board-level governance obligation, and “we outsource IT” is not a defence.
Three actions for this month
ASIC listed 12 steps. For a smaller firm, three matter most right now.
First, run the free Cyber Health Check at cyber.gov.au. It takes about 15 minutes, is completely anonymous, and generates a tailored action plan based on your answers. ASIC specifically recommends it in the letter.
Second, audit access privileges. Who has admin access to your practice management software? Are former employees still in the system? Shared passwords still in circulation? ASIC flagged regular access reviews as a core expectation — and this is where most small firms have the biggest gap.
Third, patch promptly. ASIC called this out because AI is compressing the window between a vulnerability being disclosed and being exploited. If you’re running software with known updates pending, the regulatory position is now that delay is a governance failure, not an IT oversight.
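The access review in the second action is the one step here that a small firm can turn into a repeatable check rather than a one-off conversation. The script below is an added example, not code from ASIC or from this article’s authors. It assumes a CSV user export from a hypothetical practice-management system (columns username, role, last_login, owner_email) and a current-staff list from HR; both inputs are constructed inline. It flags admin accounts first, then any account whose owner has left, any account with no named owner (the classic shared login), and any account that has not logged in within a 90-day window, which is an assumed threshold rather than a figure from the letter.

```python
"""Access-review triage over a user export.

Added example (not ASIC's or the article's own code). Inputs are constructed:
a hypothetical practice-management-system CSV export and an HR staff list.
"""
import csv
import io
from datetime import date

# Constructed sample export from a hypothetical practice-management system.
USERS_CSV = """username,role,last_login,owner_email
jsmith,admin,2026-04-30,j.smith@example-practice.au
pwong,admin,2025-11-02,p.wong@example-practice.au
reception,user,2026-05-01,
mreyes,user,2026-05-03,m.reyes@example-practice.au
it-vendor,admin,2026-01-15,support@vendor.example
"""

# Constructed current-staff list from HR (hypothetical). p.wong has left;
# the vendor support address is a third party and should never be on it.
CURRENT_STAFF = {
    "j.smith@example-practice.au",
    "m.reyes@example-practice.au",
}

STALE_DAYS = 90                 # assumption: no login in 90 days is stale
TODAY = date(2026, 5, 8)        # review date, fixed here so the run is repeatable


def review_access(users_csv: str, current_staff: set[str], today: date,
                  stale_days: int = STALE_DAYS) -> list[dict]:
    """Return one finding per account that needs a decision.

    Each finding carries the account, its role, a priority (admin accounts
    are 'high') and the list of issues found. Clean accounts are omitted.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        issues = []
        owner = row["owner_email"].strip()
        last_login = date.fromisoformat(row["last_login"])

        # Ownership: every account must map to a named, current staff member.
        if not owner:
            issues.append("shared or unowned account")
        elif owner not in current_staff:
            issues.append("owner not on current staff list")

        # Activity: dormant accounts are the ones nobody notices being abused.
        if (today - last_login).days > stale_days:
            issues.append(f"no login in {stale_days} days")

        if issues:
            findings.append({
                "username": row["username"],
                "role": row["role"],
                "priority": "high" if row["role"] == "admin" else "normal",
                "issues": issues,
            })

    # Admin accounts first, then alphabetical, so the report leads with
    # the accounts that can do the most damage.
    findings.sort(key=lambda f: (f["priority"] != "high", f["username"]))
    return findings


def admin_usernames(users_csv: str) -> list[str]:
    """Answer the first question on the page: who has admin access?"""
    return sorted(r["username"] for r in csv.DictReader(io.StringIO(users_csv))
                  if r["role"] == "admin")


if __name__ == "__main__":
    print("Admin accounts:", ", ".join(admin_usernames(USERS_CSV)))
    for f in review_access(USERS_CSV, CURRENT_STAFF, TODAY):
        print(f"[{f['priority']:>6}] {f['username']:<10} ({f['role']}): "
              + "; ".join(f["issues"]))
```

Run it against a real export and the output is the agenda for the access-review meeting: every line is either a removal, a reassignment to a named owner, or a documented reason to keep the account. Keeping the report alongside the board paper is also the evidence that the review actually happened, which is what a regulator will ask for.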
Sources
ASIC — Calls for Urgent Cyber Uplift as AI Accelerates Cyber Threats (May 2026)
ASIC — FIIG Securities Ordered to Pay $2.5 Million Over Cyber Security Failures (February 2026)
Australian Signals Directorate — Annual Cyber Threat Report 2024–25
Assumptions & methodology
- The $56,600 average cyber attack cost and 14% year-on-year increase are from the Australian Signals Directorate’s Annual Cyber Threat Report 2024–25. This figure represents average self-reported losses for small businesses (0–19 employees).
- The 43% figure (smaller businesses representing 43% of all cyber attacks) is from Australian cyber crime reporting data as cited in industry analysis of ASD reporting. “Smaller businesses” in this context typically refers to organisations with fewer than 50 employees.
- The “cybercrime report every six minutes” figure is from ASD reporting and represents total cybercrime reports across all Australian organisations, not limited to financial services.
- FIIG Securities’ $2.5 million penalty is from Federal Court proceedings initiated by ASIC (media release 26-021MR, February 2026). The 18,000 affected clients and 385 GB of stolen data are from the ASIC media release and court findings.
- AFS licensee refers to Australian Financial Services licensees — any entity authorised to provide financial services under the Corporations Act 2001. This includes financial advisers, accounting firms with AFS licences, mortgage brokers, insurance brokers, and investment firms.
Field Notes are general commentary on AI trends for Australian businesses. They don’t constitute professional advice. Talk to your accountant, lawyer, or IT adviser before acting on anything specific to your situation — or talk to us if you want help working out where AI fits.