Australia is the first country with two separate financial regulators — APRA (prudential) and ASIC (markets/corporate) — each issuing distinct named-Mythos compliance directives within two weeks, making it the most active multi-regulator enforcement jurisdiction in the dataset.
ASIC/Reuters: ASIC publishes official letter naming Claude Mythos, orders all licensees to table cyber resilience assessment at the board level, warns 'the clock is at a minute to midnight'
Australia's Securities and Investments Commission published an official industry letter on May 8 (media release 26-092MR) explicitly naming Anthropic's Claude Mythos as a frontier AI model that could expose cybersecurity vulnerabilities at unprecedented speed, scale, and sophistication. ASIC Commissioner Simone Constant ordered all licensees and market participants to reassess cyber plans and table the letter at their ultimate board and risk governance committees — framing cyber resilience as a core licensing obligation with enforcement backstop from ASIC's recent court victory against FIIG Securities Limited. Constant stated: 'The clock is at a minute to midnight – if you aren't on top of your cyber resilience already, the time to act and prepare is right now.' Reuters separately reported that Macquarie CEO Shemara Wikramanayake confirmed the bank is running technology programs to test its potential risks against frontier AI models, though no Mythos-specific access was confirmed.
ASIC's May 8 formal letter — as Australia's corporate and markets regulator, distinct from APRA's April 30 prudential enforcement letter — makes Australia the first country to have two separate financial regulators issue official named-Mythos compliance directives within two weeks, mandating board-level governance action across Australia's entire licensed financial services sector.
High impact · Regulatory response
APRA: official industry letter threatens enforcement for inadequate AI risk controls, explicitly naming Anthropic Mythos as a frontier model heightening cyber threats
Australia's prudential regulator APRA published an official letter to all regulated entities — banks, insurers, and superannuation trustees — threatening enforcement action against those failing to adequately manage AI risks. Board member Therese McCarthy Hockey stated: 'Where entities fail to adequately identify, manage or control AI risks in a manner proportionate to their size, scale and complexity, we will take stronger supervisory action and, where appropriate, pursue enforcement.' The letter explicitly named Anthropic Mythos, stating APRA is 'engaging across the sector on the potential for increased cyber threats from high capability AI frontier models such as Anthropic Mythos.' Key gaps cited: information security practices lagging behind AI threat speed, over-reliance on vendor summaries without examining AI risks, and weak board-level technical literacy.
This is the first official enforcement threat issued by a major financial prudential regulator that specifically names Anthropic Mythos by model name, upgrading Australia's posture from sector-level monitoring to formal regulatory response with an explicit enforcement backstop.
Medium impact · Regulatory watch
Reuters/iTnews: ASIC, APRA, HKMA, South Korean financial regulators, and Singapore MAS named as monitoring or responding to Mythos-related financial-system risk
Reuters reporting carried by iTnews named ASIC, APRA, HKMA, South Korean financial regulators, and Singapore MAS as monitoring or responding to Mythos-related financial-system risk.
The access story is now also a reaction story: regulators without public access are still adjusting supervision and resilience planning around the model's reported capability.