APRA pushes for collective defence strategy against emerging cyber threats
Australia's prudential regulator has urged financial institutions to adopt a collective defence strategy against frontier AI-enabled cyber threats, warning that no organisation can fight the risk alone.
Speaking at the 2026 AFIA Risk Summit in Melbourne, Australian Prudential Regulation Authority (APRA) member Therese McCarthy Hockey said the rapid advancement of frontier AI models had created a "paradigm shift" in cyber security risk that demands industry-wide collaboration.
"In an ever more interconnected financial system, instability in one part of the system can quickly destabilise other areas," McCarthy Hockey said. "The scale of this challenge, the speed with which it's evolving and the borderless nature of the threat, require those of us on the right side of this battle to work together — at an industry level, a national level, and even at an international level."
APRA's call comes in the wake of Anthropic's release of its Mythos AI model, which the company said had surpassed "all but the most skilled humans at finding and exploiting software vulnerabilities."
The Five Eyes cyber security agencies subsequently issued a joint statement warning that frontier AI models were set to "fundamentally transform both offensive and defensive cyber capabilities," adding that "the timeline is not years, it is months."
'Team Australia' mentality
McCarthy Hockey described the collective defence approach as a "Team Australia" mentality, comparing it to how financial institutions already share scam intelligence.
She said larger organisations that gain early access to frontier AI models have a responsibility to share what they learn with smaller peers and suppliers.
"Where one institution learns something material about AI-enabled vulnerabilities, model limitations, jailbreak techniques, or defensive use cases, the system as a whole benefits when that knowledge is shared quickly and safely," she said.
APRA has begun hosting roundtables alongside the Australian Securities & Investments Commission and the Australian Signals Directorate to facilitate the exchange, with major service providers and payments system companies also included.
McCarthy Hockey said early signs from those forums were encouraging, noting that some of the country's largest financial institutions had volunteered to share their technical expertise with smaller organisations.
"This open approach to community-building correctly recognises that making the system more resilient is an investment in making themselves more resilient," she said.
AI governance at work
The speech underscores a growing expectation that AI governance and cyber resilience are no longer solely the domain of technology teams.
APRA's own thematic review of 11 financial institutions, conducted last year, found that governance, risk management, and operational practices were not keeping pace with the speed of AI adoption, a gap that points to workforce capability and organisational culture as much as technology investment.
McCarthy Hockey also flagged that a recent World Economic Forum white paper found AI deployment in cyber security was closely tied to organisational size and resources, with smaller entities tending to lag due to financial constraints, skills availability, and data maturity.
"Don't wait for the latest and greatest technology or mistake access to frontier AI models for resilience," she said. "Real resilience comes from the governance, controls, data discipline, testing and contingency planning that sit around the technology."
