Encryption-busting Q-Day moving closer: APRA

Insurers must urgently respond to threats posed by frontier AI and encryption-breaking quantum computers, the Australian Prudential Regulation Authority has warned.

Anthropic’s Claude Mythos, Google DeepMind’s Gemini and OpenAI’s GPT series represent a step change in cyber risk, the regulator says.

APRA wants insurers and other entities it regulates to be “at least starting” to map where cryptography is relied on across systems, data and third-party providers, including long-lived data and critical infrastructure.

It plans to step up supervisory engagement over the coming year.

“You need to be moving on this issue now,” APRA member Therese McCarthy Hockey told the Australian Finance Industry Association Risk Summit today.

“We will want to see evidence that boards understand the risk, recognise their obligation to act and are advancing plans to meet the Australian Signals Directorate’s recommended timeline.”

APRA has it “on good authority frontier AI presents a paradigm shift”, Ms McCarthy Hockey says.

“The threat horizon posed by these advanced AI models has moved sharply nearer and will likely bring forward the timeline for correlated threats such as encryption-breaking quantum computers.

“The challenge before us is to act with speed, ambition and confidence.”

Quantum computing uses the rules of quantum physics to exponentially increase computing power. It is expected to transform pricing, portfolio construction, logistics and fraud detection, but will also crack passwords in just minutes.

“Every email or data file hacked or stolen going back years, which criminals were unable to unlock at the time, would become vulnerable,” Ms McCarthy Hockey said, adding cryptographically relevant quantum computing could become a reality years earlier than expected.

“All of us – businesses, regulators, governments and agencies – are in another race against time to prepare for this threat before Q-Day arrives ... Putting in place the right quantum resilience will take time and considerable investment – it’s not an overnight exercise – and all this in the face of the accelerating arrival of Q-Day.”

New AI models can identify vulnerabilities that previously escaped detection. For example, Mythos can autonomously link a series of minor vulnerabilities to create a major breach.

Ms McCarthy Hockey says this is “turbocharging the ability of cyber adversaries to find vulnerabilities they can exploit ... The risk is that security teams become overwhelmed trying to patch vulnerabilities and fend off attacks coming faster than ever before.”

Companies need to identify weaknesses before bad actors can, she adds.

“For Australian financial institutions, frontier AI is not just a cyber risk issue. It’s third-party risk, a concentration risk and a sovereign access risk.

“A critical business process, control or cyber defence capability that depends on a single offshore frontier AI model may be disrupted not only by an outage or cyber incident but by a regulatory decision made overseas.”

Boards and senior managers must understand third‑party and operational dependencies and “act now” to strengthen core controls rather than wait for access to frontier models, APRA says.

“The scale of this challenge, the speed with which it’s evolving and the borderless nature of the threat, require those of us on the right side of this battle to work together,” Ms McCarthy Hockey said.
