Our offer: No cost board briefing on Frontier AI (Mythos) - Hype vs Reality

In recent weeks, there has been a significant increase in media coverage of the impacts of AI on cybersecurity. While this issue has been with us for some time, recent developments at Anthropic (and the Mythos Preview) have crystallised the risk.

We are often asked what this means for boards and expectations on directors in this "new world". From financial services to health care, mining and energy, all boards are now keen to understand how these developments impact their governance obligations. 

In the interests of collaborating with industry to combat this threat together, we are offering a board briefing to our priority clients. This is a "no cost" briefing on what we are seeing in the AI space, the impact on cyber security and how this is changing the expectations on the boardroom.

We would like to offer our priority clients a briefing on these recent developments and how they impact board expectations. We bring insights from recent high-profile incidents, but also look to help navigate the hype vs reality. 

If you would like a briefing from our market-leading cyber and board advisory team, please let us know. No cost, relevant insights and key recommendations. 

Please email [email protected] if you are interested in accepting this offer.

 


News from HSF Kramer

The cyber and data security landscape continues to evolve at pace. It can be challenging to keep up, so we have collated our “top 10” cyber stories from the last month, so you don’t have to. Here we go!

Cyber Top 10

1

In the biggest news of this month, it has been reported that AI firm Anthropic revealed details of its unreleased frontier model, Claude Mythos Preview, exposing a meaningful shift in AI‑driven cyber capability. The model can autonomously identify and exploit critical software vulnerabilities at unprecedented scale and speed, without human oversight, leading Anthropic to withhold public release and launch Project Glasswing with a limited group of trusted partners to support defensive remediation efforts. Read more here and here.

2

Around the same time, Anthropic confirmed it was investigating reports of unauthorised access to Mythos via a third-party contractor environment, arising from misuse of existing permissions. Anthropic stated there was no evidence of misuse and that its core systems were not breached. Read more here.

3

In a third Anthropic‑related development, the Australian Government has reported that it has engaged with the company over potential cybersecurity risks associated with the Mythos model. Officials have reported concerns about the model’s ability to uncover “thousands” of vulnerabilities in operating systems and web browsers, prompting close coordination with software providers. Read more here.

4

OpenAI has rolled out a major new ChatGPT update with the launch of GPT‑5.5, as the company pushes the tool further into everyday professional use. The update is designed to reduce back‑and‑forth prompting by letting ChatGPT plan, use tools and check its own work, alongside new “workspace agents” that are aimed at business and enterprise users. While the release stands on its own, it also comes as rivals like Anthropic continue to release more capable models, demonstrating how competition is steadily driving rapid upgrades in AI systems. Read more here.

5

APRA and ASIC have both released open letters warning about AI‑related risk, and the messages land in a similar place: adoption is accelerating faster than governance, assurance and cyber resilience. In our view, a large portion of the APRA letter is “throat clearing” and scene setting. This context is not new. It’s just that we are starting to see evidence of the threats and risks. To make a few observations, APRA’s emphasis on operationalising AI governance and strengthening controls is directionally sound but largely reinforces expectations already articulated in CPS 230 and related prudential standards. The section on consistent government frameworks is a useful contribution for boards to look at – these are simple but good questions that the board can put to its management team. There is nothing new in the treatment of third‑party concentration and opacity (this has long been a concern and the CrowdStrike outage brought this to light). We think the more challenging issue is managing fourth‑ and fifth‑party dependencies where visibility remains limited. ASIC’s open letter takes a sharper tone, urging firms not to wait for “advanced AI tools” before strengthening cyber fundamentals. Commissioner Simone Constant stresses that cyber resilience is a core licensing obligation, not an IT hygiene task. Read more here and here.

6

The US and Australia have flagged a joint crackdown on the growing threat posed by North Korean operatives infiltrating organisations as remote IT workers. Security agencies have warned that North Korean actors are using stolen/fake identities to obtain remote roles (often through third‑party recruiters or contractor arrangements) enabling them to access corporate systems and generate revenue for the regime. The tactic presents both cyber and insider risk concerns, with authorities urging organisations to strengthen identity verification, vendor oversight and remote work controls as part of broader efforts to disrupt these schemes. Read more here and here.

7

Sri Lanka’s Finance Ministry suffered a cyber scam that saw US$3.7 million stolen from a payment meant to repay debts to Australia. Hackers reportedly accessed government email systems and changed banking details, allowing the money to be diverted before the issue was noticed. The breach was only discovered when Australian officials queried the missing funds, prompting an investigation by Sri Lankan authorities with support from Australia. Read more here.

8

The ASD has released updated guidance on the cyber security risks and opportunities associated with frontier AI models. Building on its earlier announcements, ASD says its understanding of what frontier models can and cannot do is becoming clearer, noting that while these technologies introduce new considerations, they do not fundamentally change the cyber risk equation. The ASD’s message is simple – strong cyber basics like identity management and patching remain one of the most effective ways to manage AI‑related risks. Read more here.

9

The Cyber Incident Review Board (CIRB) has been appointed, chaired by Narelle Devine and comprising six standing members. The CIRB will be supported by an Expert Panel (yet to be appointed) drawn from public and private sector specialists. The Board will play a pivotal role in strengthening national cyber resilience. It will review significant cyber security incidents, identify lessons learned, and make recommendations to uplift cyber security practices across government, industry and the community. Read more here.

10

A recent sweep of more than 75,000 dark web listings by NordVPN and NordStellar found a wide range of Australian personal data for sale at bargain prices, including credit card details for as little as US$10 and Netflix accounts for under US$5. Off the back of this, a complete Australian “full identity” can now be bought for around $200, often containing enough personal and financial information to enable full impersonation. Much of this data originates from past breaches, meaning the uncomfortable reality is that your information could already be for sale. Read more here.

New Podcast: Cross Examining David Moffatt – The Director Series

We’re excited to announce the first of our Cross-Examining Cyber Director Series. For the next six months, we will speak to some of our leading directors, including David Gonski, Anne Templeman-Jones, John Mullen, Catherine Brenner, just to name a few. 

This month we released the first in our series, where we cross-examine David Moffatt. 

David has over 40 years' experience in executive leadership positions. He's worked and lived almost everywhere: Australia, the US, Europe and Asia. He's currently the chair of Ventia Services Group, Environmental Remediation and Social Services and Apollo Global Management. David is also the chair of the American Chamber of Commerce here in Australia.

David has first-hand experience dealing with a cyber incident as part of his role at Ventia. His insights are not only considered but come from direct experience.


Key contacts

Peter Jones
Partner, Head of TMT, Asia, Singapore

Merryn Quayle
Managing Partner, Melbourne Office, Melbourne

Kaman Tsoi
Special Counsel, Melbourne

Heather Kelly
Senior Associate, Melbourne

Rebecca Gill
Senior Associate, Melbourne

Cameron Whittfield, Peter Jones, Christine Wong, Merryn Quayle, Emily Coghlan, Magdalena Blanch-de Wilt, Kaman Tsoi, Heather Kelly, Rebecca Gill, Caitlyn Bellis, Brooke Crenfeldt, Annabelle L’Estrange