
A Minute to Midnight: Why Australian Organisations Can’t Wait on Cyber Resilience

ASIC’s open letter to industry is a watershed moment. As AI supercharges the threat landscape, a new certification framework is offering a credible path to verified, trusted digital governance. 

The clock is at a minute to midnight – if you aren’t on top of your cyber resilience already, the time to act and prepare is right now. – ASIC Commissioner Simone Constant, May 2026

Australia’s financial regulators are not known for understated language. So when ASIC Commissioner Simone Constant issued an open letter to industry using the phrase “a minute to midnight,” the message was unmistakable: the window for voluntary, gradual cyber uplift has closed. The time for action is now. 

The letter, shared widely on LinkedIn by ASIC and published as a formal media release, represents a significant escalation in regulatory posture. It is not a consultation paper or a guideline. It is a direct call to action – backed by recent enforcement – that positions cybersecurity readiness as an existential corporate governance obligation, not merely a technology concern. 

The AI Inflection Point 

What makes this moment different from previous regulatory warnings is the explicit acknowledgement of artificial intelligence as a force multiplier for cyber threats. The ASIC letter notes that frontier AI models are now able to discover and exploit vulnerabilities far faster than organisations can patch them, compressing timelines that once gave IT teams breathing room into a matter of hours or days.

Cyber risk has entered a new era. The advent of frontier AI models creates opportunity, but also materially increases risk, with the ability to expose vulnerabilities far faster than many realise. Weaknesses that once seemed isolated can now have a system-wide domino-effect, enabling new forms of exploitation that were previously out of reach for most malicious actors. – ASIC Commissioner Simone Constant, May 2026

Critically, ASIC is not telling organisations to fight AI with AI. The Commissioner’s call is emphatically a return to first principles: consistent execution of well-established controls, clear governance structures, and adequate resourcing. Sophisticated tooling cannot substitute for the fundamentals. 

ASIC’s 12-step framework spans a broad spectrum of operational readiness, including:

  1. Reassessing cyber plans and refocusing efforts on today’s most critical risks 
  2. Reviewing governance and risk frameworks to account for interrelated, cascading vulnerabilities 
  3. Identifying and protecting critical assets and systems 
  4. Strengthening cybersecurity fundamentals through regular validation of core controls 
  5. Minimising attack surfaces by reducing exposure to untrusted networks 
  6. Reviewing user access and privilege, monitoring for insider threat indicators 
  7. Patching systems promptly, accounting for AI-accelerated vulnerability discovery 
  8. Implementing layered, defence-in-depth architectures that assume breach 
  9. Maintaining and exercising incident response plans, including business continuity for high-priority services 
  10. Enhancing supply chain and third-party risk management 
  11. Addressing the human element through security culture and awareness 
  12. Ensuring board-level visibility and accountability for cyber risk.

From Compliance to Verified Trust 

Regulatory compliance, while necessary, addresses only part of the challenge. The harder problem is demonstrating to customers, partners, boards, and regulators that an organisation’s security posture is not merely self-assessed – but independently verified. This is where certification frameworks become strategically important. 

Intertek SAI Global Australia has responded to this moment with a timely and significant innovation: the Data Trust Tricertification, described as the world’s first integrated management system certification covering all three pillars of responsible digital governance simultaneously.

  • ISO/IEC 27001: Information Security Management System – protecting data confidentiality, integrity, and availability.
  • ISO/IEC 42001: AI Management System – governance, transparency, fairness and accountability for AI.
  • ISO/IEC 27701: Privacy Information Management System – extending security controls to personal data governance.

Officially launched at AISA Cybercon 2025 in Melbourne, the program was met with significant interest from industry leaders who recognised both its technical rigour and its market timing. In an environment where clients, procurement teams, and regulators are demanding evidence of digital responsibility, independent certification across all three domains is a powerful differentiator. 

As data and AI continue to transform the way businesses operate, building and demonstrating trust has never been more critical. Our Data Trust Tricertification gives organisations a clear, structured pathway to ensure their systems, data, and AI frameworks meet the highest global benchmarks of integrity and assurance. – Dr. Anand Shankaran, Vice President – Intertek Inform and Business Assurance, Australasia

Why Integration Matters 

A common failure mode in enterprise security is siloed governance. Information security is owned by the CISO, privacy sits with Legal or Compliance, and AI governance – where it exists at all – is being improvised by teams as they go. This fragmentation creates exactly the kind of interrelated vulnerabilities that ASIC is warning about: gaps between systems where accountability is unclear and controls don’t connect. 

The Data Trust Tricertification is designed to close these gaps by treating security, privacy, and AI governance as a unified management system rather than three separate compliance exercises. The approach recognises that many controls across ISO 27001, 27701, and 42001 overlap – meaning organisations that pursue all three through an integrated audit process gain meaningful efficiencies over those pursuing each standard in isolation. 

  • Efficiency: Three certifications from one integrated audit process, with shared controls reducing duplication
  • Holistic Risk Reduction: Coordinated management of risks across AI, information security, and privacy operations
  • Faster AI Adoption: Governance confidence accelerates AI implementation with stakeholder buy-in
  • Market Positioning: Stand out in security-conscious deals and RFPs with independently verified assurance
  • Regulatory Alignment: Meet global regulatory requirements through internationally recognised ISO standards
  • Team Alignment: Clear roles, evidence-based processes, and continuous improvement across the organisation

The Road to Certification 

The Data Trust Tricertification pathway follows a structured four-stage process. It begins with a gap assessment – a review of current policies, procedures, controls, and risks across security, privacy, and AI operations. This produces a gap audit report that enables organisations to develop a prioritised improvement plan. Independent certification audits against all three ISO standards follow, with ongoing surveillance audits conducted annually and a full recertification cycle in the third year. 

Intertek SAI Global acknowledges that many organisations will be at different stages of readiness, including those in the early phases of their AI journey. In fact, the program is designed to be most valuable precisely for those organisations – building governance infrastructure before AI initiatives scale, rather than retrofitting controls after the fact. 

Organisations don’t need to wait until their AI use is mature to build effective governance – the Data Trust Tricertification program is designed to help businesses establish the right foundations early, before AI initiatives scale, controls become harder to implement, and maintaining compliance grows increasingly challenging. – Hussain Riaz, Intertek SAI Global Lead AIMS Auditor and Scheme Program Manager – IT and AI Assurance

Organisations that embed security, privacy, and AI governance frameworks early are better positioned to move quickly on new AI opportunities with board and regulatory confidence. Certification is not a constraint on innovation – it is an enabler of it. 

The Bigger Picture 

ASIC’s warning sits within a broader regulatory shift. The Australian Prudential Regulation Authority (APRA) has similarly cautioned that governance and control measures for AI at major financial institutions are lagging behind the pace of adoption. Internationally, frameworks such as the EU AI Act, the Australian ‘Guidance for AI Adoption’ (AI6) framework, and the NIST AI Risk Management Framework are creating a global baseline expectation that AI use be governed, documented, and auditable.

The direction is unambiguous. Organisations that build verified, independently certified governance frameworks now will have a material advantage – commercially, operationally, and regulatorily – over those that treat cyber resilience as a back-office concern or a future-state aspiration. 

The clock is already at a minute to midnight. The question is not whether to act, but how quickly – and how visibly – an organisation can demonstrate that it already has. 
