
Meet the Authors
Financial regulators across Singapore, India, Japan, Hong Kong, and Australia issued binding AI cybersecurity deadlines directly tied to Claude Mythos capabilities.
South Korea moved from a National Security Council emergency review to active Mythos deployment for national cyber defense in under one month.
SAP and ERP environments across Asia Pacific now face board-level AI cybersecurity obligations that attach to where operations run, not headquarters location.
Anthropic’s Mythos model changed the policy conversation around AI and cybersecurity by showing how quickly frontier systems could identify and exploit vulnerabilities. That capability changes the operating question for enterprises: how quickly can they find exposed systems, and how much control do they still have once exploitation begins?
The US response has centered on federal systems and voluntary industry cooperation. A June 2 executive order created a voluntary framework for frontier AI developers, while CISA followed with a directive that accelerates remediation timelines for federal agencies.
Across Asia, the response took a different shape. Financial regulators, national security agencies, and cybersecurity authorities issued advisories, circulars, joint requests, and board-level deadlines that treated AI-enabled cyber risk as a governance obligation.
What follows is a reference map of that response: where governments moved, which obligations are forming, and what it means for enterprises operating across the region.
The Binding Tier — Financial Regulators Moved First
Singapore, India, Japan, Hong Kong, and Australia show the clearest regulatory pattern. Their responses differed by instrument, deadline, and coverage, but shared one feature: AI-enabled cyber risk became a board, regulatory, and resilience issue.
Singapore issued some of the region’s most detailed expectations. The Cyber Security Agency released an April 15 advisory on frontier AI risks, with new expectations for AI inventories, access controls, abuse testing, output monitoring, and human oversight in financial transaction decisions. Two days later, the Monetary Authority of Singapore issued its own advisory, explicitly citing Claude Mythos and GPT-5.4-Cyber as triggers and warning that a reactive cybersecurity posture was no longer sufficient.
India added a hard compliance marker. The Reserve Bank of India issued separate advisories for commercial banks and payment system operators, with a June 30 deadline for board-approved gap assessments and time-bound remediation plans. CERT-In separately released a blueprint calling for critical internet-facing vulnerabilities and crown-jewel assets to be remediated within 12 hours.
Japan’s Financial Services Agency and Bank of Japan issued a joint request to financial institutions on May 22, with an implementation window of about one month. The most significant requirement was that financial institutions were told to prepare for the active shutdown of priority services and IT systems if that became necessary to contain risk.
Hong Kong’s Securities and Futures Commission issued Circular 26EC32 on June 2. The circular cited an increase in cyber incidents and placed responsibility with senior management. Its emphasis on current asset inventories, exposed systems, patching, detection, and recovery made AI-enabled cyber risk part of regulated-firm governance.
The Australian Prudential Regulation Authority warned regulated entities that AI adoption was outpacing risk management maturity, while the Australian Securities and Investments Commission required its May 8 open letter to be tabled at boards and risk governance committees. The Department of Home Affairs separately issued a frontier AI advisory for Commonwealth government entities, telling agencies they did not need access to the most advanced models to improve their defenses.
South Korea — the Most Complete Response
South Korea moved from emergency review to active use of the same technology in less than a month. On May 13, the National Security Council convened an interagency meeting and directed emergency measures across private, public, and military sectors, calling for real-time sharing of vulnerability information.
The response then moved into financial regulation. In late May, the Financial Services Commission relaxed South Korea’s strict network separation rules for qualifying financial firms, allowing them to use cloud-based AI tools for cybersecurity work. The change allowed financial firms to use cloud-based AI tools for cybersecurity work, including vulnerability assessment, security software testing, and defensive system development.
The Ministry of Science and ICT followed with a broader private-sector plan on May 29. It created a central vulnerability management function through the Korea Internet and Security Agency and extended oversight to companies in sectors including finance, healthcare, and energy. It also set up a channel for vulnerability and patch information to reach 28,000 companies, the military, and the National Intelligence Service.
South Korea’s most notable move came on June 3, when the Korea Internet and Security Agency joined Anthropic’s Project Glasswing. That gave KISA access to Mythos for defensive work. The country that treated Mythos as a national security concern in May was using it as part of national cyber defense by June.
The Second Wave — Governments Building Toward Requirements
Taiwan, Indonesia, and Malaysia have not issued binding directives on the scale of other governments in Asia. Still, each government has begun to define AI-enabled cyber risk as a policy issue, creating a path toward stronger requirements.
Taiwan’s Administration for Cyber Security warned in mid-May about AI-driven cyber threats, explicitly naming Claude Mythos and GPT-5.5. Its guidance emphasized cybersecurity basics, including vulnerability management, recoverable backups, continuity planning, least-privilege access, multifactor authentication, and disabling unnecessary external services. The response placed resilience and recovery at the center.
Indonesia’s response is moving through legislation. Its Cyber Security and Resilience Bill is advancing through parliament and includes a provision requiring AI use in critical information infrastructure to remain under human control and supervision. The bill shows how AI risk is being written into critical infrastructure governance.
Malaysia is also active. The National AI Office is examining financial-sector AI risk, while a Cybercrime Bill targeting AI-enabled impersonation was scheduled for parliamentary consideration in June. Existing technology risk and cyber rules already give regulators tools to act, but the country has not yet issued a Mythos-specific or frontier-AI cyber directive.
China — A Different Regulatory Posture
China’s response does not fit the same pattern as the rest of the region.
The Ministry of State Security warned users and developers about AI relay services that provide indirect access to models such as Claude and GPT. The Cyberspace Administration of China also launched a four-month enforcement campaign against AI application “chaos,” covering areas such as model registration, content labeling, data poisoning, deepfakes, and platform review controls.
China’s Cybersecurity Law amendments, which took effect in January, added a new AI article covering algorithmic development, training data, ethical norms, risk monitoring, and safety oversight. Together, those actions point inward. Beijing’s response centers on frontier AI access, deployment, and governance inside China, while other governments in the region focused more directly on enterprise hardening and incident readiness.
What This Means for SAPinsiders
- Location of operations determines compliance exposure. Every jurisdiction covered here regulates behavior and activity. An enterprise operating a financial platform, healthcare system, or energy asset in Singapore, India, Japan, Hong Kong, Australia, or South Korea faces AI-cyber obligations that attach to the asset and the activity — determined by where operations run, not where the company is headquartered.
- Financial sector framing signals a systemic risk reclassification. The fact that financial regulators — not just cybersecurity agencies — led the response across most of the binding tier is not incidental. When markets regulators treat AI-enabled cyber exposure as a board governance issue, they are categorizing it alongside capital adequacy and operational risk. That reclassification has compliance, insurance, and liability implications that have not yet fully worked through enterprise risk frameworks.
- SAP enterprises in Asia operate inside the emerging compliance perimeter. The obligations forming across this region — board-level gap assessments, asset inventories, patching timelines, access controls, and human oversight requirements — map directly onto SAP system landscapes. ERP environments running finance, supply chain, and critical operations are the systems these regulators are writing rules around.




