In response to the increasing concerns surrounding the Mythos AI tool, the Securities and Exchange Board of India (Sebi) has issued a warning to market participants regarding the cybersecurity risks associated with advanced artificial intelligence tools designed for identifying vulnerabilities. To tackle these burgeoning threats, Sebi has established a new task force named ‘cyber-suraksha.ai.’
Sebi noted in its advisory: “The rapid evolution of emerging technologies, including AI-driven vulnerability identification tools (e.g., Claude Mythos), has introduced new dimensions of risks for regulated entities.”
The advisory further stated that these tools “may increase risk exposure by enabling the identification and potential exploitation of existing vulnerabilities at speed and scale,” while also raising worries about “data confidentiality, application integrity, and the reliability of outputs.”
To counter the cyber risks stemming from AI tools like Mythos, Sebi has formed the ‘cyber-suraksha.ai’ task force, which includes representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), regulated entities (REs), and various stakeholders.
The task force is charged with “closely examining the cybersecurity risks posed by AI-based models and developing a uniform strategy to mitigate the dangers associated with these models.”
Sebi has instructed the task force members to promote the exchange of threat intelligence, best practices in vulnerability management, use cases, and response protocols to address emerging threats effectively.
Moreover, members are required to urgently report any cyber incidents, malicious activities, significant attack vectors, and information about vulnerabilities that could enhance the cybersecurity posture of the securities market ecosystem.
Additionally, Sebi has directed the task force to review the cybersecurity preparedness of third-party application service providers, including accredited vendors.
The regulator emphasized the importance of updating operating systems and applications with the latest patches to address previously known vulnerabilities. Where patches are not available, it has advised considering virtual patching to safeguard systems and networks.
Regular vulnerability assessments utilizing both traditional and AI-based tools, along with continuous security audits, have also been mandated in line with Sebi’s Cyber Security and Cyber Resilience Framework.
Furthermore, Sebi highlighted the necessity for stricter oversight of third-party vendors, urging exchanges and depositories to ensure that accredited application providers “carry out comprehensive assessments of the risks arising from the use of AI-led vulnerability detection models” and implement necessary measures like patch updates, VAPT, and ongoing monitoring.
The advisory underscores the need for robust change management practices, enhanced API security measures—such as strong authentication, rate limiting, and whitelist-based access—and continuous monitoring via Security Operations Centres (SOC). It acknowledged the role of the Market SOC (M-SOC), established collaboratively by the National Stock Exchange of India and BSE Limited, as a “centralized security platform” that offers “24×7 real-time monitoring and threat detection,” urging eligible entities to expedite their onboarding process.
Sebi has also recommended periodic risk assessments, including “scenario-based testing… related to cybersecurity in the IT environment of REs,” treating AI-based threats as a significant risk factor. Additional strategies include system hardening, maintaining updated asset inventories, and adopting Zero Trust Network approaches to minimize potential attack surfaces.
Looking ahead, the regulator has called on all regulated entities to “develop a long-term plan for the utilization of AI in detection and autonomous/agentic mitigation,” while recalibrating risk frameworks to effectively address AI-driven threats and enhancing ongoing vulnerability management through the use of AI tools.