Fortune India Explainer: How Sebi plans to counter cyber risks from AI tools like Mythos


The capital markets regulator has also set up a new task force, ‘cyber-suraksha.ai’, to address the growing cybersecurity risks posed by advanced AI tools like Mythos.

Sebi warns of rising risks from AI tools like Mythos | Credits: Fortune India

Amid rising concerns over the Mythos AI tool, the Securities and Exchange Board of India (Sebi) has cautioned market participants about the growing cybersecurity risks posed by advanced artificial intelligence tools used for vulnerability detection. The capital markets regulator has also set up a new task force, ‘cyber-suraksha.ai’, to address these emerging threats.


“The rapid evolution of emerging technologies, including AI-driven vulnerability identification tools (e.g., Claude Mythos), has introduced new dimensions of risks for regulated entities,” Sebi said in its advisory.

It added that such tools “may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities using speed and scale,” while also raising concerns around “data confidentiality, application integrity, and reliability of outputs.”


What is cyber-suraksha.ai?

In a bid to counter cyber risks from AI tools like Mythos, Sebi has constituted a task force, ‘cyber-suraksha.ai’, comprising representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), regulated entities (REs), and other stakeholders.

The task force has been mandated to “closely examine the cybersecurity risks posed by AI-based models and devise a uniform mitigation strategy against the risks posed by such models.”

What will be the focus area of the task force?

The regulator has directed the representatives of the task force to facilitate the sharing of threat intelligence, best practices in vulnerability management, use cases, and response playbooks to tackle emerging threat vectors.

Additionally, they have been mandated to report, on a priority basis, any cyber incidents or malicious activities, significant attack vectors, and information on vulnerabilities that could help strengthen the cybersecurity posture of the securities market ecosystem.


Further, Sebi has directed them to review the cybersecurity preparedness of third-party application service providers, including empanelled vendors.

What are the key advisories for stakeholders?

The regulator has advised entities to immediately update operating systems and applications with the latest patches to address known vulnerabilities. In cases where patches are unavailable, they have been asked to consider virtual patching to protect systems and networks.


It has also directed regular vulnerability assessments using both conventional and AI-based tools, along with continuous security audits in line with Sebi’s Cyber Security and Cyber Resilience Framework.

Further, Sebi emphasised the need for stronger oversight of third-party vendors, directing exchanges and depositories to ensure that empanelled application providers “undertake comprehensive assessment of the risks arising from the use of AI-led vulnerability detection models” and implement safeguards such as patch updates, VAPT, and continuous monitoring.


The advisory also stresses robust change management practices, enhanced API security measures—including strong authentication, rate limiting, and whitelist-based access—and continuous monitoring through Security Operations Centres (SOC). It highlights the role of the Market SOC (M-SOC), jointly established by the National Stock Exchange of India and BSE Limited, as a “centralized security platform” offering “24x7 real-time monitoring and threat detection,” urging eligible entities to expedite onboarding.

Sebi has also called for periodic risk assessments, including “scenario-based testing… related to cybersecurity in REs’ IT environment,” with AI-based threats considered as a key risk scenario. Additional measures include system hardening, maintaining updated asset inventories, and adopting Zero Trust Network approaches to minimise attack surfaces.

Going forward, the regulator has asked all regulated entities to “prepare a long-term plan for usage of AI in detection and autonomous/agentic mitigation,” while recalibrating risk frameworks to address AI-driven threats and strengthening continuous vulnerability management using AI tools.