Risk management for market infrastructure institutions in the AI era

With Sebi’s new task force sending out an advisory on AI risk management to market participants, financial technology services firms such as KFin Technologies are gearing up for the AI stress test

Following the formation of the ‘Cyber-Suraksha.ai’ task force by market regulator the Securities and Exchange Board of India, and its meeting to review the risks posed by AI platforms like Mythos, a detailed advisory has been issued to all market participants.

Consisting of representatives from market infrastructure institutions (MIIs, financial entities that provide essential facilities such as trading, clearing, settlement, and depository services to keep capital and securities markets running), registrars to an issue and share transfer agents, all regulated entities, and other related stakeholders, the task force is mandated not just to examine cybersecurity risks posed by AI-based models and come up with uniform mitigation strategies, but also to facilitate sharing of threat intelligence, report on cyber incidents or malicious activities, and review the cybersecurity posture of third-party application service providers, including the currently empanelled vendors.

The advisory to market entities includes immediately updating all operating systems and applications with the latest patches to mitigate any identified/known vulnerabilities; conducting vulnerability assessments, using both conventional and suitable AI tools; and undertaking security audits on a regular/continuous basis. The advisory also emphasises adopting secure configurations, disabling unnecessary services and default accounts, and enforcing solutions like least privilege and Zero Trust Network Access (ZTNA) to minimise attacks.

KFin Technologies, one of the country’s largest registrar and transfer agents, and a central record-keeping agency (CRA), sees this advisory as an indicator of how AI-led cyber risks are shifting the onus from addressing isolated breaches to continuous monitoring of vulnerabilities and exposure across market infrastructure. Srinivas Yadav Karri, Chief Information Security Officer, KFin Technologies Ltd, reads it as a clear message from Sebi. “Market infrastructure entities must demonstrate not just compliance, but leadership in cyber trustworthiness,” he says. For market-related entities, Karri says, AI-related systemic risks currently stem from interconnected platforms, reliance on third-party vendors, and the accelerating pace of AI-driven vulnerability detection.

While Anthropic has given access to Claude Mythos Preview to a number of big tech and frontier tech firms such as Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, and NVIDIA, it has, to date, held back from making the model available to the general public. Indian entities still lack access to such advanced agentic AI models. In such a scenario, Karri says the priority is to build resilience against the unknown through layered defences, continuous monitoring, and stress-testing systems against emerging scenarios. “The ecosystem must anticipate that AI-led vulnerabilities will evolve faster than traditional defences, making scenario-based testing, incident response readiness, and proactive regulatory collaboration indispensable,” he says.

AI-related risks will now require the MII ecosystem to have elevated preparedness in some key areas. Karri points to areas such as patch management, third-party risk management, and adoption of safeguards around AI, which are becoming even more critical as artificial intelligence advances at a fast pace. “At KFintech, our preparedness framework integrates multi-layered defences, encrypted APIs, and disciplined patch management. Incrementally, we are evaluating advanced scenario-based testing, enhanced supply chain transparency through SBOM practices, and deeper collaboration with regulators,” he adds.