SEBI sets up cyber task force as AI tool ‘Claude Mythos’ raises market vulnerability risks

Market regulator SEBI on Tuesday warned stock market entities about growing cybersecurity risks from advanced artificial intelligence-driven vulnerability detection tools.

In a circular, Securities and Exchange Board of India (SEBI) said emerging AI-based vulnerability identification tools such as "Claude Mythos" could increase risk exposure by enabling rapid identification and possible exploitation of system vulnerabilities at scale.

The regulator said such tools could also raise concerns around data confidentiality, application integrity and reliability of outputs.

“Due to the interconnectedness and interdependency of market participants in the Securities Market Ecosystem, a periodic coordinated approach for vulnerability management, information sharing and monitoring/assessment is required to prevent a cascading impact,” the circular stated.

SEBI has constituted a task force called "cyber-suraksha.ai", comprising representatives from market infrastructure institutions, registrars, regulated entities and other stakeholders, to examine cybersecurity risks posed by AI-based models and devise mitigation strategies.

The task force will examine cybersecurity risks posed by AI-based models, devise mitigation strategies, facilitate sharing of threat intelligence and best practices, and prioritise reporting of cyber incidents and vulnerabilities relevant to securities markets, SEBI said.

It will also review the cybersecurity posture of third-party application service providers, including empanelled vendors.

The regulator issued an advisory alongside the circular, asking regulated entities to immediately update operating systems and applications with the latest patches, conduct regular vulnerability assessments and strengthen API security controls.

It also directed exchanges and depositories to ask empanelled software vendors to assess risks arising from AI-led vulnerability detection models and implement safeguards including patch updates, penetration testing, continuous monitoring and system hardening.

SEBI further advised regulated entities to prepare long-term plans for using AI in threat detection and autonomous mitigation, recalibrate risks arising from AI-accelerated threats, and undertake continuous vulnerability management using AI tools.