RBI asks banks to assess AI risk gaps, draw action plan by June-end

RBI has directed banks to assess cyber risks from advanced AI models such as Claude Mythos and submit mitigation plans by June-end

The Reserve Bank of India (RBI) has asked banks and other regulated entities (REs) to complete a board-approved gap assessment test and formulate a timebound action plan by the end of June to address risks arising from frontier artificial intelligence (AI) models such as Claude Mythos. 

The exercise requires REs to establish a structured cybersecurity framework, undertake AI-led tests against potential threats, and identify existing vulnerabilities, among other measures, according to people familiar with the matter. 

Frontier AI models are the most advanced general-purpose artificial intelligence systems, trained on vast datasets and capable of performing a wide range of tasks, and Mythos was referred to by Finance Minister Nirmala Sitharaman in April as “a new challenge”. 

Mythos is a frontier AI model developed by US-based artificial intelligence company Anthropic. It is designed to identify software vulnerabilities and other cyber risks, and has shown the ability to discover and potentially exploit security flaws before malicious actors can do so. 

It can assist in identifying so-called ‘zero-day vulnerabilities’ — security flaws unknown to developers that have not yet been patched — and it is the potential for this capability to be exploited maliciously that is causing concern within the sector. 

The regulator’s focus comes at a time when access to Mythos is currently limited to a select group of companies globally, leaving Indian financial sector entities to evaluate other advanced AI models that are already publicly available for potential use-cases across their operations.  Anthropic has expanded the availability of its Mythos AI models to over 15 countries, including India. 

“Financial institutions can start by assessing their external internet-facing infrastructure with any frontier AI model that is capable,” said Kartik Shinde - partner, cybersecurityconsulting, EY India. 

“For RBI and Sebi (Securities and Exchange Board of India)-regulated entities, they are required to do a gap assessment against the Mythos- related advisories which include AI adversarial testing, scanning for existing vulnerabilities using AI, among other things. We have been actively using AI tech in our traditional human-led security testing,”  Shinde added.

 

A senior executive at a fintech company said firms in the sector had sought access to Mythos under controlled conditions to evaluate the model and its safeguards, but were still awaiting approval from Anthropic.

 

The executive added that firms were also assessing whether the use of advanced AI models could raise concerns around data localisation requirements or introduce cybersecurity risks through exposure of internal systems and architectures.

 

Another executive said vulnerabilities identified within critical digital public infrastructure such as Unified Payments Interface (UPI) are routinely patched, adding that the network's permissioned architecture and restricted participation help limit security risks.

 

“Companies will keep finding and fixing vulnerabilities. Patch management has always been a cycle. We track zero-day, 30-day, 60-days, among other issues. The only challenge for the industry is that the speed of deployment must be extremely high, and everyone is trying to improve that in their systems,” the person said.

 

EY India said that it had developed a framework to help banks and other financial sector entities respond to recent regulatory guidance on AI-accelerated cyber threats. This includes identification through assessment, closing exploitable gaps and ensuring durable operating capability.

 

Last week, the Reserve Bank of India (RBI) said it is “fully prepared” to handle cyber security threats related to Mythos and has issued advisories to regulated entities for their preparedness.  

 

"We have issued the required advisories. We remain fully prepared in terms of handling cyber security threats of this nature as well as conventional threats,” said Deputy Governor Swaminathan J, at the post monetary policy press meet. According to Swaminathan, this project will select corporates and financial entities having access to the project. However, details are still awaited.

 

“Once this opportunity opens up, how exactly to make use of it in consultation with the government and with other regulators, we will take further steps,” Swaminathan said.

 

“This system has been engaging our attention, both at the government level and at the financial sector inter-regulatory forum level. RBI in consultation with the government and other regulators, will take further steps once the contours of participation become clear.

 

“We are mindfully prepared in terms of handling cyber security threats of this nature as well as the conventional nature. And we will keep the market informed once we have full details as to how we plan to handle this,” he said.

 

In April, finance minister Sitharaman met bank heads to assess cybersecurity risks associated with emerging challenges linked to artificial intelligence models like Mythos.

 

During the meeting, Sitharaman asked banks to take proactive measures to secure IT systems, safeguard customer data, and protect financial resources. Banks were also advised to promptly report suspicious activities to relevant authorities, including the government;s cyber security agency CERT-In, and maintain close coordination with all concerned agencies.

 

“…A new challenge has emerged in the form of Mythos,” Sitharaman had said.

 

“Not much is known about it yet. The Ministry of Electronics and Information Technology is actively engaging with authorities and governments across the globe, as well as with technology companies, to understand how this will evolve and what kind of preparedness is required in India,” she added.

 

There would be extensive interactions among banks, under the aegis of the Indian Banks’ Association, to assess investment needs, adopt new technologies, and leverage artificial intelligence to counter evolving threats, she said. 

‘Zero-day vulnerabilities’

• Banks required to establish cybersecurity framework, identify existing vulnerabilities, undertake AI-led adversarial testing
• Claude Mythos has exhibited capabilities to identify zero-day vulnerabilities
• Most Indian financial sector entities await access
• They are expected to evaluate other advanced AI models that are already publicly available for potential use cases