Sebi flags risks on Mythos-like AI tools; forms task force, issues advisory

Market regulator warns of AI-driven cybersecurity risks, sets up task force and issues advisory urging regulated entities to strengthen safeguards, monitoring and coordination

The Securities and Exchange Board of India (Sebi) on Tuesday warned of emerging cybersecurity risks from advanced artificial intelligence (AI) tools capable of detecting system vulnerabilities, and asked all regulated entities to strengthen safeguards, monitoring, and coordination.

 

In a circular issued on Tuesday, the regulator said the rapid evolution of AI-driven vulnerability identification tools, such as those similar to “Mythos”, could increase the risk of exploitation at scale, while also raising concerns around data confidentiality, application integrity, and the reliability of outputs.

 

Highlighting the interconnected nature of the securities market ecosystem, Sebi said vulnerabilities at one participant could have cascading effects across the system, necessitating a coordinated and continuous approach to risk management and information sharing.

 

To address these risks, Sebi has constituted a task force named Cyber Suraksha AI, comprising representatives from market infrastructure institutions, qualified registrars and transfer agents, and other stakeholders. The group will assess cybersecurity risks from AI models, develop mitigation strategies, facilitate the sharing of threat intelligence, and review the cyber posture of third-party service providers.

 

The regulator has also issued a detailed advisory outlining immediate and medium-term measures. These include promptly patching systems, conducting regular vulnerability assessments (including using AI tools where appropriate), strengthening application programming interface security, and enhancing monitoring through security operations centres.

 

Sebi has asked entities to expedite onboarding to the Market-SOC framework set up by exchanges, ensure continuous risk assessments — including AI-related scenarios — and adopt measures such as zero-trust architecture and system hardening to reduce attack surfaces.

 

Regulated entities have been directed to engage with vendors for timely updates and to develop long-term strategies for the use of AI in both threat detection and mitigation.