India’s market regulator has warned that fast-evolving AI tools could amplify cyber vulnerabilities across the securities ecosystem.
In an advisory issued on Tuesday, the Securities and Exchange Board of India (Sebi) said it has constituted a task force named cyber-suraksha.ai, which includes market infrastructure institutions and other related stakeholders.
“Due to the interconnectedness and interdependency of market participants in the securities market ecosystem, a periodic coordinated approach for vulnerability management, information sharing and monitoring/assessment is required to prevent a cascading impact,” said Sebi in a circular.
The regulator cautioned regulated entities about the rising risks from emerging technologies, particularly AI-driven vulnerability identification tools such as Claude Mythos.
These systems can detect weaknesses at scale and speed, increasing the possibility of their exploitation, while also raising concerns about data confidentiality, application integrity, and the reliability of outputs, it said.
Sebi has also directed entities to immediately update their operating systems and applications to the latest patches to address known vulnerabilities and to consider virtual patching as an interim measure when fixes are unavailable.
Regular checks
It has mandated regular, continuous vulnerability assessments using both conventional and AI-based tools, along with security audits aligned with its cybersecurity and cyber resilience framework.
Market participants will have to engage closely with third-party vendors to ensure timely patch deployment.
Exchanges and depositories have been tasked with ensuring vendors assess risks posed by AI-led models and implement safeguards such as patching, vulnerability testing, continuous monitoring, and system hardening.
Further, Sebi has tightened the norms governing system changes, mandating full documentation, impact analysis, and rigorous testing for all such changes.
It has prescribed enhanced API security through updated inventories, strong authentication and whitelist-based connections.
Market participants have also been asked to strengthen security operations centre (SOC) monitoring, including reviewing low-priority alerts and integrating automated response systems.
Sebi has also pushed eligible entities to onboard the market-wide SOC platform set up by the National Stock Exchange of India and BSE for real-time threat detection.
“All regulated entities need to prepare a long-term plan for the usage of AI in detection and autonomous/agentic mitigation,” it added.
The regulator also suggested other measures, including recalibrating risk assessments for AI-accelerated threats, AI-enabled SOC transformation, and continuous vulnerability management using AI tools.
