SEBI Orders Cybersecurity Overhaul as Mythos AI Threatens Indian Securities Markets

India orders infosec red alert in case Mythos sparks crime

Securities regulator urges market players to develop new strategies and nail cyber-basics before AI models fuel mass attacks India's Securities and Exchange Board has advised participants in the nation's equities industry to immediately revisit their information security systems and practices, in case Anthropic's Mythos bug-finding AI sparks a cyberattack spree. The Board is India's equivalent of the USA's Securities and Exchange Commission, or the UK's Financial Conduct Authority. On Tuesday, the Indian regulator issued an advisory that opens with the following observation: In response to those threats, the Board has established a taskforce that will examine the risks posed by models like Mythos, share threat intelligence, report incidents, and initiate a review of cybersecurity at third-party software vendors who supply the regulator and the entities it oversees. The advisory then offers some basic infosec advice: ensure patches are up to date, conduct audits of potential vulnerabilities, conduct inventories of APIs and secure them, run a serious SOC and take its advice, and harden systems by adopting principles such as zero-trust networking and running only essential services. The regulator also told participants in India's equities markets to have their IT committees issue guidance on how to mitigate risks created by AI-led vulnerability detection models, then develop a plan to use AI as part of their infosec armoury. "Also, undertake other measures including recalibration of risks for AI accelerated threats, AI-augmented SOC transformation, and continuous vulnerability management using AI tools," the advisory states. The Board directed the above advice at 19 different classes of company, ranging from venture capitalists to merchant bankers, mutual funds, stock exchanges, and even niche suppliers such as agencies that store know your customer information. Other regulators around the world have also acknowledged the risks Mythos poses. US Treasury Secretary Scott Bessent convened an emergency meeting with the nation's banks a few weeks back. Singaporean regulators did likewise, yesterday. Australian regulators sent local banks a strongly worded reminder that they must develop AI strategies that consider risks the technology creates. Hong Kong's Monetary Authority is working on new infosec guidance for the age of Mythos. India's approach stands out for effectively putting entities it regulates on alert to an imminent threat and ordering them to take action to prevent problems. ®

SEBI Orders Cybersecurity Overhaul Over Mythos Concerns

The Securities and Exchange Board of India (SEBI) has named Anthropic's Claude Mythos in a circular dated May 5, ordering every regulated entity in Indian securities markets to immediately overhaul their cybersecurity infrastructure. SEBI is the first Indian financial markets regulator to name a specific AI model in a formal circular; CERT-In had first named Mythos across all sectors on April 26. The circular covers stock exchanges, depositories, mutual funds, brokers, credit rating agencies, custodians, merchant bankers, and portfolio managers, among others. SEBI's concern: Mythos can identify and exploit vulnerabilities "using speed and scale," threatening data confidentiality, application integrity, and reliability of outputs. Because all market participants are interconnected, one breach can trigger a domino effect across the entire ecosystem. SEBI has also constituted a task force called cyber-suraksha.ai, comprising representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), and other regulated entities, to examine AI-driven cybersecurity risks, share threat intelligence, report cyber incidents on priority, and review third-party vendor security posture. What the circular requires: 6. Overhaul SOC monitoring. A Security Operations Centre (SOC) monitors an organisation's systems for threats around the clock. The circular requires: 7. Include AI as a risk scenario. Periodic risk assessments must now explicitly model AI model capabilities as a threat scenario. 8. Harden systems. Entities must adopt secure configurations, disable unnecessary services and default accounts, and enforce Zero Trust Network Architecture (ZTNA), a security model that requires verification at every step, assuming no user or system is trustworthy by default. 9. Update software inventory. Entities must periodically update their Software Bill of Materials (SBOM), a complete list of all software components, including open-source code, for all critical applications. 10. Build long-term AI defence. All regulated entities must prepare a long-term plan for using AI in detection and autonomous agentic mitigation, where AI systems independently identify and respond to threats without waiting for human instruction, including AI-augmented SOC transformation. Why this matters: SEBI naming Mythos in a circular is a significant regulatory moment. As MediaNama has reported, no Indian company, bank, or government agency has secured access to Mythos under Project Glasswing, Anthropic's $100 million restricted access programme. MeitY Secretary S. Krishnan confirmed on April 28 that India is still working out logistics with US authorities. This creates a structural contradiction: SEBI is ordering Indian financial institutions to defend against a model they cannot access to defend themselves with. Claude Security, Anthropic's enterprise defensive tool, gives Indian firms an indirect path through Infosys as a named partner, but runs on Opus 4.7, which produces two working exploits on the Firefox 147 benchmark against Mythos's 181, a 90x capability gap. MediaNama founder Nikhil Pahwa identified the core problem: "A tool that compresses attack timelines without compressing defense timelines increases systemic risk before it improves security." The data localisation conflict also remains unresolved. India's 2018 rules require payment system providers to store all transaction data on servers within India, while Mythos is hosted on US-based servers. The National Payments Corporation of India (NPCI) has not publicly addressed this.