SEBI, through Circular No. HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 dated May 5, 2026, issued an advisory addressing cybersecurity risks arising from advanced AI-driven vulnerability detection tools such as Mythos. Recognising the increasing threat posed by AI-enabled identification and exploitation of system vulnerabilities, SEBI constituted a task force named cyber-suraksha.ai comprising market infrastructure institutions, qualified regulated entities, and stakeholders to coordinate vulnerability management, threat intelligence sharing, and mitigation strategies. The advisory mandates regulated entities to strengthen cybersecurity frameworks through immediate patch management, AI-assisted vulnerability assessments, enhanced API security, continuous SOC monitoring, system hardening, risk assessments, and onboarding with centralized Market SOC platforms. SEBI also directed entities to engage with third-party vendors for security reviews and develop long-term AI-based detection and mitigation plans. The circular reinforces SEBI’s focus on coordinated cybersecurity resilience, operational stability, and protection of the securities market ecosystem from AI-accelerated cyber threats.
Securities and Exchange Board of India.
Circular No. HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 Dated: 05.05.2026
To,
All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTI) and Self-Certified Syndicate Banks (SCSBs)
All Clearing Corporations
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories
All Designated Depository Participants (DDPs)
All Depository Participants through Depositories
All Investment Advisors (IAs) / Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs)/ Asset Management Companies (AMCs)
All Portfolio Managers
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)
Dear Sir/Madam,
Subject: Advisory on Emerging Advanced Artificial Intelligence (AI) Tools for Vulnerability Detection (like Mythos)
A. The rapid evolution of emerging technologies, including AI-driven vulnerability identification tools (e.g. Claude Mythos), has introduced new dimensions of risk for Regulated Entities. Such tools may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities at speed and scale. They may also introduce concerns relating to data confidentiality, application integrity and reliability of outputs.
B. Due to the interconnectedness and interdependency of market participants in the Securities Market Ecosystem, a periodic coordinated approach for vulnerability management, information sharing and monitoring/assessment is required to prevent a cascading impact.
C. In view of the above, a task force, namely cyber-suraksha.ai (email id: project-cyber-suraksha.ai@sebi.gov.in), has been constituted comprising representatives from MIIs, QRTAs, all QREs, and other related stakeholders with the following mandate:
i. Closely examine the cybersecurity risks posed by AI-based models and devise a uniform mitigation strategy against the risks posed by such models.
ii. Facilitate sharing of threat intelligence, best practices on vulnerability management, use cases, playbooks to respond to the threat vector, etc.
iii. Report on a priority basis cyber incidents or malicious activities, significant attack vectors, information on vulnerabilities, etc. that may be relevant to strengthening the cyber security posture of the securities markets.
iv. Review the cyber security posture of third-party application service providers, including empaneled vendors.
D. A meeting of the task force cyber-suraksha.ai was convened (with MIIs and QRTAs) to review the risks posed by AI platforms like Mythos and discuss the mitigation measures. Based on the consultation with the said task force, an advisory is enclosed at Annexure-A.
E. This advisory should be read in conjunction with the applicable SEBI circulars (including but not limited to Cybersecurity and Cyber Resilience framework) and any subsequent updates issued by SEBI from time to time.
F. This circular is issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
Yours faithfully,
Deputy General Manager
Phone: 022-26449599
Email: mamtar@sebi.gov.in
Annexure-A
1. Update all operating systems and applications with the latest patches on an immediate basis to mitigate any identified/known vulnerabilities. As an interim measure for vulnerabilities where patches are not available, virtual patching can be considered for protecting systems and networks.
2. Conduct Vulnerability Assessment (using conventional and suitable AI-based Vulnerability Assessment Tools where possible) and undertake security audits on a regular/continuous basis in accordance with the Cyber Security and Cyber Resilience Framework of SEBI.
3. Engage with the respective RE’s third-party vendors to release timely patches and deploy them appropriately. Exchanges and Depositories shall direct their empaneled application vendors (providing COTS solutions to respective members) to undertake a comprehensive assessment of the risks arising from the use of AI-led vulnerability detection models. Based on the assessment, vendors shall implement appropriate safeguards including patch updates, VAPT, continuous monitoring, hardening measures, etc.
4. Change Management: Any change in the systems (including minor changes) should encompass full documentation, thorough impact analysis, structured review, rigorous testing and secure deployment to ensure operational resilience and system stability.
5. API Security:
a. Inventory of all APIs and the applications using the APIs should be updated regularly.
b. Ensure strong authentication and authorization mechanisms to enable secure verification of end-user client identity as well as limit the information access/ transfer to users/ systems based on least privilege.
c. API rate limiting and throttling to prevent and detect abuse.
d. Connections through APIs to be strictly on a whitelist-based approach.
6. SOC Monitoring:
a. Regular day-to-day monitoring of the systems and networks must be carried out rigorously. SOC alerts should be adequately examined, including the low-priority alerts.
b. Implement enhanced Security Orchestration, Automation and Response (SOAR) playbooks integrated with Security Information and Event Management (SIEM) solutions, after thorough testing wherever feasible.
c. The Market SOC (M-SOC), established by NSE and BSE, serves as a centralized security platform and provides 24×7 real-time monitoring and threat detection across digital infrastructure. In view of the enhanced risks posed by AI-driven attacks, all eligible REs (not yet onboarded with any M-SOC) shall expedite their onboarding.
d. MIIs are required to conduct awareness and handholding programs, including periodic workshops to ensure a smooth onboarding process and integration with M-SOC.
7. Risk Assessment: The Cyber Security and Cyber Resilience Framework (CSCRF) of SEBI has mandated periodic Risk Assessment of the REs including their Third Party Service Providers to enhance visibility and conduct a reasonably accurate assessment of the overall cybersecurity risk posture. Risk assessment shall include comprehensive scenario-based testing for assessing risks (including both internal and external risks) related to cybersecurity in REs’ IT environment. The capability of AI based models may also be considered as one of the risk scenarios.
8. Implement system hardening by adopting secure configurations, disabling unnecessary services and default accounts, and enforcing controls such as least privilege and Zero Trust Network Access (ZTNA) to minimize the attack surface.
9. Periodically update Asset Inventory and Software Bill of Materials for all critical applications including open source stack.
10. MIIs and other Regulated Entities shall seek guidance from their respective IT committees for mitigating risks emanating from AI-led vulnerability detection models. Further, all REs need to prepare a long-term plan for the usage of AI in detection and autonomous/agentic mitigation. REs shall also undertake other measures including recalibration of risks for AI-accelerated threats, AI-augmented SOC transformation, and continuous vulnerability management using AI tools.
****************