SEBI forms cyber-suraksha.ai task force on AI risks

What triggered SEBI’s latest cyber alert

The Securities and Exchange Board of India (SEBI) on Tuesday flagged emerging cybersecurity risks linked to advanced artificial intelligence tools that can rapidly identify system vulnerabilities. In its circular and advisory, SEBI said that the rapid evolution of AI-driven vulnerability identification tools, including those similar to “Mythos”, could increase the risk of exploitation at scale. The regulator highlighted concerns around data confidentiality, application integrity, and the reliability of outputs from such tools.

SEBI framed the risk as systemic, not isolated. It said the securities market ecosystem is highly interconnected, and a weakness at one participant can create cascading impact across the system. That interconnectedness, SEBI said, makes coordinated, continuous vulnerability management and information sharing essential.

Why AI-led vulnerability detection is different

SEBI’s advisory focused on tools that can scan and detect weaknesses quickly and at scale. It cautioned that the same capability that can strengthen defence can also be used to exploit gaps faster, potentially expanding the blast radius of a breach. The regulator’s note specifically mentioned the risk that advanced AI tools could accelerate exploitation of known and unknown vulnerabilities.

SEBI also pointed to risks beyond immediate breach scenarios, including data confidentiality issues and potential questions around integrity and reliability when AI outputs are used in security workflows. The regulator’s messaging positioned these risks as relevant across intermediaries and infrastructure providers, given operational dependencies in the market.

Cyber-suraksha.ai: the new SEBI task force

To address AI-linked cyber threats, SEBI constituted a task force named cyber-suraksha.ai. It includes representatives from market infrastructure institutions, qualified registrars and transfer agents, regulated entities, and other stakeholders.

SEBI said the task force will assess cybersecurity risks arising from AI models and AI-led detection tools, develop mitigation strategies, and facilitate sharing of threat intelligence and best practices. It will also review the cyber posture of third-party service providers and vendors. Separate reporting noted the task force’s remit includes reporting cyber incidents, malicious activities, and system vulnerabilities to strengthen India’s securities market cybersecurity framework.

SEBI also said a meeting of the task force has already been held to assess risks posed by AI platforms like Mythos and to discuss mitigation measures.

SEBI’s advisory: immediate and medium-term steps

Alongside the task force, SEBI issued a detailed advisory outlining measures for regulated entities. The steps span basic cyber hygiene as well as architecture-level upgrades.

The regulator asked entities to patch systems promptly and conduct regular vulnerability assessments, including using AI tools where appropriate. It also advised strengthening API security and enhancing monitoring through Security Operations Centres (SOCs). SEBI directed entities to ensure continuous risk assessments that explicitly include AI-related scenarios.

On hardening posture, SEBI asked entities to adopt measures such as zero-trust architecture and system hardening to reduce attack surfaces. It also directed regulated entities to engage with vendors for timely updates and to develop long-term strategies for using AI in both threat detection and mitigation.

Market-SOC onboarding and continuous monitoring

SEBI asked entities to expedite onboarding to the Market-SOC framework set up by exchanges. The regulator linked this to the need for real-time monitoring and threat detection in the context of rising AI-driven risks.

It also directed market infrastructure institutions and other intermediaries to report cyberattacks, vulnerabilities, and malicious activities on a priority basis. The emphasis on fast reporting reflects SEBI’s view that coordinated response and information sharing are central to preventing cascading disruption.

Key directives at a glance

What SEBI’s chairman said at IMC Capital Markets conference

Ahead of the Tuesday circular, SEBI chairman Tuhin Kanta Pandey spoke about AI-linked cyber risk at the IMC Capital Markets conference in Mumbai on Monday. He said powerful AI systems, including models such as Claude Mythos, can strengthen and undermine market resilience.

Pandey said such tools can identify weaknesses faster, but can also exploit vulnerabilities at speed and scale. He reiterated that in an interconnected securities market, a single weak link can create wider risks. He added that SEBI is in active engagement with market participants and stakeholders and would “soon issue an initial advisory” addressing risks from advanced AI systems and AI-driven detection capabilities.

Finance minister’s warning and the broader policy context

Finance minister Nirmala Sitharaman, speaking in Mumbai on April 26, 2026, identified AI-powered cyberattacks as the single gravest systemic threat facing Indian financial markets and outlined a five-point reform agenda for SEBI. She cited a record 366 IPOs in FY2025-26 raising Rs 1.9 lakh crore as evidence that market depth and regulatory capacity need to scale together.

Sitharaman listed attack vectors including automated discovery of vulnerabilities, malicious interference with source code, software supply chain attacks, and coordinated intrusions that evolve in real time to evade detection. She noted SEBI’s Cybersecurity and Cyber Resilience Framework (effective April 2025) and SEBI’s Data Analytics and Digital Forensics Laboratory that uses AI and machine learning models to detect complex market manipulation patterns and network-based fraud.

She also pointed to concentration risk, saying NSDL and CDSL hold over $1 trillion in dematerialised securities, and warned that a successful attack on a major exchange or depository would not remain contained.

Other SEBI priorities mentioned alongside the cyber push

Pandey separately said progress on a centralised KYC framework is expected by June, aimed at enabling a single, interoperable KYC across the financial sector. He flagged authentication as the key bottleneck and warned that without robust verification, pooled data could become “untrustworthy”.

SEBI also proposed changes to norms governing securitised debt instruments (SDIs), including allowing single-asset securitisation by RBI-regulated entities, winding up of securitisation transactions, and easing certain structural restrictions to boost market development.

Timeline of key developments

Why this matters for market participants

SEBI’s messaging makes AI-led cyber risk a coordination problem as much as a technology problem. By directing priority reporting of incidents and pushing Market-SOC onboarding, the regulator is signalling that detection, response, and information sharing must operate continuously across the ecosystem.

The creation of cyber-suraksha.ai also formalises a mechanism for developing uniform mitigation strategies and reviewing vendor and third-party exposure, an area SEBI explicitly highlighted. The next steps, based on SEBI’s advisory, centre on faster patching, routine vulnerability assessments, tighter API security, and implementation of zero-trust and hardening measures.

Conclusion

SEBI’s Tuesday advisory and the formation of the cyber-suraksha.ai task force mark a focused regulatory response to AI-driven vulnerability detection risks. Regulated entities have been asked to strengthen monitoring, accelerate remediation, and report incidents on priority, while also tightening third-party and vendor controls. SEBI’s parallel work on centralised KYC, expected to show progress by June, underscores that cyber resilience and trusted digital processes are moving together on the regulator’s agenda.