Mythos threat ‘real’, says expert as SEBI moves to fortify markets against AI cyber risks

The cybersecurity risks posed by advanced artificial intelligence systems such as Mythos are “real” and could fundamentally reshape how financial institutions manage digital threats, an industry expert warned, as India’s markets regulator steps up its oversight of AI-driven vulnerabilities.

The emergence of large AI models capable of identifying system weaknesses at scale marks a structural shift in cyber defence strategies, said Bruce Keith, cofounder and chief executive of InvestorAi.

“The threat is real. It will change the way financial institutions deal with cyber risk,” Keith said, cautioning that traditional penetration testing cycles may no longer be sufficient in an environment where AI tools can rapidly uncover exploitable gaps.

His comments come amid
heightened regulatory concern following an advisory issued by the Securities and Exchange Board of India (SEBI) on Tuesday.

The regulator flagged emerging risks from AI-based tools used to detect system vulnerabilities, including Anthropic’s Mythos, and announced the formation of a dedicated task force to strengthen cyber resilience across market participants.

SEBI said the rapid evolution of such systems, which can scan and identify weaknesses at scale, raises concerns around potential exploitation, and the reliability of AI-generated outputs in critical financial infrastructure.

“Due to the interconnectedness and interdependency of market participants in the securities market ecosystem, a periodic coordinated approach for vulnerability management, information sharing and monitoring/assessment is required to prevent a cascading impact,” the regulator said in its circular.

Growing debate on AI’s dual-use risks

The move underscores a wider industry debate over the dual-use nature of advanced AI tools — systems that can enhance cybersecurity defences but also lower the barrier for sophisticated cyberattacks.

Keith said the implications extend well beyond financial services, though the risks are particularly acute in markets due to their systemic interconnectedness.

He also called for stronger accountability frameworks governing AI deployment in regulated sectors. “Regulators should be forcing all participants to be responsible for all outcomes from AI and tech tools that they use.,” he said, adding that institutions must have full clarity on how such systems are deployed and governed internally.

‘cyber-suraksha.ai’ task force formed

To address the emerging threat landscape, SEBI has constituted an industry-wide panel named cyber-suraksha.ai, bringing together representatives from market infrastructure institutions (MIIs), qualified registrar and transfer agents (QRTAs), regulated entities, and other stakeholders.

According to the regulator, the task force has already held its first meeting, during which risks arising from AI platforms such as Mythos were assessed alongside possible mitigation frameworks.

Advisory pushes stronger safeguards

Following the initial recommendations of the task force, SEBI has issued a set of advisory measures aimed at tightening cybersecurity standards across the securities market ecosystem.

Recommended measures include regular vulnerability assessments using both conventional and AI-based tools, timely patch management, enhanced monitoring through security operations centres, stronger API security, periodic risk assessments, and adoption of zero-trust architecture to minimise attack surfaces.

The regulator has also directed market participants to coordinate closely with third-party vendors to ensure timely deployment of security updates and conduct comprehensive risk assessments for AI-enabled systems.