The circular can be accessed here.

The Securities and Exchange Board of India (SEBI) has named Anthropic’s Claude Mythos in a circular dated May 5, ordering every regulated entity in Indian securities markets to immediately overhaul their cybersecurity infrastructure. SEBI is the first Indian financial markets regulator to name a specific AI model in a formal circular; CERT-In had first named Mythos across all sectors on April 26.

The circular covers stock exchanges, depositories, mutual funds, brokers, credit rating agencies, custodians, merchant bankers, and portfolio managers, among others.

SEBI’s concern: Mythos can identify and exploit vulnerabilities “using speed and scale,” threatening data confidentiality, application integrity, and reliability of outputs. Because all market participants are interconnected, one breach can trigger a domino effect across the entire ecosystem.

SEBI has also constituted a task force called cyber-suraksha.ai, comprising representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), and other regulated entities, to examine AI-driven cybersecurity risks, share threat intelligence, report cyber incidents on priority, and review third-party vendor security posture.

What the circular requires:

  1. Patch immediately. All operating systems and applications must be updated right away. Where patches don’t exist yet, entities must use virtual patching, a temporary protective layer applied over a vulnerability when no official fix is available.
  2. Run AI-based vulnerability assessments. Entities must conduct Vulnerability Assessment and Penetration Testing (VAPT), that is, simulated cyberattacks used to find weaknesses before real attackers do, on a continuous basis using both conventional and AI-based tools, in line with SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF).
  3. Hold vendors accountable. Entities must engage third-party vendors on timely patching. Exchanges and depositories must specifically direct their empaneled application vendors to run comprehensive risk assessments on AI-led vulnerability detection models and implement safeguards, including patching, VAPT, and continuous monitoring.
  4. Lock down change management. Every system change, including minor ones, requires full documentation, impact analysis, structured review, rigorous testing, and secure deployment.
  5. Secure all APIs. An Application Programming Interface (API) is a connection point that lets different software systems communicate; in financial markets, APIs connect brokers, exchanges, and payment systems. The circular requires:
     • Updated inventory of all APIs and apps using them
     • Strong authentication on a least-privilege basis (users get access only to what they strictly need)
     • Rate limiting and throttling to detect abuse
     • Connections only via whitelist
  6. Overhaul SOC monitoring. A Security Operations Centre (SOC) monitors an organisation’s…



Last Update: May 6, 2026