SEBI Constitutes Cybersecurity Task Force Amid Mythos Concerns
The new task force, called cyber-suraksha.ai, will devise a strategy to curb risks posed by such AI models and facilitate sharing of threat intelligence to respond to the threat
In an advisory, SEBI directed all regulated entities to update all applications with the latest patches, undertake cybersecurity audits and carry out regular monitoring of their networks
This follows Anthropic’s controlled rollout of the Claude Mythos AI model, which can identify and exploit critical software vulnerabilities across major operating systems and browsers
Amid growing concerns over Anthropic’s Mythos, markets regulator Securities and Exchange Board of India (SEBI) has constituted a new task force to assess cybersecurity risks posed by AI models.
In an advisory issued yesterday, SEBI said that the task force, called cyber-suraksha.ai, will devise a uniform mitigation strategy to curb risks posed by such models. It will also facilitate sharing of threat intelligence, best practices on vulnerability management and playbooks to respond to the threat vector.
The task force has also been tasked with reporting cybersecurity incidents and information on vulnerabilities on a priority basis. In addition, it will review the “cybersecurity posture” of third-party application service providers, including empaneled vendors.
SEBI said that the panel will comprise representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), qualified regulated entities (QREs) and other stakeholders.
This comes in the backdrop of Anthropic rolling out Claude Mythos in a controlled manner in April this year. The AI model, which is designed for advanced coding and cybersecurity, can identify and exploit critical software vulnerabilities across major operating systems and browsers, including flaws that have remained hidden for decades.
Given its potential for misuse, Anthropic has restricted access to the model under Project Glasswing. The model has also put governments worldwide on edge due to its ability to uncover and exploit vulnerabilities that could expose power grids, telecom networks, banking systems, and defence infrastructure to cyberattacks.
On Mythos, SEBI yesterday said that the rise of AI-driven vulnerability identification tools like Mythos could potentially heighten risk exposure and may also introduce concerns relating to data confidentiality and reliability of outputs.
In line with this, the markets regulator yesterday also convened the first meeting of the cyber-suraksha.ai task force, which saw participation from MIIs and QRTAs, to discuss mitigation measures related to Mythos. Based on the consultation, the said task force has now issued an advisory for all SEBI-regulated entities (REs):
- Update all operating systems and applications with the latest or virtual patches on an immediate basis
- Conduct vulnerability assessment using AI-based tools and undertake cybersecurity audits
- Engage with third-party vendors to release patches and deploy them in a timely manner
- Any change in the systems, including minor changes, should have full documentation, thorough impact analysis, rigorous testing and secure deployment
- Inventory of all application programming interfaces (APIs) and the applications using the said APIs should be regularly updated
- Ensure strong authorisation mechanisms to enable secure verification of end-users
- Rate-limit and throttle API usage to prevent and detect abuse
- Carry out regular day-to-day monitoring of the systems and networks.
- Security operations center (SOC) alerts should be adequately examined, including low-priority alerts.
- All eligible REs shall expedite onboarding on market SOC (M-SOC), centralised cybersecurity platforms established by the NSE and the BSE
- Implement system hardening by adopting secure configurations, disabling unnecessary services and default accounts, and enforcing solutions like zero trust network to minimise the attack surface.
- All REs will also be required to prepare a long-term plan for usage of AI in detection and agentic mitigation.
This comes weeks after finance minister (FM) Nirmala Sitharaman held a meeting with heads of banks and other senior officials from the RBI and the NPCI amid growing concerns over cybersecurity risks posed by advanced AI systems. At the meeting, she stressed the need for a very high degree of vigilance, preparedness, and stronger coordination across financial institutions and banks.
Last week, the Centre also reportedly held talks with the US government and Anthropic to work out a mechanism for Indian companies to gain access to Mythos.