SEBI Issues Cybersecurity Advisory on AI-Based Vulnerability Detection Tools: Key Mandates for Regulated Entities

Background and Context

The securities market ecosystem is witnessing an unprecedented surge in technology-driven threats. With the emergence of sophisticated artificial intelligence tools capable of detecting and exploiting system vulnerabilities at scale and speed — tools such as Claude Mythos — the Securities and Exchange Board of India (SEBI) has taken proactive steps to address the growing cybersecurity risks facing regulated entities (REs).

Pursuant to Circular No. HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 dated May 5, 2026, SEBI issued a comprehensive advisory directing all categories of market participants to reinforce their cybersecurity frameworks, adopt AI-augmented monitoring capabilities, and align with the centralized threat management infrastructure already established in the securities market.

This circular was issued under the powers vested in SEBI by Section 11(1) of the Securities and Exchange Board of India Act, 1992, which empowers the Board to protect investor interests, promote orderly market development, and regulate the securities market ecosystem.

Entities Covered Under This Advisory

The circular is addressed to a broad spectrum of SEBI-regulated entities, reflecting the interconnected nature of the securities market. The following categories of participants fall within the scope of this advisory:

All Alternative Investment Funds (AIFs)
All Bankers to an Issue (BTIs) and Self-Certified Syndicate Banks (SCSBs)
All Clearing Corporations
All Collective Investment Schemes (CIS)
All Credit Rating Agencies (CRAs)
All Custodians
All Debenture Trustees (DTs)
All Depositories and Designated Depository Participants (DDPs)
All Depository Participants (through Depositories)
All Investment Advisors (IAs) and Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers (MBs)
All Mutual Funds (MFs) and Asset Management Companies (AMCs)
All Portfolio Managers
All Registrars to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers (through Exchanges), Stock Exchanges, and Venture Capital Funds (VCFs)

Why SEBI Acted: The Emerging Threat Landscape

The AI Vulnerability Problem

Advanced AI-powered tools, exemplified by platforms like Claude Mythos, have fundamentally altered the cybersecurity risk environment. These tools enable threat actors to identify vulnerabilities within systems with a level of speed and scale that far surpasses conventional methods. The implications are significant:

Rapid identification and potential exploitation of existing system weaknesses
Elevated risks to data confidentiality and application integrity
Concerns around the reliability and accuracy of AI-generated outputs used in security decisions
Potential for cascading failures across interconnected market participants

Interdependency Amplifies Risk

Given the deeply interconnected structure of the Indian securities market — where exchanges, clearing corporations, depositories, brokers, and fund managers all operate within a shared digital ecosystem — a vulnerability exploited at one node can rapidly propagate across the entire system. SEBI recognized that a coordinated, uniform response mechanism is essential to contain and mitigate such systemic risks.

Formation of Task Force: cyber-suraksha.ai

To coordinate a structured response to AI-accelerated cybersecurity threats, SEBI constituted a dedicated task force named cyber-suraksha.ai (reachable at: project-cyber-suraksha.ai@sebi.gov.in). This task force comprises representatives from:

SEBI Circular on AI-Driven Cybersecurity Risks: Advisory, Task Force Formation & Compliance Obligations for Regulated Entities