"The rapid evolution of emerging technologies including AI-driven vulnerability identification tools (E.g. Claude Mythos) has introduced new dimensions of risks for Regulated Entities," the Securities and Exchange Board of India warned in a fresh advisory this week, urging immediate action across the nation's equities markets.
Securities and Exchange Board issues advisory after Mythos surfaced
The Board — India’s regulator for securities markets — told participants to "immediately revisit their information security systems and practices" in light of bug-finding AIs such as Anthropic’s Mythos. The advisory frames the risk succinctly: these tools "may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities using speed and scale" and can raise "concerns relating to data confidentiality, application integrity and reliability of outputs."
Taskforce to examine models, share threat intelligence and review third-party vendors
Alongside the advisory the Board has established a taskforce charged with several concrete duties: examine risks posed by models like Mythos, share threat intelligence, report incidents, and initiate a review of cybersecurity at third‑party software vendors that supply the regulator and the entities it oversees. That sequence of actions positions the Board to combine oversight, information sharing and vendor scrutiny as immediate mitigations.
Technical prescriptions: patching, inventories, SOCs and zero‑trust
The advisory lists practical, familiar controls as frontline defenses. Regulated entities were instructed to:
- Ensure patches are up to date;
- Conduct audits of potential vulnerabilities;
- Conduct inventories of APIs and secure them;
- Run a serious Security Operations Center (SOC) and take its advice;
- Harden systems by adopting principles such as zero‑trust networking and running only essential services.
The Board also directed firms to have IT committees issue guidance on how to mitigate risks created by AI‑led vulnerability detection models and to "develop a plan to use AI as part of their infosec armoury." The advisory explicitly called for "recalibration of risks for AI accelerated threats, AI‑augmented SOC transformation, and continuous vulnerability management using AI tools."
Global regulators have moved too — US, Singapore, Australia, Hong Kong
India is not alone in responding. The source reports that US Treasury Secretary Scott Bessent convened an emergency meeting with the nation’s banks a few weeks earlier. Singaporean regulators "did likewise, yesterday." Australian regulators sent local banks a "strongly worded reminder" that they must develop AI strategies addressing risks the technology creates, and Hong Kong’s Monetary Authority is "working on new infosec guidance for the age of Mythos." The advisory frames India's action as notable because it effectively puts regulated entities on alert and orders them to take preventive measures immediately.
What this means for technologists, policymakers, and capital market participants
- Technologists and security teams: Expect pressure to accelerate remediation cycles. The Board’s checklist — patch management, API inventories, hardened services, and SOC processes — is an immediate operational to‑do list, and the advisory's call for "AI‑augmented SOC transformation" signals an expectation that teams begin integrating AI into detection and response workflows.
- Policymakers and regulators: The newly formed taskforce will be the locus of regulatory activity: examining model risks, sharing threat intelligence, reporting incidents, and auditing third‑party vendors. Those functions create both information flows and potential enforcement levers for the Board.
- Exchanges, mutual funds, VCs and other covered entities: The Board directed its advice at "19 different classes of company," from venture capitalists to merchant bankers, mutual funds, stock exchanges, and niche suppliers such as agencies that store know‑your‑customer information — all are expected to have IT committees issue guidance and to design plans for both defending against and responsibly using AI tools.
India’s regulator has moved from warning to mandate: an advisory, a taskforce, and a vendor review timeline. The Board has signaled that the arrival of bug‑finding AIs like Anthropic’s Mythos is not only a research or product story but an operational risk requiring immediate security hygiene and organised oversight. The next concrete steps — the taskforce’s findings, the threat intelligence it shares, and the outcomes of third‑party vendor reviews — will show whether the advisory’s prescriptions are implemented across the 19 classes of regulated entities and whether those measures blunt the speed‑and‑scale threat the Board described.
Source: The Register — India orders infosec red alert in case Mythos sparks crime spree
