BT Explainer: What will Sebi’s new taskforce on AI do?

Anthropic’s new, but unreleased artificial model (AI) Claude Mythos has caused global alarm given the claims that its advanced capabilities help analyse and exploit software vulnerabilities and previously unknown security flaws in legacy code on a massive scale. It has been a point of discussion among governments and regulators worldwide over fears about the risks it could pose to financial systems.

Finance Minister Nirmala Sitharaman too had held discussions with top banks around these growing AI challenges recently. The Securities and Exchange Board of India (Sebi), which has also raised concerns around Mythos, has now set up a new task force, cyber-suraksha.ai, to analyse and address the issues in detail.

Why Sebi feel the need to set up a separate task force for AI?

The market regulator feels rapid evolution of emerging technologies including AI-driven vulnerability identification tools like Claude Mythos has introduced new dimensions of risks for regulated entities.

These tools may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities using speed and scale, it pointed out.

MUST READ: OpenAI releases GPT‑5.5 Instant as new default AI model on ChatGPT

It may also introduce concerns relating to data confidentiality, application integrity and reliability of outputs, Sebi added.

The securities market ecosystem is interconnected and therefore the regulator believes a coordinated approach for vulnerability management, information sharing and monitoring is required. This will help prevent a cascading impact across the system.

Who is part of the new AI task force?

The taskforce comprises representatives from market infrastructure institutions (MII), qualified registrars to an issue and share transfer agents (QRTAs), all qualified reporting entities (QREs), and other related stakeholders.

A meeting of the task force was convened along with the MIIs and QRTs to review the risks new AI models like Mythos pose and what measures need to be taken to address the risks.

MUST READ: AI-driven shares zoom 850% in less than 3 yrs — Multibagger stock to see more gains ahead?

What is the task force’s mandate?

The task force will closely examine the cybersecurity risks posed by AI-based models and devise a uniform mitigation strategy against the risks posed by them. The task force will also facilitate sharing of threat intelligence, best practices on vulnerability management, use cases and playbook to respond to threats among other things.

Stakeholders will have to report on a priority basis, cyber incidents or malicious activities, significant attack vectors, information on vulnerabilities etc. that may be relevant to strengthen the cyber security posture of the securities markets.

What advisory has been issued following discussions with the task force?

First and foremost, all operating systems and applications must be updated with the latest patches on immediate basis to mitigate any vulnerabilities that have already been identified.

In case of vulnerabilities where security patches are not yet available, virtual patching (essentially a temporary shield) can be considered to protect systems and networks.

Regulated entities will now have to do regular security audits in accordance with Sebi’s cyber resilience framework, and using conventional as well as AI tools vulnerability assessment will have to be conducted.

MUST READ: India’s currency rate not justified by its fundamentals, and it has a lot to do with AI

The advisory further calls on exchanges and depositaries to direct their empaneled application vendors to undertake a comprehensive assessment of the risks arising from the use of AI-led vulnerability detection models, and based on that assessment, vendors will have to implement appropriate safeguards.

To ensure there is operational resilience and system stability, any change, even if minor, in the system will need full documentation; there will have to be thorough impact analysis, structured review and rigorous testing before secure deployment.

The Market SOC (security operations centre), established by the two exchanges NSE and BSE serves as a centralized security platform, provides real-time monitoring and threat detection across digital infrastructure. Given the rising risks posed by AI-driven attacks, all eligible regulated entities that are still not on board with any M-SOC will have to expedite the onboarding.

Sebi’s cyber security and resilience framework mandates periodic risk assessment of regulated entities and their third-party service providers. Capabilities of AI models will also now have to be considered among the risk scenarios. System hardening (tools and techniques to reduce vulnerabilities in IT infrastructure) may also be implemented.

MUST READ: OpenAI launches ChatGPT for Intune app for secure work and study use

What are other regulators like RBI doing?

It has been recently reported that the Reserve Bank of India has been in talks with government officials, banks and regulators in other countries in relation to the risks posed by Claude Mythos.

RBI deputy governor Swaminathan J. had recently termed powerful technology like AI as a “double-edged instrument.”

“If AI is adopted without adequate safeguards, it can amplify existing weaknesses and create entirely new forms of harm. Therefore, the conversation about AI in finance must be balanced. We should neither be taken in by technological hype nor retreat into being defensive,” he had said.