SEBI Flags Open Source Supply Chain Risks After Anthropic AI Finds 2000 Vulnerabilities

SEBI Makes Open Source Software Supply Chain Visibility A Cybersecurity Priority After Anthropic AI Finds 2,000 Vulnerabilities

SEBI has directed India’s financial market entities to strengthen cyber defences and track open-source software components after Anthropic’s Claude Mythos AI reportedly uncovered more than 2,000 unknown vulnerabilities in seven weeks.

The Securities and Exchange Board of India (SEBI) has issued a sweeping cybersecurity directive to all regulated entities across India’s securities ecosystem after naming Anthropic’s Claude Mythos Preview as a new-generation AI threat capable of discovering and exploiting software vulnerabilities at machine speed.

According to the report, the AI model identified more than 2,000 previously unknown vulnerabilities within seven weeks, including flaws that had survived decades of human security review. The system also reportedly generated working exploits on the first attempt in over 83 per cent of cases.

The regulator’s circular, signed on 5 May by Deputy General Manager Mamata Roy, applies to stock exchanges, mutual funds, depositories, credit rating agencies, portfolio managers, merchant bankers, and alternative investment funds.

SEBI warned that the interconnected nature of market infrastructure could allow a single breach to trigger widespread systemic disruption. “Due to the interconnectedness and interdependency of market participants in the Securities Market Ecosystem, a periodic coordinated approach for vulnerability management, information sharing and monitoring/assessment is required to prevent a cascading impact,” the circular stated.

The directive places major emphasis on open-source software supply-chain visibility. Regulated entities have been instructed to maintain updated Software Bill of Materials (SBOM) records and documentation for “all critical applications, including open-source components”.

SEBI also mandated immediate patching, AI-assisted vulnerability assessments, Zero Trust Network Architecture (ZTNA), API security controls, continuous monitoring, and preparations for “autonomous/agentic mitigation” against AI-driven cyber threats.
