




















The circular can be accessed here.
The Securities and Exchange Board of India (SEBI) has named Anthropic’s Claude Mythos in a circular dated May 5, ordering every regulated entity in Indian securities markets to immediately overhaul their cybersecurity infrastructure. SEBI is the first Indian financial markets regulator to name a specific AI model in a formal circular; CERT-In had first named Mythos across all sectors on April 26.
The circular covers stock exchanges, depositories, mutual funds, brokers, credit rating agencies, custodians, merchant bankers, and portfolio managers, among others.
SEBI’s concern: Mythos can identify and exploit vulnerabilities “using speed and scale,” threatening data confidentiality, application integrity, and reliability of outputs. Because all market participants are interconnected, one breach can trigger a domino effect across the entire ecosystem.
SEBI has also constituted a task force called cyber-suraksha.ai, comprising representatives from market infrastructure institutions (MIIs), qualified registrars and transfer agents (QRTAs), and other regulated entities, to examine AI-driven cybersecurity risks, share threat intelligence, report cyber incidents on priority, and review third-party vendor security posture.
What the circular requires:
6. Overhaul SOC monitoring. A Security Operations Centre (SOC) monitors an organisation’s systems for threats around the clock. The circular requires:
7. Include AI as a risk scenario. Periodic risk assessments must now explicitly model AI model capabilities as a threat scenario.
8. Harden systems. Entities must adopt secure configurations, disable unnecessary services and default accounts, and enforce Zero Trust Network Architecture (ZTNA), a security model that requires verification at every step, assuming no user or system is trustworthy by default.
9. Update software inventory. Entities must periodically update their Software Bill of Materials (SBOM), a complete list of all software components, including open-source code, for all critical applications.
10. Build long-term AI defence. All regulated entities must prepare a long-term plan for using AI in detection and autonomous agentic mitigation, where AI systems independently identify and respond to threats without waiting for human instruction, including AI-augmented SOC transformation.
Why this matters: SEBI naming Mythos in a circular is a significant regulatory moment. As MediaNama has reported, no Indian company, bank, or government agency has secured access to Mythos under Project Glasswing, Anthropic’s $100 million restricted access programme. MeitY Secretary S. Krishnan confirmed on April 28 that India is still working out logistics with US authorities.
This creates a structural contradiction: SEBI is ordering Indian financial institutions to defend against a model they cannot access to defend themselves with. Claude Security, Anthropic’s enterprise defensive tool, gives Indian firms an indirect path through Infosys as a named partner, but runs on Opus 4.7, which produces two working exploits on the Firefox 147 benchmark against Mythos’s 181, a 90x capability gap.
MediaNama founder Nikhil Pahwa identified the core problem: “A tool that compresses attack timelines without compressing defense timelines increases systemic risk before it improves security.”
The data localisation conflict also remains unresolved. India’s 2018 rules require payment system providers to store all transaction data on servers within India, while Mythos is hosted on US-based servers. The National Payments Corporation of India (NPCI) has not publicly addressed this.
Finance Minister Nirmala Sitharaman chaired a meeting on April 23 with Reserve Bank of India (RBI), NPCI, Indian Banks’ Association (IBA), and CERT-In officials, calling the Mythos threat “unprecedented.” CERT-In has separately issued a high-severity advisory directing organisations to treat every newly disclosed vulnerability as exploitable within hours, not weeks.
Also read:
For You
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。