For years, cyberattacks in financial markets followed a familiar script. Hackers hunted for weaknesses, security teams patched systems, regulators issued warnings, and institutions tried to stay one step ahead.
But now, with frontier AI models like Claude Mythos, the same process has shrunk to minutes instead of days, leaving banks and financial institutions gasping for breath. From U.S. and U.K. to India and Singapore, governments across the globe have warned banks and institutions to brace for far more sophisticated cyberattacks in future.
India’s market regulator, Securities and Exchange Board of India (SEBI) believes a new era has arrived, one where artificial intelligence can scan millions of lines of code, uncover hidden flaws in minutes, and potentially weaponize those vulnerabilities faster than human defenders can react.
That fear has prompted SEBI to issue one of its strongest cybersecurity alerts yet. Its message is blunt: India’s securities ecosystem must prepare immediately for a world where AI systems are capable not just of identifying software weaknesses, but exploiting them at machine speed.
Also Read: SEBI Flags Claude Mythos in Advisory, Asks Indian Markets to Level-up Defense
SEBI Chairman Tuhin Kanta Pandey has indicated that the regulator intends to strengthen oversight through continuous assessment, rapid incident reporting, and proactive threat mitigation. Industry executives say the warning has already triggered urgent reviews across major institutions, with firms reassessing patch cycles, third-party exposure, cloud access policies, and AI-driven attack scenarios.
What makes matters more complicated is the obscurity around Claude Mythos. Anthropic has allowed its preview version to be used under Project Glasswing to select tech giants, MNCs, research institutions and governments. However, according to media reports, the Indian government is still in the negotiation phase with Anthropic over the latter allowing the use of Claude Mythos Preview.
In this article, we have spoken to cybersecurity experts and market watchers to understand the gravity of the SEBI advisory against Claude Mythos and whether India’s digital infrastructure could respond swiftly to AI led cyberattacks.
“The Defining Cyber Threat of This Decade”
Speaking to AI FrontPage, New Delhi based Cyber law expert Pavan Duggal describes the rise of AI-led vulnerability discovery as a fundamental turning point.
“It is the defining cyber threat of this decade. What previously required a dedicated researcher operating for weeks can now be attempted at machine speed and machine scale across thousands of targets.”
He warns that the longstanding assumption of “security through obscurity and human-effort scarcity” no longer holds.
“This is not an incremental threat. It is a phase transition in the cyber threat landscape, and the regulatory and operational response must be of corresponding ambition.”
The warning comes at a time when financial systems are becoming deeply interconnected, increasingly automated, and heavily dependent on cloud infrastructure, APIs, third-party vendors, and digital trading systems. In such an environment, even a single breach at one institution could ripple across the wider market infrastructure. That systemic risk is precisely what has regulators worried.
According to officials familiar with the matter, SEBI believes the threat posed by advanced AI vulnerability detection tools goes far beyond conventional cyber risks. These systems are capable of discovering “zero-day” vulnerabilities, hidden software flaws unknown to developers or security teams, before patches are available.
Unlike traditional hackers who may take weeks or months to identify and exploit such weaknesses, AI models can reportedly complete the process in hours or even minutes.
Global Regulatory Perspective
Ahmedabad based Hirak Raval, a transnational business consultant, says India’s response aligns with a growing international consensus.
“AI is shifting cyber threats from isolated breaches into potential system-wide shocks. SEBI’s advisory reflects a global awareness, but fragmented frameworks mean vulnerabilities in one jurisdiction can destabilize others,” said Raval.
According to Mr. Raval, U.S. Securities and Exchange Commission focuses primarily on disclosure of AI-related material risks while the European Securities and Markets Authority has warned about systemic risks and overdependence on third-party providers. Similarly the Australian Securities and Investments Commission has publicly urged firms to prepare for frontier AI threats and the Financial Services Agency of Japan maintains strong digital oversight, particularly in crypto.
“India’s proactive stance contributes significantly to resilience, yet true global stability will require coordinated international standards, shared threat intelligence, and hybrid defensive AI strategies balancing autonomy with accountability,” added Raval.
India’s Financial Ecosystem: Highly Integrated, Highly Exposed
India’s securities infrastructure processes billions of rupees in transactions every day through stock exchanges, depositories, brokers, clearing corporations, mutual funds, and banks. Pavan Duggal notes that this digital sophistication creates both strength and vulnerability.
“India has built one of the world’s most integrated, real-time, digital-first financial market infrastructures. But that very integration creates dense interdependency. A sustained disruption at a critical node can propagate across the market within minutes,” said Duggal.
He further warns that future attacks may combine technical disruption with synthetic disinformation, amplifying investor panic and market volatility.
SEBI’s Cyber-Suraksha.ai Task Force
To coordinate its response, SEBI has created a dedicated task force called cyber-suraksha.ai, bringing together Market Infrastructure Institutions (MIIs), Qualified Registrar and Transfer Agents (QRTAs), Qualified Regulated Entities (QREs), and other stakeholders. Its mandate includes assessing AI-related cyber risks, developing mitigation strategies, facilitating intelligence sharing, monitoring incidents and evaluating third-party vendor vulnerabilities
Third-Party Vendors: The Weakest Link
SEBI has highlighted growing dependence on software vendors that provide trading platforms, risk systems, analytics tools, and cloud services.
These vendors may become attractive targets if malicious AI tools begin probing commonly used software at scale.
As a result, exchanges and depositories have been directed to ensure empaneled vendors conduct comprehensive AI-focused risk assessments, including vulnerability assessments, penetration testing, patch management, continuous monitoring, system hardening. SEBI has also instructed businesses to maintain complete API inventories, enforce strong authentication, apply rate limiting and restrict access through whitelisting.
Zero Trust and Continuous Monitoring
SEBI is pushing firms toward Zero Trust architecture, where every user, device, and application must continuously verify identity and permissions.
Pavan Duggal says implementation will be challenging.
“Zero Trust is correctly identified by SEBI as the destination architecture, but the path to it is genuinely difficult, particularly for intermediaries operating on legacy stacks.”
He advises firms to treat Zero Trust as a multi-year transformation with board-level sponsorship and ring-fenced budgets.
Business Response: Cybersecurity as Core Strategy
Vipin Malhan, President of Noida Entrepreneurs Association says SEBI’s advisory has fundamentally changed how businesses view cyber resilience.
“Cybersecurity spend is now treated as a core resilience investment. At our organization, we have strengthened API security audits, expanded vendor assessments, implemented AI-driven monitoring
adopted Zero Trust frameworks and automated compliance reporting
To reassure clients and investors, Vipin says firms must publish independent penetration testing results, deploy quantum-resistant encryption, and communicate proactively.
“Firms that adapt quickly will not only comply but also enhance their attractiveness to global investors,” added Malhan.
AI Versus AI: The Future of Cyber Defense
SEBI’s advisory goes beyond strengthening human oversight. It explicitly encourages institutions to explore AI-powered defense mechanisms and autonomous mitigation systems. Pavan Duggal believes this shift is unavoidable.
“AI-powered defense is the only response architecture that can match the speed and scale of AI-powered attack.” However, he cautions that defensive AI must remain explainable, auditable, and subject to human override. “Accountability rests with the regulated entity. It always will,” adds Pavan.
Final Word
The old assumption that defenders have time to study threats and roll out patches may no longer hold true. In a world where AI can compress discovery, exploitation, and attack execution into minutes, cybersecurity becomes a race measured in machine speed rather than human response.
As Hirak Raval puts it, “the future of financial stability depends not only on stronger regulations, but on coordinated global standards, shared intelligence, and hybrid AI defenses that combine autonomy with accountability.”
SEBI’s latest warning is the clearest signal yet that cyber warfare in financial markets has entered a new era. The machines are no longer just protecting the system. They are now among its most formidable adversaries.
Also Read: “Summoning an Alien Species”: David Krueger on Why Superintelligence Could End Us All
