SEBI Flags AI Vulnerability Tools as New Cyber Risk, Launches Task Force

TL;DR: SEBI warned that AI‑driven vulnerability detection tools could introduce new cyber risks for regulated entities and created a task force to assess those threats, while directing market infrastructure firms to prioritize reporting of attacks and vulnerabilities.

Context: On May 5, India’s Securities and Exchange Board of India (SEBI) issued an advisory highlighting that emerging AI‑based scanners, which automatically probe applications for weaknesses, might themselves become attack vectors or generate misleading results that obscure real threats. The regulator noted that reliance on such tools without proper oversight could increase exposure to supply‑chain compromises or false‑negative findings.

Key Facts: SEBI announced the formation of a task force to evaluate the threats posed by AI‑based vulnerability models and to devise a uniform mitigation strategy for market infrastructure institutes and intermediaries. The task force will also collect and analyze cyber incident reports, malicious activity alerts, and vulnerability disclosures to strengthen the securities market’s cybersecurity framework. In the same advisory, SEBI ordered all market infrastructure firms and registered intermediaries to prioritize the reporting of cyberattacks, discovered vulnerabilities, and any malicious activities they observe.

What It Means: Security teams at exchanges, clearing houses, brokerages, and other regulated entities must now treat AI‑driven scanners as part of their risk assessment rather than a silver bullet. They should validate scanner outputs with manual testing or alternative tools, maintain an inventory of AI models in use, and enforce strict change‑control and provenance checks for any third‑party scanning software. Defenders should also align reporting processes with SEBI’s directive by establishing automated ticketing feeds for vulnerability disclosures and ensuring that incident‑response playbooks include timely notification to the regulator. Relevant mitigations include applying CVE‑based patch management, monitoring for MITRE ATT&CK technique T1195 (Supply Chain Compromise) and T1046 (Network Service Scanning) anomalies, and deploying detection rules that flag unusual scanning patterns from internal AI tools. Looking ahead, market participants should watch for the task force’s forthcoming guidance, any updates to SEBI’s cyber‑risk framework, and potential mandatory standards for AI‑assisted security testing.