Banks and regulators strengthen defences against AI-powered cyber threats

Government agencies, financial regulators and banks are beginning to strengthen their defences against a new generation of artificial intelligence (AI)-powered cyber threats. The measures do not yet form a single, unified defence framework. However, recent developments involving the Ministry of Finance, the Securities and Exchange Board of India (SEBI), the Indian Cyber Crime Coordination Centre (I4C) and the Reserve Bank Innovation Hub (RBIH) show that the response is moving beyond warnings. Regulators are tightening cyber controls, financial institutions are being asked to prepare for AI-enabled attacks and AI-based systems are already being deployed to detect financial fraud. The meeting that put AI risk on the financial agenda On April 23, 2026, Finance Minister Nirmala Sitharaman chaired a high-level meeting with bank heads and senior officials from the Reserve Bank of India (RBI) and the Ministry of Electronics and Information Technology (MeitY) to discuss AI-related risks to financial systems. The meeting followed growing concern over Anthropic’s Claude Mythos Preview, a restricted-access AI model reported to be capable of identifying and potentially exploiting software vulnerabilities at unusual speed and scale. The Ministry of Finance said on X that the emerging threat was “unprecedented and requires a very high degree of vigilance, preparedness and better coordination across financial institutions and banks”. Banks were urged to take pre-emptive measures to protect their systems, customer data and financial assets. The meeting indicated that AI-enabled cyber risk was no longer being viewed as a distant possibility, but as an operational threat requiring immediate preparation. SEBI moves from warning to action On May 5, 2026, SEBI issued an advisory on advanced AI tools used for vulnerability detection. The regulator explicitly referred to Claude Mythos while warning that such models could identify and potentially exploit vulnerabilities at a speed and scale beyond conventional approaches. SEBI said these capabilities could threaten data confidentiality, application integrity and the reliability of system outputs. The regulator also warned that the interconnected nature of securities markets meant that a breach at one institution could have cascading consequences across exchanges, depositories, brokers, mutual funds and other market participants. The advisory requires regulated entities to: Immediately patch operating systems and applications, or use virtual patching when official fixes are unavailable. Conduct regular vulnerability assessments and penetration testing using conventional and suitable AI-based tools. Undertake comprehensive risk assessments of third-party vendors and application service providers. Document system changes and conduct impact assessments before implementation. Secure application programming interfaces (APIs) through strong authentication, rate limiting and allow-listed connections. Expand Security Operations Centre (SOC) monitoring to cover all systems, including low-priority alerts that might otherwise be ignored. SEBI has also directed regulated entities to accelerate their onboarding to Market SOC, the centralised, round-the-clock security monitoring platform jointly operated by the National Stock Exchange and BSE. Financial institutions must also include the capabilities of advanced AI models as a threat scenario in their periodic risk assessments. Over the longer term, they are expected to develop plans for agentic and autonomous mitigation systems capable of detecting and responding to threats with limited human intervention. A task force for shared cyber resilience SEBI has also constituted a task force called cyber-suraksha.ai, comprising representatives from market infrastructure institutions, qualified registrars and transfer agents, regulated entities and other stakeholders. The task force will examine cybersecurity risks associated with AI models, develop common mitigation strategies, share threat intelligence and response playbooks, report high-priority cyber incidents and assess the security posture of third-party application providers. The initiative reflects a significant shift in regulatory thinking. Cyber resilience can no longer stop at the perimeter of an individual organisation when exchanges, brokers, depositories, fund houses, vendors and payment systems are deeply interconnected. A practical limitation, however, remains. Indian institutions did not have access to Claude Mythos when the advisory was issued. MediaNama reported that MeitY Secretary S. Krishnan had said the government was discussing access arrangements with US authorities under Anthropic’s Project Glasswing. That distinction is important. SEBI is not asking financial institutions to use Claude Mythos to protect themselves. It is asking them to prepare for the broader class of threats represented by advanced AI models through stronger vulnerability management, monitoring, information sharing and risk assessment. AI is already being used against financial fraud The regulatory response is being complemented by AI-led fraud detection already being deployed across the banking ecosystem. On May 12, 2026, the Indian Cyber Crime Coordination Centre, under the Ministry of Home Affairs, and the Reserve Bank Innovation Hub signed a Memorandum of Understanding (MoU) to strengthen the detection of mule accounts and cyber-enabled financial fraud. The agreement enables I4C to share mule-account intelligence and suspect identifiers from its national Suspect Registry with RBIH. The information will be used to improve AI-driven fraud-risk assessment systems, including MuleHunter.ai, which is already being used by more than 26 banks. Mule accounts are bank accounts used to receive, transfer or conceal money obtained through fraud. By analysing account activity and intelligence gathered across institutions, MuleHunter.ai aims to identify suspicious accounts more quickly than traditional rule-based systems. Home Minister Amit Shah described the collaboration as a “next-gen shield against cybercrime”, saying that data from the Suspect Registry would help AI systems detect and eliminate hidden mule accounts. Unlike SEBI’s advisory, MuleHunter.ai is not a direct response to Claude Mythos . It is designed to counter cyber-enabled financial fraud and the misuse of mule accounts. Together, however, these developments show two sides of the emerging response: strengthening systems against AI-accelerated cyber threats while using AI to improve fraud detection. What this means for financial institutions The April 23 meeting, SEBI’s May 5 advisory and the May 12 MoU represent a clear progression from recognising the risk to issuing regulatory directions and deploying operational tools. There is still no single AI cyber-defence framework covering the entire financial system. However, its foundations are beginning to emerge through closer coordination, mandatory cyber controls, shared threat intelligence, centralised monitoring, vendor-risk assessments and AI-assisted fraud detection. The larger challenge will be execution Patching systems, securing APIs, monitoring low-priority alerts, assessing third-party vendors and sharing intelligence across institutions require sustained investment, skilled professionals and clear accountability. AI may be accelerating the cyber threat landscape. Financial institutions and regulators are now beginning to use the same technology to strengthen their defences.