Single successful cyberattack could disrupt markets at national scale, shake public confidence: FM
What Happened
- At SEBI's 38th Foundation Day (April 25, 2026), the Union Finance Minister warned that a single successful cyberattack on a major stock exchange, depository, clearing corporation, or large broker could disrupt financial markets at a national scale, erase wealth, and shake public confidence in ways that take years to rebuild.
- The Finance Minister identified AI-led cyberattack tools as a qualitatively new threat dimension that makes attacks faster, more adaptive, scalable, and increasingly autonomous — including automated vulnerability discovery, malicious source-code interference, software supply chain attacks, and coordinated intrusions that evolve in real time to evade detection.
- The Finance Minister also flagged deepfake scams and "fin-fluencer" fraud as emerging investor protection concerns, launching Mission Jagrook (investor awareness drive) and the SEBI Check tool at the same event.
- SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), which became operational in April 2025, was cited as the regulatory foundation for market infrastructure cybersecurity.
- The broader message: financial market cybersecurity is now a matter of national security and macroeconomic stability, not just a sector-specific compliance issue.
Static Topic Bridges
SEBI: Establishment, Powers, and Mandate
The Securities and Exchange Board of India (SEBI) is the statutory regulator for India's securities and commodities markets. SEBI was first established on April 12, 1988, as a non-statutory executive body. It was granted statutory powers on January 30, 1992, through the SEBI Act, 1992. SEBI is headquartered at the Bandra Kurla Complex, Mumbai, and has regional offices in New Delhi, Kolkata, Chennai, and Ahmedabad. Before SEBI's creation, the Controller of Capital Issues (under the Capital Issues (Control) Act, 1947) was the market regulatory authority. SEBI exercises three categories of powers simultaneously: quasi-legislative (drafts regulations), quasi-executive (conducts investigations, inspections, enforcement), and quasi-judicial (passes orders and rulings on violations).
- SEBI established (non-statutory): April 12, 1988
- SEBI Act, 1992 (statutory powers): January 30, 1992
- Predecessor body: Controller of Capital Issues (Capital Issues (Control) Act, 1947)
- SEBI headquarters: Bandra Kurla Complex, Mumbai
- Administrative domain: Ministry of Finance, Government of India
- SEBI's 38th Foundation Day: April 25, 2026 (founded: April 12, 1988)
- Key SEBI-regulated entities: Stock exchanges, depositories, mutual funds, credit rating agencies, brokers, investment advisers, portfolio managers, alternative investment funds
Connection to this news: SEBI's Foundation Day address by the Finance Minister elevated cybersecurity from a compliance requirement to a systemic national security concern, framing the regulator's cyber resilience mandate in explicitly macroeconomic terms.
SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF)
SEBI issued its Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) via circular in August 2024, with the framework becoming operational in April 2025. The CSCRF replaced earlier, fragmented cybersecurity circulars with a consolidated, risk-tiered framework applicable across all SEBI-regulated market participants — categorised by their systemic importance.
- CSCRF circular issued: August 2024 (SEBI/HO/...)
- CSCRF operational from: April 2025
- Applicability: All SEBI Regulated Entities (REs), with differentiated requirements by tier:
  - Market Infrastructure Institutions (MIIs): Stock exchanges, depositories, clearing corporations — highest standards
  - Qualified REs: Large intermediaries (mutual funds, large brokers, etc.)
  - Mid-size and small REs: Proportionate requirements
- Key CSCRF requirements for MIIs:
  - ISO 27001 certification (information security management)
  - Regular Vulnerability Assessment and Penetration Testing (VAPT)
  - Mandatory immediate incident reporting via dedicated SEBI portal
  - Cyber Capability Index (CCI) — periodic self-assessment tool for cyber resilience
  - Red teaming exercises
  - Quarterly testing and simulation of cyberattack scenarios
- Software supply chain security: CSCRF includes provisions for securing third-party software and APIs
Connection to this news: The Finance Minister's warning about AI-led autonomous attacks directly reinforces why the CSCRF's requirements — red teaming, continuous VAPT, supply chain security — are necessary but may need further evolution to address AI-specific threat vectors.
AI-Enabled Cyber Threats: The New Threat Landscape
AI-led cyberattack tools represent a qualitative escalation from traditional cybersecurity threats. Key characteristics flagged at SEBI's Foundation Day include:
- Speed: AI cuts the time between initial network access and full system compromise from days/weeks to minutes/hours
- Adaptability: Machine learning models can modify attack code in real time to evade signature-based detection systems
- Scalability: Automated attack tools can simultaneously target thousands of endpoints
- Autonomy: AI agents can independently discover vulnerabilities, generate exploit code, and execute multi-stage attacks without direct human control at each step
- Supply chain attacks: Inserting malicious code into trusted software updates or libraries (e.g., the SolarWinds attack model) to compromise downstream systems
- Deepfakes: AI-generated audio/video impersonation to manipulate market actors, executives, or investors
- National Cyber Security Policy (India): Published 2013 by Ministry of Electronics and Information Technology (MeitY); revision under consideration
- CERT-In (Indian Computer Emergency Response Team): Established under IT Act, 2000 (Section 70B); designated as the national nodal agency for cybersecurity incident response
- CERT-In mandatory incident reporting: Rule issued April 2022 — requires organisations to report cybersecurity incidents within 6 hours of detection
- IT Act, 2000 (amended 2008): Primary legislation governing cybercrime in India; Section 66 (computer-related offences), Section 70 (critical information infrastructure protection)
- Critical Information Infrastructure (CII): Defined under Section 70 of IT Act, 2000; NCIIPC (National Critical Information Infrastructure Protection Centre) designated as nodal agency for CII protection
Connection to this news: Financial market infrastructure — stock exchanges, clearing corporations, depositories — qualifies as Critical Information Infrastructure (CII) under Section 70 of the IT Act, 2000. An AI-enabled attack on CII of this nature would simultaneously be a cybersecurity incident, a financial market disruption, and a national security event.
Systemic Risk in Financial Markets: The Interconnection Concern
Modern financial market infrastructure is highly interconnected: a compromise at one node (e.g., a depository) cascades through clearing, settlement, and trading systems. This creates "systemic risk" — the risk that the failure of one entity or infrastructure triggers a chain reaction affecting the entire system. The Finance Minister's warning about a "national-scale" disruption reflects this interconnectedness. In India's case:
- India's major Market Infrastructure Institutions (MIIs): NSE, BSE (stock exchanges); NSDL, CDSL (depositories); NSE Clearing, ICCL (clearing corporations)
- Combined daily trading turnover on Indian exchanges: exceeds ₹3 lakh crore on peak days [Unverified: exact current figure]
- Demat accounts in India: Over 18 crore (180 million) as of early 2026 [Unverified: exact figure; refer to NSDL/CDSL for current data]
- Interconnection risk: A depository breach could freeze settlement of all trades; a clearing corporation breach could disrupt margin and collateral systems across all brokers
- Basel Committee on Banking Supervision (BCBS): Issues cyber resilience principles for financial sector globally; SEBI aligns its framework with international standards
- IOSCO (International Organization of Securities Commissions): Issues cybersecurity guidance for securities regulators; India (SEBI) is a member
Connection to this news: The Finance Minister's framing — "erase wealth, shake public confidence" — directly invokes systemic risk theory. A successful attack on Indian market infrastructure would not merely be a technical disruption but a macroeconomic shock affecting investor confidence, financial stability, and economic growth.
Key Facts & Data
- SEBI established (non-statutory): April 12, 1988; statutory powers: January 30, 1992 (SEBI Act, 1992)
- SEBI's 38th Foundation Day: April 25, 2026
- SEBI headquarters: Bandra Kurla Complex, Mumbai; under Ministry of Finance
- SEBI CSCRF circular: August 2024; operational from April 2025
- CERT-In: Established under IT Act, 2000, Section 70B; nodal agency for cyber incident response
- CERT-In mandatory 6-hour incident reporting rule: April 2022
- NCIIPC: National Critical Information Infrastructure Protection Centre; established 2014 under NTRO; nodal agency for CII protection under Section 70 of IT Act, 2000
- IT Act, 2000 (amended 2008): Primary cybercrime legislation; Section 70 covers CII
- National Cyber Security Policy: 2013 (Ministry of Electronics and IT / MeitY)
- IOSCO: International Organization of Securities Commissions; SEBI is a signatory member
- ISO 27001: International standard for information security management systems (ISMS) — required for MIIs under CSCRF
- MIIs in India: NSE, BSE (exchanges); NSDL, CDSL (depositories); NSE Clearing, ICCL (clearing corporations)