The Digital Threat Report 2024 identified seven cyber threats that India’s banking, financial services and insurance (BFSI) sector needed to prepare for. Just one year later, the latest Digital Threat Report 2025-26, released by the Ministry of Electronics and Information Technology (MeitY), CERT-In, CSIRT-Fin and SISA, says six of those predictions have already come true.
The report states that this is not merely a sign of rising cybercrime, but of a threat landscape evolving at an unprecedented pace. The time between a new attack technique emerging and being exploited has shrunk from years to months, and in some cases, even weeks.
Recent cyber incidents in India reflect this trend. In July 2025, cryptocurrency exchange CoinDCX suffered a cyberattack that led to losses of around ₹380 crore after attackers compromised an internal operational account. New India Cooperative Bank also faced a cyber incident that disrupted UPI and internet banking services for several days, highlighting how attacks increasingly affect critical financial infrastructure.
Six predictions that became reality
The only prediction that has not fully materialised relates to post-quantum cryptography and quantum computing risks. However, the report warns that threat actors have already begun adopting “harvest now, decrypt later” strategies — stealing encrypted data today with the expectation of decrypting it once quantum computing becomes practical.
Why are threats evolving so quickly?
Experts say the speed of change reflects both a leap in attackers’ capabilities and the slow pace at which organisations are adapting.
Nisha Bachani, managing director and partner at Boston Consulting Group (BCG), told Business Standard that the threat environment has undergone a structural shift.
“Exploit windows have collapsed from 745 days to just 44; meaning the time between a vulnerability being discovered and a weapon being built around it has shrunk by 94 per cent in five years. That is not incremental change. That is a different game entirely,” Bachani said.
She added that India’s BFSI sector is entering this new threat environment while remaining significantly underinvested in cybersecurity, with many institutions still treating cyber risk as an IT compliance issue rather than a business priority.
Dr Vivek N, Professor of Operations and Chairperson – Centre for AI in Business at Great Lakes Institute of Management, Chennai, said the rapid evolution of cyberattacks and the sector’s preparedness gap have together turned last year’s predictions into reality. “The six predictions came true because a genuine jump in attacker capability met a sector that had not yet climbed the difficulty curve,” he told Business Standard.
He pointed to outdated cybersecurity infrastructure, a shortage of skilled professionals and slower adoption of AI-driven security tools across financial institutions.
Identity has become the new battleground
“Attackers are shifting toward legitimate access because it reuses what a real user or system already has, rather than requiring new malware that defences can eventually learn to detect,” said Saurabh Sharma, lead security researcher at Kaspersky’s Global Research and Analysis Team (GreAT).
Sharma said Kaspersky’s investigations found that exploitation of public-facing applications, valid accounts and trusted relationships accounted for more than 80 per cent of attacks investigated in 2025. Nearly 89 per cent of phishing campaigns were aimed at stealing account credentials.
Pavan Karthick M, threat researcher at CloudSEK, said compromising an identity often begins with malware or phishing, but the real objective is the access that identity provides. “Access to an identity means access to everything that identity can reach, human or machine, and the ability to repudiate it. That’s the payoff, and it’s why identity is the target,” he told Business Standard.
“The shift being described — from malware to identity, API and cloud exploitation — is not a new attack trend to be patched onto an existing security architecture. It is an indictment of that architecture,” she said.
The report similarly argues that attacks increasingly appear as legitimate user sessions, approved transactions and trusted workflows, making them much harder to detect using conventional security controls.
AI is widening the gap between attackers and defenders
The report identifies “AI asymmetry” as one of the biggest emerging risks for financial institutions, with attackers using artificial intelligence to automate phishing, malware development and vulnerability discovery at a speed that traditional security teams struggle to match.
“There is a dangerous gap between where AI is being deployed and where it actually needs to be,” Bachani said.
Dr Vivek said banks are investing more in cybersecurity and expanding security teams, but attackers are evolving much faster, making continuous adaptation essential rather than optional.
Quantum risk may be next
The only prediction that has not yet fully materialised is quantum computing-related risk, but experts say that should not lead to complacency.
Dr Vivek said that the threat is not the quantum computer that exists today, but “it is the encrypted data adversaries are quietly harvesting today, to decrypt the moment a capable machine arrives”.
Experts say banks should begin inventorying cryptographic assets, adopting crypto-agile infrastructure and planning migration to post-quantum cryptography now because such transitions could take years.
The report also outlines an 18-month roadmap for the sector, urging institutions to strengthen AI-powered defences, secure identities and cloud environments, improve continuous risk monitoring, and prepare for future quantum-era threats.
The report’s central message is clear: cybersecurity can no longer be treated as a periodic compliance exercise. As cyberattacks evolve at machine speed, resilience will depend on how quickly institutions can detect, adapt and respond.