Why cyber risk matters for financial stability
Cyber incidents are no longer just an IT department’s problem. The RBI’s report frames cyber risk as a core financial stability issue because incidents can disrupt critical infrastructure through service outages, data loss and payment system interruptions, while also chipping away at public trust in the banking system. As digital adoption accelerates, so does the attack surface available to malicious actors. According to the report, global cyberattacks have risen sharply since 2020, and India continues to see a relatively high volume of such attacks compared to other emerging market economies, trailing only Russia and Ukraine in the sample of countries the RBI examined.
That volume matters because Indian banks have moved deep into digital territory. The survey conducted by the RBI found that 79 per cent of respondents reported that more than three-fourths of their customer transactions now happen digitally. That level of digital dependence means any disruption, however brief, has the potential to ripple across millions of customers almost instantly.
Banks feel prepared, but the numbers tell a more nuanced story
On the surface, Indian financial institutions appear confident about their cyber defences. As many as 98 per cent of respondents rated their current cyber risk exposure as very low to moderate, and most reported that whatever incidents did occur during 2025-26 caused minimal disruption to customer services and were typically contained within 24 hours.
However, nearly one-third of respondents said their perceived cyber risk had moderately or significantly increased compared to a year earlier, a sign that the threat environment is getting harder to predict even as institutions feel they are managing it adequately. In other words, banks believe they are keeping pace with today’s threats, but they are not entirely sure that pace will hold as the nature of those threats keeps changing.
Investment trends back this up. Between March 2025 and March 2026, around 67 per cent of respondents reported an increase in IT and cybersecurity staffing, and cybersecurity expenditure as a share of overall IT spending rose for 71 per cent of institutions over the last three financial years. Yet 81 per cent of respondents still reported IT expenditure of less than 5 per cent of revenue during 2025-26, a ratio the RBI suggests should be benchmarked against international standards to judge whether Indian institutions are investing enough given the scale of the risks they face.
Why AI has changed the equation
The reason AI-enabled threats have jumped to the top of the risk list comes down to speed and scale. As the RBI’s report notes, rapid advances in AI can increase the sophistication, speed and scale of cyber incidents in ways that traditional attack methods simply cannot match. An AI system can probe for vulnerabilities, craft convincing phishing messages or adapt its approach in real time far faster than a human attacker working alone.
95 per cent of survey respondents named AI-enabled cyber threats among their three most significant risks for the coming year, well ahead of third-party and supply chain risk at 70 per cent, ransomware and malware at 28 per cent, API and application vulnerabilities at 23 per cent, phishing and social engineering also at 23 per cent, and vulnerability or patch management at 14 per cent.
What makes this particularly concerning is that preparedness has not caught up with the perceived threat. Most institutions describe their AI-enabled threat readiness as being in the “developing” (45 per cent) or “intermediate” stage (38 per cent), with only 5 per cent classifying themselves as “mature” and none reaching an “advanced” stage of preparedness.
Separately, the RBI’s Financial Stability Report also devotes attention to the broader implications of frontier AI models for the financial sector’s IT and operational technology systems. The report notes that increased automation of cyberattacks on financial infrastructure creates operational risk for institutions, ranging from service disruptions and financial losses to reputational damage, data breaches and reduced customer confidence.
Beyond individual institutions, the report flags a systemic dimension too: shared vulnerabilities and technology concentration risk, which arise when large numbers of financial entities depend on the same small pool of service providers or shared infrastructure.
The third-party problem
If AI-enabled threats represent the emerging risk, third-party dependency remains the structural one. The survey found that 93 per cent of respondents are partially or substantially dependent on external vendors for cybersecurity functions such as security operations centre monitoring, cloud security, incident response, threat intelligence and vulnerability assessments.
Only 7 per cent of institutions handle these functions mainly in-house, while 77 per cent operate on a hybrid model and 16 per cent rely mainly on third-party support.
This matters because operational dependence on external technology providers for critical applications is moderate to very high for three-fourths of respondents. When a small number of vendors service a large share of the financial sector, a single major incident at one provider could propagate rapidly across multiple institutions, amplifying disruption well beyond what any one bank’s individual defences could contain. The RBI explicitly frames this as a channel through which operational risk at the vendor level can turn into a systemic risk for the financial system as a whole.
Geopolitics adds another layer of uncertainty
The report also links global political tensions directly to cyber risk. 42 per cent of surveyed institutions said that geopolitical uncertainty has increased the likelihood of cyberattacks against them, reflecting a broader pattern where periods of heightened tension between states tend to coincide with more state-affiliated or state-linked cyber activity. This is consistent with the global data the RBI presents, which shows that state and state-affiliated actors, along with non-state groups, have been responsible for a growing share of major cyberattacks worldwide over the past several years.
What the RBI wants fixed
The Financial Stability Report does not stop at diagnosis. It points to specific gaps that need attention. Cybersecurity awareness and training for employees remain areas that require further strengthening, the report notes, given that human behaviour continues to be among the most exploited entry points for cyberattacks. No amount of technological investment fully compensates for an employee clicking on the wrong link.
Forensic preparedness is another weak spot the RBI wants addressed. Strengthening this capability would help institutions respond to incidents more effectively, preserve digital evidence properly, and support regulatory and law enforcement investigations when sophisticated attacks do occur.
The policy response taking shape
On the regulatory front, the Inter-Ministerial Group on the Financial Sector Cybersecurity Strategy, mandated by the Financial Stability and Development Council in August 2025, has continued deliberating on harmonising cybersecurity regulations across the financial sector, building risk frameworks for AI, cloud and quantum computing, strengthening third-party resilience, improving consumer protection, and addressing risks from interconnected critical infrastructure.
The draft strategy is now at an advanced stage, according to the RBI. Once adopted, it will set a governance framework, accountability structures and implementation timelines for regulators, with close coordination between financial regulators, CERT-In, the National Critical Information Infrastructure Protection Centre and technology oversight bodies expected to be essential.
RBI on risks related to AI boom
The RBI’s report also sits closely alongside a warning issued just days earlier by the Bank for International Settlements. In its Annual Economic Report 2026, the BIS named the sustainability of the AI boom as a pressure point threatening the global economy.
The Switzerland-based institution credited AI investment with being the single biggest force supporting global growth over the past year, even as tariffs and a blockade of the Strait of Hormuz threatened stagflation. But it warned that the trillion-dollar buildout of AI infrastructure could itself become the trigger for the next financial crisis, pointing to opaque financing arrangements, circular deals between chipmakers and AI labs, and a rapid expansion of private credit lending to AI and IT firms that now makes up around 15 per cent of those funds’ loan books.
The RBI’s own report carries a strikingly similar warning. It notes that AI-related investments are now permeating bond markets, as hyperscalers such as Microsoft, Meta, Alphabet, Amazon, Oracle and Nvidia ramp up capital expenditure on AI infrastructure even as their free cash flows decline, pushing them toward sharply higher debt issuance over the past two years. That debt financing is expected to rise further as spending expands, and the RBI states plainly that an AI-driven asset price correction could pose systemic risks, since banks may be indirectly exposed through their lending to private credit firms and other intermediaries funding the AI boom.