The report cautioned that rapid advances in AI can increase the sophistication, speed and scale of cyber incidents.
| Photo Credit:
istock.com

The evolving cyber threat landscape necessitates continuous investment in technological and cybersecurity capabilities by banks and non-banking financial companies (NBFCs), RBI said in the latest Financial Stability Report (FSR).

The report noted that AI-enabled cyber threats emerged as the leading perceived risk over the next 12 months.

FSR highlighted that India remains exposed to cyber attack risks, with a relatively high volume of cyberattacks (the country ranks third after Russia and Ukraine) compared to other emerging market economies.

The report stated that geopolitical tensions can heighten cyber risk concerns and reinforce the need for vigilance against evolving threat activity. Reflecting this concern, 42 per cent of surveyed institutions indicated that geopolitical uncertainty has increased the likelihood of cyberattacks

The aforementioned observations come in the backdrop of cyber risk becoming a key financial stability concern in an increasingly digital and interconnected financial system.

“Cyber incidents can disrupt critical financial infrastructure through service outages, data loss, and payment system interruptions, while also eroding public trust in the financial system.”

“The rapid adoption of digital financial services in recent years has expanded the attack surface for malicious actors, contributing to a global rise in cyberattacks since 2020,” per RBI’s survey of 33 Scheduled Commercial Banks and 10 Upper Layer NBFCs.

AI-enabled threat preparedness

The report cautioned that rapid advances in AI can increase the sophistication, speed and scale of cyber incidents. Survey responses indicate that AI-enabled threat preparedness is at varying stages of formalisation and implementation within their existing cyber risk management frameworks.

Most respondents classified themselves in the ‘Developing’ or ‘Intermediate’ stages, while a smaller share reported in ‘Mature’ stage. The report said this may be viewed in the context of AI-enabled cyber threats being an evolving risk area, where continued, risk-based strengthening of preparedness measures would be expected, building on entities’ existing cyber security control frameworks.

Accordingly, continued strengthening of threat monitoring, detection, response, employee awareness, incident readiness and resilience capabilities under regulatory guidance would remain important. In this regard, regulatory harmonisation across the financial sector will be crucial.

Third party dependency

Third-party dependency and supply chain risk was ranked as the second most important cyber risk in the survey. 93 per cent of the respondents are partially or substantially dependent on external vendors for cybersecurity-related functions such as security operations center (SOC) monitoring, cloud security, incident response, threat intelligence, vulnerability assessments, etc.

Moreover, operational dependence on third-party technology service providers for critical applications is moderate to very high for three-fourths of the respondents.

The report underscored that increasing reliance on outsourcing introduces supply chain risk, especially where a limited number of service providers support multiple financial institutions simultaneously. A major cyber incident affecting any such provider could propagate rapidly across regulated entities, amplifying operational disruptions and posing risks to financial stability.

Closely linked to third-party risks are challenges related to technology obsolescence and patch management, the report said.

Survey findings suggest that Indian financial institutions are proactively managing technology life-cycle risks. Across key risk categories, including unsupported or end-of life systems, systems awaiting major upgrades, and systems unable to receive vendor security patches, 93 per cent of respondents reported either no or low exposure in their critical services and applications.

This reflects a strong foundation for operational resilience, although continued vigilance remains essential given the rapid emergence of new vulnerabilities.

IT expenditure

As per the survey, 81 per cent of respondents reported IT expenditure of less than 5 per cent of revenue during 2025-26. The reported IT expenditure ratios may, however, vary across entities depending on, inter alia, business model, group-level technology arrangements, technology sourcing/ outsourcing model, and timing of major technology investments.

“Nonetheless, there are signs of strengthening cyber preparedness, as reflected in rising investments in human capital and cybersecurity infrastructure. Between March 2025 and March 2026, around 67 per cent of respondents reported an increase in IT and cybersecurity staffing,” the survey said.

Furthermore, the cybersecurity expenditure as a share of IT expenditure has increased for 71 per cent of the respondents in the last three financial years.

Published on July 1, 2026



Source link

YouTube
Instagram
WhatsApp