AI-led cyber threats top risk for lenders over next 12 months, finds RBI survey

Banks and non-bank lenders see AI-enabled cyber threats as the biggest risk to their businesses over the next 12 months, according to a Reserve Bank of India (RBI) survey.

The survey, cited in RBI’s Financial Stability Report on Tuesday, was conducted across major Indian banks and NBFCs to assess cyber risk preparedness.

“Survey responses indicate that AI-enabled threat preparedness is at varying stages of formalisation and implementation within their existing cyber risk management frameworks,” it said.

Most respondents classified themselves in the ‘developing’ or ‘intermediate’ stages, while a smaller share reported in the ‘mature’ stage. “Rapid advances in AI can increase the sophistication, speed and scale of cyber incidents,” it said.

Top Indian banks are racing to gauge how vulnerable they are to cyberattacks backed by AI models such as Claude Mythos, seeking help from consultants to submit a report to the regulator by the month-end deadline, Mint reported on 12 June quoting industry executives. Engaging experts is crucial for them due to the paucity of skilled AI engineers within the banks.

In April, the RBI had given banks two months to come up with a board-approved review of their cybersecurity gaps and a time-bound action plan. They were also asked to formulate a comprehensive AI governance and security framework.

On Tuesday, RBI said that cyber risk has become a key financial stability concern in an increasingly digital and interconnected financial system. Cyber incidents can disrupt critical financial infrastructure through service outages, data loss, and payment system interruptions, while also eroding public trust in the financial system, it said.

“While 79% of respondents reported that over three-fourths of customer transactions are conducted digitally, institutions generally viewed their cyber risk exposure as manageable, with 98% rating current risk levels as very low to moderate, suggesting confidence in the adequacy of their existing risk management frameworks,” it said.

This assessment, RBI said, is consistent with operational outcomes, as institutions reported minimal disruption to critical customer services during 2025–26, and incidents that did occur were largely contained within 24 hours.

Nearly one-third of respondents reported a moderate or significant increase in cyber risk compared with a year earlier, highlighting growing uncertainty amid a challenging threat environment.

“The evolving cyber threat landscape necessitates continuous investment in technological and cybersecurity capabilities.”

However, RBI said there are signs of strengthening cyber preparedness, as reflected in rising investments in human capital and cybersecurity infrastructure. Between March 2025 and March 2026, around 67% of respondents reported an increase in IT and cybersecurity staffing, it said.

“Furthermore, the cybersecurity expenditure as a share of IT expenditure has increased for 71% of the respondents in the last three financial years.”