India’s Banks Are Losing the AI Cyber Arms Race

A new report from Boston Consulting Group and the Data Security Council of India, “Cybersecurity in the Age of AI,” paints a sobering picture of India’s banking and financial services sector: technology is racing ahead of the defenses meant to protect it.

The Numbers Tell the Story

India’s BFSI (banking, financial services, and insurance) sector is attacked 1.6 times as intensely as the global average. Cyber incidents handled by India’s national response agency, CERT-In, have more than doubled since 2021, from 1.4 million to 2.9 million in 2025. Breach costs are climbing 7% year-over-year to $2.5 million on average, and it now takes 263 days to identify and contain a breach, longer than the global average.

The real shift, though, is on the attackers’ side. Artificial intelligence has collapsed the time needed to exploit a software vulnerability from 745 days in 2020 to just 44 days today, a 94% reduction. The cost of mounting a sophisticated attack has fallen by more than 70%. A frontier AI system, the report notes, can now attempt a full enterprise network attack for roughly $80.

Confidence Gap

Despite strengthening technical foundations, Indian CISOs surveyed for the report expressed limited confidence in their readiness. No single security control area crossed the 50% confidence threshold for withstanding an AI-enabled breach. While 76% of CISOs rank AI-powered attacks among their top four concerns, only 19% have raised cybersecurity budgets by more than 10% to address the threat.

AI governance also lags: only 29% of Indian financial institutions have both a designated AI security owner and a formal policy, even as more banks embed AI in daily operations.

The Weakest Links

Third-party and vendor risk emerged as a particular vulnerability. Over half of surveyed executives cited supply chain risk as a top concern, yet fewer than half have mature controls in place. The report points to a real-world warning sign: a single ransomware attack on a shared technology vendor in July 2024 disrupted payment services for roughly 300 cooperative and regional banks simultaneously.

A Call for “Synchronized” Defense

Rather than recommending more standalone controls, the report argues for a fundamental shift in how banks organize cyber defense, one that spans five fronts: aligning cybersecurity with business priorities; breaking down silos between business, risk, legal, and IT teams; treating vendors as extensions of the enterprise; unifying defenses against insider risk and customer fraud; and sharing threat intelligence across the industry rather than working in isolation.

The message from BCG and DSCI is clear. As AI reshapes both offense and defense in cybersecurity, India’s financial institutions that move decisively over the next 12 to 18 months will set the tone for the sector’s resilience and its trustworthiness for the rest of the decade.
