
AI cyber threats: Sitharaman urges bank upgrades in 2025-26

Why the finance ministry is raising the alarm

Union Finance Minister Nirmala Sitharaman has warned that even decades of strong cybersecurity may not be enough for Indian banks to withstand artificial intelligence-driven threats. She told banks to adopt a more versatile and proactive posture as advanced AI models can be misused to weaponise software vulnerabilities. The message comes as digitisation expands across banking, payments, and customer onboarding, increasing the number of systems exposed to attack. Sitharaman’s intervention is notable because it ties operational cyber preparedness to systemic stability concerns. It also aligns with the Reserve Bank of India’s tighter cybersecurity expectations for 2025-26 across banks, NBFCs, and payment companies. The immediate focus is on identifying weaknesses that AI-enabled attackers could exploit faster and at greater scale.

What happened at the high-level meeting

Sitharaman’s remarks followed a high-level meeting held on Thursday with Union Minister for Electronics and Information Technology Ashwini Vaishnaw. Participants included the Reserve Bank of India, NPCI, CERT-In, and chiefs of scheduled commercial banks. The meeting assessed risks from advanced AI models, specifically the possibility of these tools being used to weaponise vulnerabilities in software and digital systems. Department of Financial Services Secretary M. Nagaraju and CERT-In Director General Dr Sanjay Bahl also attended. The presence of RBI, NPCI, and CERT-In indicates the discussion went beyond one bank’s controls to sector-wide interdependencies. The meeting also reflects a policy view that cyber risk now has direct implications for payments resilience and public trust.

IBA-led mechanism: not a new committee

Sitharaman directed banks to work under an Indian Banks’ Association-led mechanism to identify vulnerabilities and review vendor dependencies. She clarified that this is not a new committee but a process to drive coordinated action. The emphasis on vendor dependencies reflects rising reliance on third-party technology providers across core banking, cloud, cybersecurity tooling, and payment interfaces. Concentration risk and vendor lock-ins have been flagged by the RBI as a fragility point in a highly interconnected financial ecosystem. The IBA-led format can help standardise expectations, surface common gaps, and reduce response times when a threat emerges. But the article also makes clear the intent is practical execution, not another layer of governance.

Immediate operational directions to banks

Sitharaman urged banks to bring in specialised cybersecurity professionals and agencies to strengthen defensive and monitoring capabilities. She advised banks to immediately report suspicious activity to CERT-In, reinforcing the importance of early escalation. The finance ministry also advised a robust real-time threat intelligence sharing mechanism among banks, CERT-In, and other agencies. The goal is early detection and rapid dissemination of emerging threats, particularly those that can spread quickly across similar technology stacks. Real-time sharing is presented as a way to reduce blind spots across institutions and shorten the time between detection and containment. These steps are framed as essential as attackers increasingly use AI to automate reconnaissance, phishing, and exploit development.

RBI’s tightened expectations in 2025-26

The RBI has significantly tightened cybersecurity expectations for banks, NBFCs, and payment companies in 2025-26. The shift is linked to the RBI’s Master Directions on IT Governance (2024), the DPDP Act enforcement timeline crystallising, and the growing frequency of payment fraud. The article highlights that board-level IT governance is now mandatory, including a dedicated IT Strategy Committee at the board level. It also states that an IT Risk Framework must be approved by the board, not only senior management. Another key change is that a Cyber Crisis Management Plan is mandatory for all covered entities, not just large banks. Third-party risk management has been tightened, including exit clauses, concentration risk monitoring, and annual audits of critical vendors.

What banks are required to implement: operational checklist

The requirements outlined include half-yearly vulnerability assessment and penetration testing of internet-facing and critical internal systems by a CERT-In empanelled firm. A 24×7 Security Operations Centre is mandatory for Tier I and Tier II banks, while SOC functions are required for all regulated entities, with quarterly reporting to the board. A documented Cyber Crisis Management Plan aligned with CERT-In guidelines must be reviewed annually, with half-yearly drills. Independent IT audits by CISA-certified or equivalent professionals are required annually and must be reported to the Board Audit Committee. Patch management requires a formal policy and defined timelines for patching critical vulnerabilities, with ongoing reporting. Incident reporting includes reporting significant incidents via the RBI’s CIMS portal within 6 hours and submitting a post-incident root cause analysis within 21 days.

Core requirements table (as described)

| Requirement Area | What’s Required | Timeline/Frequency |
| --- | --- | --- |
| Vulnerability Assessment & Penetration Testing (VAPT) | Mandatory VAPT of internet-facing and critical internal systems by CERT-In empanelled firm | Half-yearly minimum; annual for internal systems |
| Security Operations Centre (SOC) | 24×7 SOC mandatory for Tier I and Tier II banks; SOC functions required for all regulated entities | Continuous; quarterly reporting to Board |
| Cyber Crisis Management Plan (CCMP) | Documented CCMP aligned with CERT-In guidelines; tabletop exercises and drills | Annual plan review; half-yearly drill |
| IT Audit | Independent IT audit by CISA-certified or equivalent professional; includes IS audit of critical systems | Annual; report to Board Audit Committee |
| Patch Management | Formal patching policy; critical vulnerabilities patched within defined SLA (typically 30 days) | Ongoing; monthly reporting |
| Business Continuity & DR | BCP/DRP with defined RTO/RPO; DR site mandatory for Tier I banks and systemically important NBFCs | Annual drill; report to Board |
| Incident Reporting to RBI | Report cyber incidents via CIMS portal; initial report within 6 hours for significant incidents | As required; post-incident root cause within 21 days |
| Third-Party Risk Management | Risk assessment of critical vendors; contractual security clauses; annual vendor audits | Annual formal review; continuous monitoring |

Risk backdrop: breaches, frauds, and RBI red flags

The RBI has warned that expanding digital financial services, cloud-based infrastructure, and interconnected systems have increased the cyberattack surface. It also flagged rising risks of social engineering and phishing scams powered by generative AI tools such as deepfakes. The RBI has pointed to vendor lock-ins and concentration risks due to overreliance on a few major cloud and IT vendors. Separately, India’s banks reported 248 successful data breaches between June 2018 and March 2022, according to a government response in Parliament. Of these, 41 were reported by public sector banks, 205 by private banks, and two by foreign banks. On the fraud side, for April to September 2024, banks reported digital (card and internet) frauds worth ₹514 crore across 13,133 cases, compared with ₹630 crore across 12,069 cases in the same period last year. Internet and card frauds accounted for 44.7% of total frauds by amount and 85.3% by number of cases in that period.

Enforcement signals: penalties and supervisory push

The article notes multiple enforcement actions and supervisory steps that shape bank behaviour. After Union Bank of India was found to have generated seven fraudulent SWIFT messages totalling $171 million in 2016, the RBI penalised it ₹10 lakh. When SBM Bank (Mauritius) at its Indian operations failed to implement SWIFT controls, the RBI imposed a ₹3 crore penalty for non-compliance with time-bound strengthening of SWIFT-related controls. For cooperative banks, the RBI imposed a ₹5.93 crore penalty on Mehsana Urban Co-operative Bank on July 3, 2024, including for not implementing basic cyber security control measures under the RBI framework. Bank of Maharashtra was penalised ₹1.27 crore in August 2024 for violations spanning loan delivery, cyber security, and KYC, and Smriti Nagrik Sahakari Bank was penalised ₹2.5 lakh in July 2025 for failing the comprehensive UCB cyber framework. The RBI has also conducted Cyber Security and Information Technology Examination (CSITE) inspections and issued action points to address deficiencies, distinct from routine annual risk assessment inspections.

Market impact: why investors track cyber readiness

Cybersecurity failures can translate into operational disruption, fraud losses, regulatory penalties, and reputational damage for banks and payments companies. The tighter RBI posture in 2025-26 raises the compliance bar, increasing the need for investment in governance, monitoring, audits, and vendor oversight. The finance ministry’s push for AI-ready defences and real-time threat sharing is aimed at reducing systemic contagion risk, especially where multiple banks depend on similar vendors or common payment rails. The reported scale of digital frauds, alongside breach disclosures and inspection-driven action points, reinforces that cyber risk is not abstract for bank balance sheets and customer trust. For listed lenders, market participants typically watch for governance strength, incident handling discipline, and evidence of readiness for evolving threats, especially those amplified by AI. The RBI has also flagged mule accounts and urged stronger customer onboarding and transaction monitoring systems, linking cyber controls to fraud prevention.

Conclusion

Sitharaman’s warning that existing cyber safeguards may not be sufficient against AI-driven threats has been paired with clear directions on real-time threat sharing, specialist capability building, and an IBA-led vulnerability identification process. The push comes as RBI expectations tighten in 2025-26, with board-level IT governance, incident reporting timelines, vendor risk controls, and mandated testing and drills becoming central compliance themes. The next steps for banks are likely to revolve around implementing the operational checklist, strengthening reporting and coordination with CERT-In, and closing gaps identified through inspections and audits.

Frequently Asked Questions

She warned that existing cybersecurity safeguards, even if robust, may not be sufficient against emerging AI-driven cyber threats.
The meeting involved Ashwini Vaishnaw, the RBI, NPCI, CERT-In, and chiefs of scheduled commercial banks, along with DFS Secretary M. Nagaraju and CERT-In DG Dr Sanjay Bahl.
It is an IBA-led process, not a new committee, to identify vulnerabilities and review vendor dependencies across banks.
They include board-level IT governance, a board-approved IT risk framework, mandatory CCMP for covered entities, tighter third-party risk management, VAPT, SOC functions, and time-bound incident reporting.
Banks reported digital frauds of ₹514 crore in 13,133 cases for April-September 2024, and 248 successful bank data breaches were reported between June 2018 and March 2022.
