The new cybersecurity imperative
Safety must match digital scale in banking to maintain trust
 "The new cybersecurity imperative")
For a long time, the strength of a bank was assessed mainly through traditional measures: Capital, liquidity, asset quality and profitability. These measures still remain relevant. However, with increasing digitalisation, another question has become equally important: How well is the bank protected against cyber threats that can disrupt services, compromise data, enable fraud or affect payment flows?
Today, banks are no longer self-contained institutions. They operate through digital platforms, payment networks, cloud services, fintech partnerships, and outsourced providers. Each link improves reach and efficiency, but also creates a potential entry point for risk.
Protecting against these risks cannot be left to technology teams alone. A cyber incident may begin with a malicious link, a compromised credential, a vulnerable vendor, or a technology outage. Its consequences, however, can quickly become institutional, affecting customers, operations, compliance, reputation and, in some cases, the wider financial ecosystem.
Cyber risk is banking risk: The nature of cyber risk is changing rapidly. Cyberattacks are becoming more organised, targeted and difficult to detect. Ransomware, credential theft, phishing, business email compromise, malware, denial-of-service attacks and supply-chain compromises are now part of the regular threat landscape.
Artificial intelligence (AI) is adding a new dimension. Banks can use AI for anomaly detection, security analytics, and fraud monitoring. At the same time, criminals can use it to create more convincing phishing messages, deepfake voices, and highly personalised fraud attempts.
Frontier generative AI tools, such as Anthropic’s unreleased Claude Mythos Preview, point to a sharper risk that vulnerabilities may be discovered, tested and exploited faster than banks and other financial system participants can identify, prioritise, and remediate them.
The response must, therefore, be institutional and system-wide, not episodic. Cyber risk needs to be integrated into enterprise risk management, internal controls, compliance, audit, outsourcing arrangements and supervisory engagement. It should be assessed with the same seriousness as other material banking risks, with clear ownership, escalation, and accountability.
Beyond prevention: Banks must strive to prevent cyberattacks through strong controls, secure systems, vigilant monitoring, and disciplined cyber hygiene. Yet, given the complexity of today’s digital environment, they must also prepare for early detection of unusual activity, impact containment, continuity, and quick recovery.
This requires banks to identify their critical operations, systems, datasets and third-party dependencies. Business continuity and disaster recovery plans must address cyber-specific scenarios, not merely generic outages. Backups must be protected, incident response teams must know their roles, and forensic readiness must ensure preservation of logs, evidence, and audit trails. Communication with customers, regulators and law enforcement must be timely and accurate.
The boardroom dimension: The responsibility for cybersecurity cannot stop with the Chief Information Security Officer, or the technology function. Boards and senior management need not become cybersecurity specialists, but they must ask the right questions. Which services are most critical? What are the major cyber scenarios facing the bank? How quickly can essential operations be restored? Are material vendors and privileged users adequately monitored? Are cyber drills realistic? Are lessons from incidents translated into stronger controls?
The idea is not to overload boards with technical details, but to ensure informed oversight. Cybersecurity should form part of risk appetite, business strategy, outsourcing decisions, internal audit, compliance reviews and crisis preparedness. A bank’s digital growth must be matched by clear accountability.
The customer interface: Many incidents now arise at the customer interface, where fraudsters exploit fear, urgency, misinformation, or a lack of awareness. A customer may be persuaded to share credentials, install a remote access app, disclose an OTP, scan a QR code or transfer funds under deception.
Banks, therefore, need to look beyond system security and strengthen customer-facing controls. Behavioural alerts, transaction monitoring, cooling periods for high-risk transactions, mule account detection, quicker responses to complaints and clear customer communication are all part of safe digital banking. The objective is not to make digital banking difficult, but to make risky behaviour harder to exploit.
Staff behaviour is a key component: Technology investment alone cannot secure a bank. It must be matched by staff training and cyber hygiene, as even a small lapse can create an opening. Employees must handle credentials carefully, use privileged access responsibly, oversee vendor staff, and escalate red flags without delay.
Regulation and collective defence: From a regulatory perspective, the challenge is to keep the framework proportionate, risk-based, and responsive to a fast-changing threat environment. Expectations relating to Information Technology (IT) governance, digital payment security, outsourcing, fraud risk management, and incident reporting are intended to reinforce a common discipline across regulated entities, while allowing technology and business models to evolve. Their effectiveness, however, lies not in formal compliance alone, but in how banks embed them into their systems, processes, controls, and governance frameworks.
India has also built an institutional architecture for coordinated response. The Indian Computer Emergency Response Team (CERT-In), the Computer Security Incident Response Team-Finance Sector (CSIRT-Fin), the Indian Cyber Crime Coordination Centre (I4C), National Payments Corporation of India (NPCI) fraud-monitoring arrangements, and the Reserve Bank of India’s supervisory engagement all form part of this wider ecosystem. The task now is to leverage these channels with speed, accuracy and feedback. A fraud pattern detected by one institution should become an early warning for others, and a vulnerability identified in one part of the system should be addressed before it is exploited elsewhere.
Building security into digital growth: India’s digital financial ecosystem has achieved remarkable scale, brought banking closer to the citizen, and supported wider participation in the formal economy. This scale is a major strength. It also means that safety must be built into products, platforms and partnerships from the design stage itself.
The next phase will bring new challenges. Open banking, embedded finance, cloud concentration, digital currencies, AI-enabled attacks and future developments in quantum computing will test existing security models. Banks will, therefore, need to invest not only in technology, but also in skills, governance, testing, incident response and customer communication. The institutions that do this well will be those that treat cybersecurity not as an afterthought, but as an essential condition for sustainable digital growth.
The author is Deputy Governor, Reserve Bank of India. The views are personal