AI Asymmetry: MeitY, CERT-In, CSIRT-Fin and SISA warn India’s BFSI sector is losing the speed war against attackers
India’s banking, financial services, insurance and payments sector is now facing an “AI asymmetry” problem: attackers are using artificial intelligence to move faster than the institutions, regulators and defensive systems built to stop them.
That is the central warning of the second edition of the Digital Threat Report 2025–26, released jointly by the Ministry of Electronics and Information Technology (MeitY), the Indian Computer Emergency Response Team (CERT-In), the Computer Security Incident Response Team in Finance (CSIRT-Fin), and payments-security firm SISA. Tasks that once required specialist teams, real budgets and weeks of planning can now be carried out at machine speed by comparatively low-resource attackers — and the report warns that offensive capability is advancing on a faster curve than the defensive and regulatory mechanisms meant to contain it.
The report backs that warning with a striking number: six of the seven forward-looking predictions made in last year’s edition have already reached full-scale realization. Not “trending toward.” Not “partially observed.” Fully realized. The individual threats behind that number will sound familiar to anyone who follows cybersecurity — social engineering, credential theft, supply-chain compromise, cloud exploitation — but the real story is the speed at which they moved from hypothetical to operational. The report frames this as a structural shift: the gap between a threat being identified and a threat being exploited at scale has collapsed from years to, in some cases, weeks.
Why this matters specifically for BFSI
The sector’s defensive posture has traditionally assumed a rough parity of effort: a sophisticated attack required a sophisticated, well-resourced attacker. AI tooling breaks that assumption. It lowers the cost of mounting a convincing social-engineering campaign, automating reconnaissance, or probing supply-chain weaknesses, while regulatory and institutional defenses — audits, compliance cycles, board-level risk reviews — still move on the older, slower timeline. The report is effectively arguing that this mismatch, not any single new exploit technique, is the defining risk of the coming period.
The disappearing breach
A second, subtler point in the report deserves attention: modern attacks increasingly don’t look like attacks at all. Instead of a visible intrusion — malware alerts, obvious system compromise — the report describes damage arriving disguised as legitimate sessions, approved payments and ordinary workflows, indistinguishable from genuine activity until harm has already occurred.
For an industry built on the assumption that a completed transaction is a trustworthy one, this is a meaningful reframing. It suggests that detection strategies built around spotting anomalies or known malicious signatures are increasingly insufficient, because the attacks are engineered specifically to look normal.
A framework for why controls fail anyway
Perhaps the most practically useful contribution is the report’s “Anatomy of Cyber Failure” — a four-layer framework for understanding why organisations with seemingly adequate security controls still suffer major breaches. Rather than treating each incident as an isolated failure, it reconstructs breaches as chains of compounding weaknesses across layers, letting institutions identify recurring patterns and direct investment toward the gaps that matter most, rather than the ones that are easiest to fix.
This is a notable departure from the incident-by-incident post-mortems that typically follow breaches. It implicitly critiques a common industry habit: patching the specific vulnerability that was exploited in the last incident, without addressing the underlying organisational conditions that allowed it to cascade.
What the report is asking institutions to do next
The report doesn’t stop at diagnosis. It lays out an 18-month roadmap moving institutions from shoring up foundational controls, to building continuous monitoring and assessment capability, to eventually achieving more resilient security architecture as an end state. That sequencing is itself a statement: the authors are explicitly rejecting the idea of periodic, point-in-time security reviews in favor of continuous, always-on risk assessment — a philosophy echoed by CERT-In Director General Dr. Sanjay Bahl, who frames cyber resilience as a shared responsibility across institutions, regulators and the broader digital supply chain, rather than a box-ticking compliance exercise.
SISA’s founder and CEO, Dharshan Shanthamurthy, makes a case that’s worth taking seriously beyond the press-release framing: that BFSI’s entire business model rests on trust — that transactions are genuine, systems behave as intended, and money moves securely through an interdependent network of institutions. When that trust breaks, he argues, the damage is never contained to one firm; it ripples across the wider financial system. That’s a reasonable description of systemic risk in a sector where institutions are deeply interconnected, and it’s the underlying justification for why the report positions cybersecurity as a central business function rather than a peripheral technical one.