Indian BFSI sector hit by cyberattacks at 1.6x global average: BCG-DSCI report

Share:
Audio Loading voice…
Indian BFSI sector hit by cyberattacks at 1.6x global average: BCG-DSCI report

Synopsis

India's financial sector is absorbing cyberattacks at 1.6 times the global average, and breach containment now takes 263 days on average — a number that is still climbing. A BCG-DSCI report flags mid-sized banks as the most exposed, caught between enterprise-level risk and startup-level security budgets, while AI is simultaneously the sector's biggest threat and its most promising defence tool.

Key Takeaways

India's BFSI sector faces cyberattacks at 1.6 times the global average , per a joint BCG-DSCI report released on 28 May 2025 .
Cyber incidents in the sector more than doubled, rising from 1.4 million in 2021 to 2.9 million in 2025 .
The mean time to contain a breach in India stands at 263 days and continues to rise.
Mid-sized financial institutions are most exposed, carrying large-player risk levels without equivalent cybersecurity investment.
76% of CISOs rank AI-enabled attacks as a top priority for 2026 ; 83% are embedding AI into cyber operations.
The report calls for a shift from compliance-driven frameworks to a synchronised resilience model across business, risk, legal, and technology functions.

India's banking, financial services and insurance (BFSI) sector is absorbing cyberattacks at 1.6 times the global average, with reported incidents more than doubling from 1.4 million in 2021 to 2.9 million in 2025, according to a joint report released on Thursday, 28 May. The findings, published by Boston Consulting Group (BCG) and the Data Security Council of India (DSCI), paint a sobering picture of a sector caught between rapid digitisation and an AI-accelerated threat landscape.

Scale of the Threat

The report reveals that the mean time to contain a breach in India currently stands at 263 days — a figure that continues to rise — underscoring widening gaps in cyber response and remediation capability. This places Indian financial institutions significantly behind global best practices, where containment benchmarks have been tightening.

Notably, mid-sized financial institutions are identified as disproportionately exposed. Rapid digitisation and deep system interconnections have elevated their risk profiles to levels comparable with larger players, without a corresponding increase in cybersecurity investment. This asymmetry, the report warns, is one of the sector's most pressing structural vulnerabilities.

AI Rewrites the Rules of Cyber Risk

Nisha Bachani, Managing Director and Partner at Boston Consulting Group and lead author of the report, said: 'AI has rewritten the economics of cyber risk, compressing the time available for attacks and reducing the cost of launching sophisticated threats.' She added that defence and remediation cycles are still lagging behind, and that the gap between attack speed and response capability is most acute for mid-tier organisations, where risks are high but budgets remain constrained.

The report describes the current environment as a 'synchronous security challenge' — institutions must simultaneously defend against AI-powered attacks, deploy AI tools for their own cybersecurity, and secure the AI systems they have already embedded in operations. Traditional cybersecurity models, it concludes, are no longer adequate.

What CISOs Are Prioritising

The data on industry sentiment reinforces the urgency: 76 per cent of Chief Information Security Officers (CISOs) now rank AI-enabled attacks among their top cyber priorities for 2026, while 83 per cent are actively embedding AI into cyber operations. Meanwhile, 71 per cent of organisations have reached AI-assisted maturity in security operations centres, with a growing cohort beginning to adopt autonomous or agentic security systems.

Regulatory Baseline and What Comes Next

Vinayak Godse, CEO of DSCI, said frontier AI is accelerating the convergence of cyber risk, digital scale, and business resilience in the BFSI sector. He added that the ability to secure AI-driven operations will define future competitiveness and trust in the financial system.

The report acknowledges that regulatory engagement in India has helped build strong cybersecurity baselines. However, it argues that the next phase must move beyond control-heavy compliance frameworks toward a synchronised resilience model — one that integrates business, risk, legal, and technology functions. It also calls for stronger cross-institutional collaboration to improve threat intelligence sharing and tighten third-party risk management frameworks.

With breach containment times rising and AI-driven attack volumes climbing, the sector's ability to close the investment and response gap — particularly among mid-tier players — will be closely watched in the months ahead.

Point of View

A compromised institution may not even know the full extent of its exposure. The report's framing of a 'synchronous security challenge' is accurate but also convenient: it risks becoming an excuse for inaction if institutions treat AI defence as a future investment rather than an immediate operational imperative. The real structural problem is the mid-tier gap — dozens of digitised lenders and insurers operating at systemic scale but without the security architecture to match. India's regulatory push has built a compliance floor, but compliance and resilience are not the same thing, and the distance between them is where the next major breach will occur.
NationPress
13 Jul 2026

Frequently Asked Questions

How bad is the cyber threat facing India's BFSI sector?
India's BFSI sector is facing cyberattacks at 1.6 times the global average, with incidents rising from 1.4 million in 2021 to 2.9 million in 2025, according to a BCG-DSCI report released on 28 May 2025. The mean time to contain a breach stands at 263 days and is still increasing.
Which institutions are most at risk?
Mid-sized financial institutions are identified as the most exposed segment. Rapid digitisation has elevated their risk profiles to levels comparable with larger players, but their cybersecurity investments have not kept pace, creating a significant vulnerability gap.
How is AI changing the nature of cyber threats in banking?
AI is compressing attack timelines and reducing the cost of launching sophisticated threats, according to BCG Managing Director Nisha Bachani. Institutions must now simultaneously defend against AI-powered attacks, use AI for their own defence, and secure their internal AI systems — a challenge the report calls 'synchronous security'.
What are Indian CISOs prioritising for 2026?
76 per cent of CISOs rank AI-enabled attacks among their top cyber priorities for 2026, while 83 per cent are embedding AI into cyber operations. Additionally, 71 per cent of organisations have reached AI-assisted maturity in their security operations centres.
What does the BCG-DSCI report recommend?
The report recommends moving beyond control-heavy compliance frameworks toward a synchronised resilience model integrating business, risk, legal, and technology functions. It also calls for stronger cross-institutional collaboration on threat intelligence sharing and tighter third-party risk management frameworks.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 2 months ago
  2. 2 months ago
  3. 4 months ago
  4. 1 year ago
  5. 1 year ago
  6. 1 year ago
  7. 1 year ago
  8. 1 year ago
Google Prefer NP
On Google