Indian BFSI sector hit by cyberattacks at 1.6x global average: BCG-DSCI report
Synopsis
Key Takeaways
India's banking, financial services and insurance (BFSI) sector is absorbing cyberattacks at 1.6 times the global average, with reported incidents more than doubling from 1.4 million in 2021 to 2.9 million in 2025, according to a joint report released on Thursday, 28 May. The findings, published by Boston Consulting Group (BCG) and the Data Security Council of India (DSCI), paint a sobering picture of a sector caught between rapid digitisation and an AI-accelerated threat landscape.
Scale of the Threat
The report reveals that the mean time to contain a breach in India currently stands at 263 days — a figure that continues to rise — underscoring widening gaps in cyber response and remediation capability. This places Indian financial institutions significantly behind global best practices, where containment benchmarks have been tightening.
Notably, mid-sized financial institutions are identified as disproportionately exposed. Rapid digitisation and deep system interconnections have elevated their risk profiles to levels comparable with larger players, without a corresponding increase in cybersecurity investment. This asymmetry, the report warns, is one of the sector's most pressing structural vulnerabilities.
AI Rewrites the Rules of Cyber Risk
Nisha Bachani, Managing Director and Partner at Boston Consulting Group and lead author of the report, said: 'AI has rewritten the economics of cyber risk, compressing the time available for attacks and reducing the cost of launching sophisticated threats.' She added that defence and remediation cycles are still lagging behind, and that the gap between attack speed and response capability is most acute for mid-tier organisations, where risks are high but budgets remain constrained.
The report describes the current environment as a 'synchronous security challenge' — institutions must simultaneously defend against AI-powered attacks, deploy AI tools for their own cybersecurity, and secure the AI systems they have already embedded in operations. Traditional cybersecurity models, it concludes, are no longer adequate.
What CISOs Are Prioritising
The data on industry sentiment reinforces the urgency: 76 per cent of Chief Information Security Officers (CISOs) now rank AI-enabled attacks among their top cyber priorities for 2026, while 83 per cent are actively embedding AI into cyber operations. Meanwhile, 71 per cent of organisations have reached AI-assisted maturity in security operations centres, with a growing cohort beginning to adopt autonomous or agentic security systems.
Regulatory Baseline and What Comes Next
Vinayak Godse, CEO of DSCI, said frontier AI is accelerating the convergence of cyber risk, digital scale, and business resilience in the BFSI sector. He added that the ability to secure AI-driven operations will define future competitiveness and trust in the financial system.
The report acknowledges that regulatory engagement in India has helped build strong cybersecurity baselines. However, it argues that the next phase must move beyond control-heavy compliance frameworks toward a synchronised resilience model — one that integrates business, risk, legal, and technology functions. It also calls for stronger cross-institutional collaboration to improve threat intelligence sharing and tighten third-party risk management frameworks.
With breach containment times rising and AI-driven attack volumes climbing, the sector's ability to close the investment and response gap — particularly among mid-tier players — will be closely watched in the months ahead.