India’s Mid-Sized BFSI Players Face Highest Cyber Risk Due To Lower Security Spending: Report

India’s mid-tier banking, financial services and insurance (BFSI) firms have emerged as the most vulnerable to cyberattacks as digital expansion has outpaced cybersecurity spending, according to a report by the Data Security Council of India (DSCI) and Boston Consulting Group (BCG).

The report has revealed that mid-sized private banks, small finance banks, non-banking financial companies (NBFCs) and urban cooperative banks have operated in a high-risk environment because of their growing digital infrastructure and lower cyber defence investments compared with larger institutions.

It also noted that Indian BFSI entities have faced 1.6 times more cyberattacks per organisation than global peers. However, only 38 per cent of Indian BFSI firms have spent more than 10 per cent of their IT budgets on cybersecurity, compared with 76 per cent globally.

Reported cyberattack cases in the sector, including ransomware, phishing, identity theft and data breaches have more than doubled over the last four years, rising from 1.4 million in 2021 to 2.9 million in 2025. The average cost of a data breach has also increased by 7 per cent to $2.5 million during the period.

AI-Powered Threats Have Outpaced Cyber Defences

According to the report, advancements in artificial intelligence (AI) have changed the scale and speed of cyberattacks. The report noted that new AI systems and frontier models have lowered the cost of carrying out attacks while reducing the time needed to exploit vulnerabilities.

The time taken to exploit security gaps has fallen by 94 per cent to 44 days from 745 days earlier. At the same time, the cost of carrying out attacks has declined by 70 per cent.

It also warned that AI-powered cyberattacks, including deepfake-based fraud, identity theft and AI-generated phishing attempts, have become major concerns for financial institutions.

A survey conducted among chief information security officers (CISOs) in the BFSI sector has shown that 43 per cent believe attackers have moved faster than their organisations’ cyber defences. However, only 19 per cent have reported increasing cybersecurity budgets by more than 10 per cent.

The report said that many institutions have directed additional spending toward AI-based security tools, but overall budget increases have remained limited.

Third-Party Risks Adds To Concerns

The report has highlighted that third-party and supply chain risks are one of the biggest concerns for BFSI institutions. It said financial entities have become increasingly dependent on external technology providers, payment systems, cloud infrastructure and software vendors.

According to the survey, only 49 per cent of firms have reported mature cybersecurity practices related to third-party and supply chain risks.

Vulnerabilities in external systems have affected multiple institutions at the same time because of the interconnected nature of the financial sector.

Need For Stronger Cyber Governance

Cybersecurity can no longer remain limited to IT departments and compliance teams, the report noted. It has called for stronger coordination between business units, technology teams, legal departments and risk management functions.

It has also recommended that BFSI institutions strengthen AI-related governance, improve monitoring of external vendors and increase investments in cyber resilience.

“To be truly ready, every BFSI institution must now simultaneously curb AI-powered attacks, deploy AI for defence, and secure its own AI systems as one unified effort,” the report said.