Banks have traditionally treated trust as an outcome.
The Digital Threat Report 2025–26 suggests it should now be treated as an asset class.
Released jointly by the Ministry of Electronics and Information Technology (MeitY), CERT-In, CSIRT-Fin, and cybersecurity firm SISA, the second edition of the report arrives at a pivotal moment for India’s Banking, Financial Services and Insurance (BFSI) ecosystem. The country’s financial infrastructure is processing record volumes of digital transactions, expanding the use of artificial intelligence, accelerating cloud adoption and deepening its dependence on interconnected digital platforms. Yet the report’s most significant finding is not the increase in cyberattacks or the growing sophistication of threat actors. It is the emergence of trust itself as a primary target.
Across identities, software ecosystems, third-party relationships and financial infrastructure, cyber threats are increasingly exploiting the assumptions that make digital finance possible. In doing so, they are transforming cybersecurity from a technology discipline into a broader challenge of operational resilience, business continuity and systemic stability. The report effectively argues that the next generation of cyber risk will not be defined by how systems are breached, but by how trust is manipulated, exploited and monetized.
A Financial System Operating at Unprecedented Scale
India’s digital finance ecosystem has undergone a transformation unmatched by most major economies. Real-time payments, digital onboarding, API-led banking, embedded finance and cloud-native platforms have reshaped how financial services are delivered and consumed. The efficiency gains are undeniable, but so is the expansion of the attack surface.
The report notes that cyber incidents in India have increased from approximately 1.4 million in 2021 to nearly 2.9 million in 2025, while the BFSI sector experiences cyberattack at roughly 1.6 times the global average. These figures highlight not only the attractiveness of financial institutions as targets but also the increasing complexity of defending highly interconnected environments.
More importantly, the report suggests that the threat landscape can no longer be assessed purely through the lens of attack volume. The greater concern is the convergence of digital dependency and digital concentration. As more institutions rely on common cloud providers, software vendors, payment rails and technology partners, vulnerabilities are becoming increasingly interconnected. A weakness in one part of the ecosystem can now generate consequences across multiple institutions simultaneously.
AI Asymmetry: The New Risk Multiplier
Among the report’s most consequential findings is the concept of AI asymmetry, which it identifies as one of the defining risks facing financial institutions over the coming years.
Traditionally, sophisticated cyber operations required specialist teams, substantial resources and lengthy preparation cycles. Artificial intelligence is rapidly altering that equation. Activities such as reconnaissance, vulnerability identification, social engineering, malware development and phishing campaigns can increasingly be automated and executed at machine speed. The result is that offensive cyber capabilities are advancing on a faster trajectory than many defensive and regulatory mechanisms designed to contain them.
The report cites emerging examples that demonstrate this shift. One referenced case involved GTG-1002, an AI-orchestrated cyber espionage campaign in which artificial intelligence reportedly conducted between 80% and 90% of operational activities across multiple targeted organizations. Another example highlighted an AI model capable of identifying over 23,000 vulnerabilities, including more than 1,000 classified as high or critical severity. These examples illustrate how AI is lowering barriers to entry while simultaneously increasing the scale and speed of cyber operations.
For financial institutions, the significance extends beyond technology. AI is fundamentally changing the economics of cybercrime. When attack capabilities become cheaper, faster and more accessible, cyber risk evolves from an operational concern into a strategic business risk.
Why Trust Has Become the New Attack Surface
A recurring theme throughout the report is that attackers are increasingly targeting trust rather than infrastructure.
Historically, cybersecurity focused on protecting networks, servers and endpoints. Today’s threat actors are increasingly interested in manipulating the assumptions that underpin digital interactions. Deepfake technologies, synthetic identities, AI-generated communications and highly personalized phishing campaigns are enabling attackers to exploit human trust with unprecedented sophistication.
The report categorizes this evolution into three broad domains: attacks on human trust, attacks on software trust and attacks on infrastructure trust. Human trust is being challenged through deepfakes, identity fraud and AI-powered social engineering. Software trust is under pressure from supply-chain compromises, malicious dependencies, API abuse and vulnerabilities embedded within interconnected platforms. Infrastructure trust faces risks from ransomware, cryptographic weaknesses, IoT vulnerabilities and future quantum-computing threats.
The common thread across these categories is that breaches increasingly occur where trust is assumed rather than verified. This represents a fundamental shift from conventional cybersecurity models that focused primarily on perimeter defence and technical controls.
The Growing Strategic Importance of Third-Party Risk
One of the strongest messages emerging from the report is that cyber resilience can no longer be viewed solely through an internal organizational lens.
Modern financial institutions operate within extensive ecosystems of cloud providers, fintech partners, software vendors, payment processors and outsourced service providers. These relationships have become essential for innovation and scalability, but they have also created new concentrations of risk. The report highlights several incidents where compromises involving a single trusted vendor generated exposure across multiple institutions simultaneously.
This reflects a broader reality of digital finance. The weakest security control may no longer reside within a bank’s own environment. Instead, it may exist somewhere within its supply chain, software dependencies or partner ecosystem. As financial institutions become increasingly interconnected, organizational resilience becomes inseparable from ecosystem resilience.
The implications extend to governance and risk management frameworks. Traditional vendor due diligence exercises and annual compliance reviews may no longer provide sufficient visibility into continuously evolving cyber risks. Institutions must increasingly adopt dynamic monitoring, continuous validation and deeper scrutiny of critical third-party relationships.
The Compression of Time in Cyber Risk
The report repeatedly highlights another emerging challenge: speed.
Cybersecurity has traditionally relied on a sequence of prevention, detection, investigation and remediation. However, technological advances are compressing the time available for each stage. Threat actors can now identify vulnerabilities, exploit weaknesses and monetize attacks significantly faster than many organizations can detect and respond to them.
One of the report’s most striking observations is that the average breach identification and containment cycle remains approximately 263 days, while vulnerability exploitation windows continue to shrink. In some cases, newly discovered weaknesses are being weaponized within hours rather than weeks or months.
This imbalance creates a structural challenge for institutions that continue to depend heavily on periodic security reviews and compliance-driven assessments. In an environment where attackers operate continuously, resilience increasingly depends on continuous assurance rather than point-in-time validation.
Beyond Compliance Towards Continuous Assurance
The report makes a compelling distinction between compliance and security.
Many institutions successfully satisfy regulatory requirements and maintain mature control frameworks. Yet compliance alone does not guarantee resilience against emerging threats. The report highlights instances where controls passed formal assessments but failed when confronted with real-world adversarial techniques.
To address this gap, the report advocates a shift towards continuous assurance models. This includes ongoing validation of critical controls, adversarial testing, proactive threat simulations and stronger integration between cybersecurity, operational risk and business continuity functions. The objective is not simply to demonstrate compliance but to continuously evaluate whether security assumptions remain valid under changing threat conditions.
This recommendation aligns closely with broader developments across financial regulation and enterprise risk management, where resilience is increasingly measured by an organization’s ability to withstand and recover from disruption rather than merely prevent it.
From Cybersecurity to Trust Security
Viewed narrowly, the Digital Threat Report 2025-26 is a cybersecurity assessment of the BFSI sector. Viewed strategically, it is a report about the future of trust in a digital economy.
Its central argument is that the foundations of digital finance; identity, software, data, infrastructure and third-party ecosystems are becoming increasingly dependent on continuous trust verification. As artificial intelligence accelerates attack capabilities and financial systems become more interconnected, preserving that trust will become a defining responsibility for institutions, regulators and risk leaders.
The report therefore signals a broader shift in risk management thinking. The challenge facing financial institutions is no longer confined to protecting systems from intrusion. It is about maintaining confidence in the digital mechanisms through which finance now operates.
In that sense, the future of cybersecurity may be defined less by the protection of technology and more by the protection of trust itself. And for an economy rapidly digitizing at scale, that distinction may prove to be one of the most important risk conversations of the decade.
