NEW DELHI/MUMBAI: India’s largest banks are stepping up cyber defences, hiring, and insurance coverage as concerns grow that advanced AI systems could make cyberattacks faster and harder to contain, exposing gaps in preparedness and protection.
The pressure has risen after a finance ministry meeting with top banking executives on 23 April focused on banks’ preparedness for AI-linked cyber threats. The meeting came weeks after Anthropic unveiled Claude Mythos, a frontier AI model the company said could identify vulnerabilities and conduct cyberattacks at unprecedented speed.
Concerns around AI-enabled attacks have grown since September last year, when a cloud storage server exposed personal banking data of nearly 300,000 individuals, including loan account details linked to several large banks and non-banking finance companies.
India’s largest private lender, HDFC Bank, told Mint it reviews cyber insurance annually and is now widening coverage as risks evolve.
“The bank is continuously strengthening its cyber security posture, including hiring highly-skilled talent across security engineering, developer security operations, red-teaming or simulation of cyber attacks, and AI security,” said Ramesh Lakshminarayanan, group head of information technology and chief information officer at HDFC Bank.
At Axis Bank, teams participate in programmes such as adversarial AI and ‘red teaming’ to simulate attacks. They also receive training in Al-driven threat detection and analytics in the bank’s security operations centre, said Vinay Tiwari, the bank’s chief information security officer.
“Our approach is to build a cybersecurity operating model that is proactive, adaptive and continuously monitored, ensuring resilience against emerging threats, including those driven by AI,” Tiwari added.
4.1 million cyberattacks every month last year, up 15% on year. Reserve Bank of India data recorded 248 cyber incidents involving scheduled commercial banks during the year.
The rise in incidents has raised concerns among banks about their preparedness for faster and more complex attacks.
On 13 April, Cisco Systems, part of Anthropic’s initial Claude Mythos AI trial group, released an eight-page document for banking, financial services and insurance (BFSI) firms on security practices. Mint independently reviewed the document.
Cisco recommended standardising cyber defence and embedding ’active cyber defence’ into bank systems. “Integrating AI into acceptance and validation phases significantly reduces the deployment bottleneck, compressing the transition from code-complete to field deployment from months to days,” the note by Cisco said.
Aditya Varma, leader for public sector security, India and Saarc at Cisco Systems, said risks for banks are rising sharply.
“The truth is that even though banks are more sophisticated than other enterprises in technology adoption, they are also exponentially more exposed to cyber threats. We’re already hearing of malicious large language models such as TA457 and VoidLink that can create threats we don’t even know of today, and all it will take for us to see a WannaCry-level global, multi-billion-dollar disruption is for one of India’s major banks to face an unprecedented outage and attack,” Varma said.
Jayant Saran, partner for forensic and financial crime at Deloitte, added that a lack of ample skilled engineers is compounding the concerns at India’s top banks.
“The average info-sec officer at a bank is a managerial executive, and pretty much none of India’s biggest banks have the kind of engineers with the sophisticated skills that the current level of AI threats will need BFSI firms to have. There’s no answer to this, because there aren’t enough such engineers either. Bank chiefs are already looking for ways to bridge this gap,” Saran said.
India has about 350,000 cybersecurity professionals across roles, against demand for nearly one million engineers, according to staffing industry estimates.
Cyber insurance has also struggled to keep pace.
According to a senior banker, while banks have cyber insurance, most policies do not cover Al-related incidents. “While there are yearly external audits that point out how much and what kind of insurance a bank needs, newer risks will have to be covered through add-ons and products that are hardly available in India,” the banker said.
Insurers and brokers say Al-specific cyber products remain at an early stage.
Smita Tibrewal, chief insurance officer at Generali Central Insurance, said offerings are beginning to emerge in the market, but they remain at a relatively early stage of development.
“Underwriting Al-related cyber risks is complex, primarily because the market is still in its infancy and historical claims data remains limited. This lack of precedent makes risk modelling and pricing more challenging,” she added.
Amit Goel, director at insurance broker Equirus Raghnall Insurance Broking, added that there are very few AI add-ons available to banks, even in enterprise-grade cyber insurance.
“While BFSI has rapidly adopted AI for customer servicing, underwriting, fraud analytics and operations, insurance products have not evolved at the same pace. While some global insurers and Lloyd’s insurance marketplace are evaluating AI extensions, there are very limited structured offerings specific to AI cyber exposures,” he added.
Together, these gaps in capability and coverage are creating a widening risk window for banks.
Abhinav Bansal, head of risk advisory at BCG India, said are rising because they
come from general improvements in AI systems, not from systems built specifically for security testing.
“These threats are likely to thus diffuse across other AI models sooner than later. This can reduce the cost and time of vulnerability discovery of IT systems, reducing the cost and ease of a cyber attack, while increasing the financial damage of it. This is only likely to aggravate. Banks must thus act fast, and be decisive,” Bansal said.