Mint flags AI hacker threat

Mint reported on May 20 that Indian banks are scrambling to harden cyber defences as AI tools make phishing, malware development and intrusion attempts faster and more complex. The report said lenders are adding specialist staff, reviewing incident-response plans and increasing insurance coverage as they prepare for more automated attacks. The story lands against an existing Indian regulatory backdrop that already requires fast reporting of cyber incidents and closer oversight of third-party vendors. That combination has pushed banks to treat AI-enabled threats as an operations problem as much as a technology one. ### Why are banks treating AI tools as a step-change in cyber risk? Mint said the concern inside Indian banks is not only that attacks are increasing, but that AI tools can compress the time needed to craft convincing phishing lures, probe systems and scale fraud attempts. The report described banks responding with more defensive spending, more cyber hiring and more insurance cover. The Reserve Bank of India has warned for years that the “number, frequency and impact” of cyber incidents in banking had increased and required a stronger resilience framework. (livemint.com) RBI’s June 2, 2016 cyber security framework for banks set the baseline expectation that banks maintain robust preparedness on a continuous basis, a standard that now intersects with AI-assisted threats. ### What are Indian banks already required to do when something goes wrong? (livemint.com) A January 19, 2024 RBI circular told banks and other regulated entities to report unusual cyber incidents within six hours of detection, unless stated otherwise. The circular said some entities were reporting late, using email instead of the DAKSH portal, or failing to report incidents at vendors and third-party service providers. (rbi.org.in) CERT-In’s directions dated April 28, 2022 separately require reporting of specified cyber incidents within six hours of noticing them or being brought to notice. Those directions apply across Indian entities and form part of the country’s broader incident-response regime. ### Why do vendors and outsourced technology matter so much here? RBI’s outsourcing directions said regulated entities must ensure service providers report cyber incidents without undue delay so the entity can report to RBI within six hours of detection by the third-party provider. (ikffinance.com) RBI also said incidents at vendors or partners can have a “contagion effect” on customer services. That matters because many banks rely on outside firms for cloud services, software, payments connectivity and customer-facing technology. (cert-in.org.in) A bank may own the customer relationship, but a breach at a vendor can still interrupt services, expose data or trigger reporting obligations. That is why the Mint report’s focus on incident response and specialist hiring fits with existing regulatory pressure on third-party oversight. ### Where does insurance fit into the banks’ response? (rbi.org.in) Mint said banks are increasing insurance coverage as part of their response to AI-enabled cyber threats. Insurance does not replace technical controls, but it can help institutions prepare for costs linked to breach response, business interruption, investigations and recovery. The reporting rules also show why insurers and banks pay attention to response speed. RBI’s 2024 circular criticized delayed reporting and incomplete incident descriptions, while CERT-In’s rules set a six-hour reporting clock for covered incidents. (livemint.com) Those deadlines make documentation, escalation paths and forensic readiness central to any claim or recovery process. ### Why should sports organisations pay attention to a banking story? Sports organisations in India and elsewhere now hold payment data, fan records, employee records and sensitive athlete information, including medical and performance data. The same attack patterns described in banking—AI-assisted phishing, vendor compromise and faster intrusion attempts—can hit leagues, clubs and event operators that run digital ticketing, merchandising and athlete-management systems. The Indian rules cited in this story are banking-specific in part, but the operating lesson is broader: know where sensitive data sits, map which vendors can access it, rehearse incident reporting and keep logs and access controls in order. (ikffinance.com) CERT-In’s reporting framework and RBI’s emphasis on vendor incidents show how quickly a cyber event can become a governance issue, not just an IT problem. A May 20 Mint report is the latest trigger for that work. The next concrete checkpoints remain the same ones regulators already set: six-hour reporting to RBI for covered regulated entities, six-hour reporting to CERT-In for covered incidents, and tighter oversight of vendors handling sensitive systems and data. (livemint.com) (cert-in.org.in)