The Growing Importance of Resilience in Cybersecurity

Amid ongoing and widespread digitalization, cybersecurity has become a critical point of focus for businesses across industries, but especially for banks and other financial service providers. In addition to being inherently attractive targets for bad characters, organizations across the finance sector are also tasked with navigating the complex integration of myriad emerging banking technologies and standardized real-time payment systems, as well as new and constantly shifting regulations around data privacy and security. 

To better understand how banks should be approaching cybersecurity in today’s increasingly challenging and complex digital ecosystem, Egon Zehnder’s Director Development Program included a session on the topic by Nandkumar Saravade, the former founding CEO of the Reserve Bank of India’s (RBI) ReBIT, and a leading expert and advisor on cybersecurity and fraud risk management strategies. Throughout his talk, Saravade frequently stressed the importance of resilience in adapting to and mitigating security risks, while highlighting a variety of relevant case studies to provide an overview of evolving cyber threats facing the financial services industry. What follows are key insights from the gathering. 

From real-time transactions and account visibility to cross-border payment standardization, there are plenty of incredible perks emerging from unprecedented technological advancement and innovation in the banking sector. However, as Saravade noted early in his presentation, an over-eagerness toward digital transformation can sometimes distract us from addressing the unforeseen risks that come with the integration of new systems, leading to complacency and blind spots across an organization’s cybersecurity strategy. 

“The potential which fintech and the infusion of technology offer traditional banking and beyond is so exciting, and we’ve seen the results of this in India like no other country has,” he said. “But we also have to acknowledge the dark side to see that risks are properly mitigated and we’re able to harness technology in the manner it should be.” 

More specifically, Saravade explained how cybersecurity has evolved in recent years and now requires a much more holistic approach built on a foundation of constant awareness and resilience. While many banks are understandably rushing to implement the latest advanced technology to satisfy consumer demands and remain competitive, an abrupt expansion of solutions and providers also implies an expansion of potential threats, as well as a significantly higher burden for security teams when it comes to something as fundamental as controlling access to private networks.  

To illustrate what can happen in the absence of strong access controls, Saravade shared a 2021 case study, in which an ex-employee of a large Indian bank was able to hack into its system by placing an unidentified laptop with key logging malware to unlock passwords, resulting in the execution of a fraudulent transfer of INR 145 crores. Importantly, this criminal breach succeeded despite the bank’s sizable investment in a new security operation center, and the inability of the center’s operators to notice the addition of a new device on their network demonstrates the rising complexity of today’s risk landscape, underscoring the importance of ensuring exhaustive training for security teams and the reconfiguration of networks to safeguard against emerging risks. 

Fortunately, a catastrophe was ultimately avoided in this case, thanks to the RBI blocking funds from being withdrawn after identifying and flagging the transaction, but other banks may not be so lucky in the future. 

“This is an important case because it highlights the wide range of risks, including people getting unauthorized access to networks, networks not being configured to detect and remove unidentified devices, security operation centers not catching things, and so on,” said Saravade. “This is a very scary scenario for anybody who runs a bank’s IT system, as these kinds of lapses can easily lead to major incidents.”

Another great benefit of technological advancement in banking has been the introduction of standardized payment systems. There is perhaps no better example of this than India’s Unified Payments Interface (UPI), an intuitive real-time network so popular in the country, Saravade notes, “that people have stopped carrying money, and they don’t even remember online banking passwords, because everything is happening through QR codes, online transfers, and so on.”

However, on April 12, 2025, we also learned the hard way that even the most positively transformative solutions are infallible when the UPI system went dark for up to 5 hours, leaving many consumers without access to their funds. It turned out that this particular event was caused by one bank not following guidance related to the UPI’s check transaction API, which resulted in a crippling configuration error. While the issue was ultimately resolved, Saravade suggests that it highlights the unpredictable nature of new and complex payment technologies in the midst of widespread adoption, and the urgent need for flexibility among banks to ensure they can respond quickly and effectively to such disruptions. 

“This is the issue with complex systems, because when they’re getting built, nobody can envision how they’ll behave at a future date and as more users get added and different scenarios play out,” he said, further stressing the need for more resilient strategies and the potential dangers of becoming overly dependent on standardized solutions like UPI. “I think one of the key principles now is that you cannot prevent everything, because so much is unforeseeable. So, response is really the key to resilience—you have to monitor well, and then you have to respond quickly to figure out what’s going on and take the appropriate measures.”

To drive home the sheer complexity and evolving nature of today’s risk landscape, Saravade spent much of his presentation highlighting some of the most prevalent cybersecurity threats facing the banking industry today, as well as what he anticipates might be in store for the future. 

More specifically, Saravade noted that ransomware, in which access to databases is seized by hackers seeking financial compensation, remains very common, although isn’t as widely perpetrated against highly regulated entities like banks. The growing utilization of deepfake technology to commit identity theft, as well as instances of criminal fraud more broadly, however, do remain a major concern for financial institutions, as these events can not only result in monetary losses, but also cause significant damage to a bank’s reputation, particularly in the age of “virality” and social media. 

But while many institutions have spent years adapting their cybersecurity strategies and tech stacks to combat more well-known fraud tactics, Saravade notes that most are currently focused on understanding the potential implications of rapidly advancing artificial intelligence (AI), which he admits remain entirely uncertain. “Everybody today is talking about AI-powered cyber-attacks,” he said, “but I don’t think anybody has really figured out how they might work and how to defend against them.” 

However, Saravade does believe that AI will have an unavoidable impact on cybersecurity systems and strategies, but also that it’s difficult to determine whether the positives will outweigh the negatives. On one hand, AI is increasingly being leveraged for code writing, which should theoretically lead to enhancements in both security and efficiency. But on the other, AI’s code writing abilities are based on imperfect human training and have the potential to repeat the same mistakes, which could be more easily exposed by criminals using their own AI tools to identify and exploit system vulnerabilities. 

“This is a constant ongoing battle and, again, is part of the complexity, but also part of how software engineering quality control operates,” he said. “With AI coming in, the code quality probably should improve, but some of the logical fallacies which have been learned from human coders may remain, and an attacking AI system may be able to find holes in that.” 

Although it might be impossible to predict the role of AI in shaping the future of cybersecurity, Saravade was adamant that mitigating any emerging threats will require banking leaders to prioritize not only technological investment but also people and management processes. In other words, even the most powerful tech stack won’t be a substitution for having people on your team who are both supremely capable and trustworthy. 

“Improving people processes and anything that is not specific to technology is becoming very important to look at,” he said. “Because technology problems have management workarounds, but management problems can’t be solved by using technology. That is the well-known principle.”