In 2026 and beyond, cybersecurity will no longer be just an evolving priority. Banks will look at it as an amplified, always-on operating mandate. Many of the foundational shifts, cloud adoption, API-driven ecosystems, partner integrations, and AI-enabled operations, have been underway for years. What changes now is the scale and speed: as these models mature and interconnect, the attack surface expands exponentially, and the cost of failure escalates. IBM estimates the average cost of a breach in financial services at US$6.08 million, well above the global average of US$4.88 million, underscoring why cyber resilience is no longer a compliance checkbox but a determinant of business velocity and customer trust. Instead of being an add-on or perimeter control, resilience will be woven into every transaction, every integration point, and every algorithm, ensuring security is not a separate function but a foundational design principle for speed, trust, and uninterrupted operations.
Large banks are turning cybersecurity into a governed, embedded capability across the enterprise and partner ecosystems. Goldman Sachs’ 2025 proxy statement highlights board oversight via a Technology Risk Subcommittee (formed June 2024) and regular briefings from the CISO on cyber and information-security risk management. HDFC Bank reports a next-gen Security Operations Center for predictive incident management, SOAR to reduce response times, and an AI/ML-enabled SIEM fed by “10,000” logging sources, alongside network micro-segmentation and continuous vulnerability management. JPMorgan Chase describes mandatory security awareness training (including periodic phishing tests), a cybersecurity incident-response plan, and formal governance via its Cybersecurity & Technology Controls Operating Committee, with periodic updates to the Board.
Author - Rajashekara V. Maiya
Vice President and Global Head - Business Consulting, Infosys Finacle
Digital Proliferation and AI: The Catalyst for Threat–Defense Acceleration
The next wave of risk is being driven by identity compromise, rapid vulnerability exploitation, and AI-amplified social engineering. Verizon’s 2025 DBIR flags rising exploitation of vulnerabilities and higher third-party involvement in breaches - both critical in banking ecosystems built on suppliers, SaaS platforms, and cloud services. ENISA adds that by early 2025, AI-supported phishing represented more than 80% of observed social engineering activity, signaling how quickly attacker capability is scaling.
In a composable, ecosystem-first model, security must continuously protect identities, APIs, data flows, cryptographic trust, and third-party dependencies - end to end.
“512 Will Not Be Enough”: Crypto Debt Becomes a Systemic Risk
The “512 will not be enough” theme is most powerful when framed as crypto debt: legacy cryptography that persists in long-tail integrations, older vendor components, and misconfigured certificates. Demonstrations show 512-bit RSA keys can be factored in hours with single-digit dollars of cloud compute - turning weak cryptography into an exploit path. NIST guidance has long treated RSA below 2048 bits as disallowed (after transition periods) for key establishment, reinforcing 2048-bit (or stronger) baselines.
The 2026 priority is crypto-agility, not only key-length hygiene: maintain a cryptographic inventory, automate certificate/key lifecycle management, and design systems so algorithms can be upgraded without breaking applications or partner connectivity.
Post-Quantum Cryptography (PQC) Will Gather Speed: “Harvest Now, Decrypt Later” Makes the Transition Immediate
PQC becomes a 2026 planning reality for two reasons. First, National Institute of Standards and Technology (United States) has released its first finalized post-quantum encryption standards and continues to publish transition guidance. Second, NIST explicitly highlights the “harvest now, decrypt later” threat - adversaries can collect encrypted traffic today for future decryption, which matters for banking data with long retention horizons.
Systemically important markets are translating this into execution. Singapore’s MAS signed an MoU with DBS, HSBC, OCBC and UOB (and technology partners) to collaborate on quantum security for financial services. India’s National Quantum Mission similarly signals that quantum-safe security is moving into national digital infrastructure agendas.
The transition is material: BCG estimates PQC migration can cost roughly 2.5% to 5% of annual IT budgets. The pragmatic 2026 playbook is to establish crypto-agility first, then sequence PQC adoption by data longevity and systemic impact - starting with identity and interconnection pathways.
Security Will Turn “Platform”: From Layered Controls to Embedded-by-Design Resilience
Banks have historically layered security on top of fragmented architectures. In 2026, the shift is toward a platform view of security - built into delivery and operations:
- Build “security-in-the-flow” DevSecOps: threat modeling and automated security testing within CI/CD, not as a late-stage gate.
- Institutionalize partner and API governance: consistent requirements for identity, encryption, logging, resilience and continuous monitoring.
- Unite SRE and SOC outcomes: engineer for measurable detection, response and recovery, delivered as shared platform capabilities.
Regulation is accelerating this direction. In the EU, DORA entered into application on 17 January 2025, and the European Supervisory Authorities have advanced direct oversight of designated critical third-party providers - raising expectations around resilience testing, incident reporting, and third-party risk management.
The AI-Powered Programmable Security Platform Will Elevate Defense (With Guardrails)
AI is a dual force: it makes attacks cheaper and more convincing, but it also improves defense - especially in security operations, vulnerability prioritization, and response automation. IBM finds that organizations using security AI and automation can reduce breach costs by an average of US$2.2 million, strengthening the ROI case for moving from manual SOC workflows to programmable defense.
In 2026, a programmable security platform should deliver three outcomes:
- Risk-based prioritization: focus patching and hardening on what is exploitable and business critical (not scores alone).
- Automated containment: revoke sessions, rotate secrets/keys, isolate workloads, throttle suspicious APIs, and enforce step-up authentication.
- Continuous validation: detect control drift and misconfiguration through validation and simulation, and feed learnings back into engineering backlogs.
Threats Become Increasingly Complex: Social Engineering, Deepfakes, and Liability
Complex threats will intensify - AI-enabled impersonation, lookalike sites, infostealers, and deepfake-enabled fraud - requiring banks to invest as much in human and process controls as in technology. ENISA’s 2025 threat landscape underlines how quickly these methods evolve.
Liability is tightening in parallel. Under GDPR, certain infringements can attract administrative fines up to €20 million or 4% of global annual turnover (whichever is higher). In India, the Digital Personal Data Protection Act, 2023 requires intimation of a personal data breach to the Board and affected individuals in the prescribed form and manner - raising the bar for response speed and transparency.
Research
Datapoints
Research
Datapoints
Research
Datapoints
Market Outlook: Rising Spend, Harder Proof
Security budgets will rise, but the bigger shift is toward provable outcomes - identity assurance, crypto-agility, third-party resilience, and faster recovery. Gartner estimates worldwide end-user spending on information security will reach US$240 billion in 2026.
To win in 2026, banks should align strategy, architecture, and operating model around four imperatives:
- Crypto-agility and PQC readiness: inventory, lifecycle automation, and sequenced migration for long-life data.
- Identity-first controls: stronger MFA, device/session governance, secrets management, and monitoring aligned to credential abuse realities.
- Platform security engineering: DevSecOps by default, automated testing, and policy-as-code enforcement.
- AI-enabled SecOps and resilience-grade third-party oversight: automation where it measurably reduces impact, with governance guardrails and DORA-aligned supplier controls.
The Road Ahead: Banks as Trust-Native, Platform-Resilient Orchestrators
Cybersecurity will be a primary determinant of banking competitiveness from 2026 onwards. Leaders will behave as trust-native orchestrators - able to expose capabilities securely via APIs, manage partner risk continuously, enforce cryptographic standards with agility, and run security operations that are fast, automated, and regulator-ready. Security is no longer a perimeter; it is infrastructure and increasingly, a differentiator.
Let’s Discuss
Fill out the form below and we will get back to you shortly. Alternately, you can also contact our regional offices
