FM Sitharaman's Cyber Alert to Indian Banks: What CISOs Must Do This Week
On April 23, 2026, Finance Minister Nirmala Sitharaman chaired a high-level meeting with MDs and CEOs of scheduled commercial banks, alongside IT Minister Ashwini Vaishnaw, senior officials from the Reserve Bank of India, NPCI, Department of Financial Services, and CERT-In. The subject: advanced AI models that can autonomously discover and exploit software vulnerabilities at a speed and scale that existing banking security infrastructure was never designed to handle. The FM described the threat as "unprecedented" and issued a set of directives that every bank CISO should treat as operational mandates, not policy suggestions.
What Triggered This Meeting
The immediate catalyst is Claude Mythos, a frontier AI model developed by Anthropic that has demonstrated the ability to autonomously find thousands of zero-day vulnerabilities in major operating systems and web browsers, write working exploits without human involvement, and chain multiple vulnerabilities into sophisticated attacks including browser sandbox escapes and kernel-level privilege escalation. Anthropic has opted not to release the model publicly, restricting access to 40 organizations through its "Project Glasswing" defensive initiative.
India isn't alone in responding. US Treasury Secretary Scott Bessent convened a parallel meeting with American bank executives the same week. But the Indian government's response is notable for its speed and specificity: four operational directives issued within days, with the Indian Banks' Association tasked to lead implementation.
This is not a theoretical risk briefing. This is the government telling banks: the threat landscape just changed, and your current defences may not be sufficient.
The Four Directives and What They Mean Operationally
Directive 1: Real-time threat intelligence sharing. Banks must establish coordinated mechanisms to detect and share emerging threats instantly. For most banks, this means moving beyond the current model of periodic threat briefings and sectoral alerts. Real-time sharing requires automated threat feeds integrated into SOC workflows, participation in financial sector ISACs (Information Sharing and Analysis Centres), and API-based integration with CERT-In's incident reporting infrastructure. Banks that don't have a SOC running 24/7 monitoring need to stand one up or engage an MSSP. There is no "real-time intelligence sharing" without real-time monitoring.
Directive 2: IBA-led unified response framework. The Indian Banks' Association will create a coordinated AI-threat response framework across the banking sector. This is the institutional infrastructure that will define how banks collectively respond to AI-driven attacks. CISOs should engage with IBA working groups immediately. Banks that contribute to shaping the framework will have an advantage over those that wait for the framework to be imposed on them.
Directive 3: Cyber talent and specialized agency partnerships. Banks are advised to onboard specialized cybersecurity professionals and partner with advanced security firms. This is an acknowledgment that in-house teams alone cannot counter AI-level threats. For PSU banks with constrained hiring cycles, the practical path is engaging specialized cybersecurity advisory firms and MSSPs rather than waiting for headcount approvals. The talent gap in Indian cybersecurity isn't new, but it just became a board-level problem rather than an HR problem.
Directive 4: Mandatory immediate CERT-In incident reporting. Immediate reporting of any suspicious activity to CERT-In is "non-negotiable." This reinforces the CERT-In Directions of April 28, 2022, which mandate six-hour incident reporting. Banks that have been treating this as aspirational now have a Finance Ministry directive backing it. If your incident response playbook can't produce a CERT-In notification within six hours of detection, fix that this week.
Three Things to Do Before Friday
The FM's directives are strategic. But CISOs need tactical actions they can execute immediately. Here are three.
First, run an emergency vulnerability scan against your internet-facing infrastructure. Claude Mythos found zero-days in production software that had been running securely for years. The implication: vulnerabilities exist in your stack that no scanner has found yet, because no scanner was smart enough to find them. You can't match Mythos's capability, but you can ensure that every known vulnerability is patched. Check your patch currency across web servers, application servers, VPN concentrators, and API gateways. If anything is more than 30 days behind on critical patches, escalate to the CISO today. AI-powered attacks will target the easiest entry points first, and unpatched N-day vulnerabilities are easier than zero-days.
Second, test your CERT-In reporting workflow end-to-end. Don't assume it works because the policy document says it exists. Run a tabletop exercise this week: simulate a breach at 2 AM, and time how long it takes your team to classify the incident, draft the CERT-In notification, get internal approvals, and submit the report. If the answer is more than six hours, identify the bottleneck and fix it. The most common bottleneck we see isn't technical; it's the approval chain. CISOs who need sign-off from three levels of management before notifying CERT-In will never meet the six-hour window. Pre-authorize the CISO to notify CERT-In for defined incident categories without waiting for management approval.
Third, brief your board before the next board meeting. The FM just told every bank in India that AI-driven cyber threats require "unprecedented vigilance." If your board hears about this from the newspaper instead of from their CISO, you've lost credibility at the worst possible moment. Prepare a one-page brief covering: what the FM's meeting addressed, what the specific directives mean for your bank, your current compliance status against each directive, and what additional budget or authority you need to close the gaps.
The banks that respond fastest to this directive won't be the ones with the biggest security budgets. They'll be the ones where the CISO has board-level authority and pre-approved escalation pathways. This is a governance problem as much as a technology problem. — SARC Cybersecurity Practice
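The timing step of the tabletop exercise in the second action above can be scored mechanically. The following is an added example, not part of the original advisory: the milestone names and the log are constructed, and the `skip` argument models pre-authorising the CISO so the approval wait drops out of the clock.

```python
from datetime import datetime, timedelta

CERT_IN_WINDOW = timedelta(hours=6)  # six-hour reporting window cited in the article

# Constructed tabletop log: "timestamp | milestone reached". Milestone names are
# assumptions for this example, mirroring the stages the article lists.
TABLETOP_LOG = """\
2026-04-28T02:00 | detected
2026-04-28T02:50 | classified
2026-04-28T04:05 | notification_drafted
2026-04-28T08:35 | approvals_obtained
2026-04-28T08:50 | submitted_to_cert_in
"""

def parse_log(text):
    """Return [(milestone, datetime)] in time order; the clock must start at detection."""
    events = []
    for line in text.strip().splitlines():
        stamp, name = (part.strip() for part in line.split("|", 1))
        events.append((name, datetime.fromisoformat(stamp)))
    events.sort(key=lambda e: e[1])
    if not events or events[0][0] != "detected":
        raise ValueError("log must begin with the 'detected' milestone")
    return events

def analyse(events, skip=()):
    """Time each stage; stages named in `skip` are removed from the total."""
    stages = [(name, t - prev_t)
              for (_, prev_t), (name, t) in zip(events, events[1:])
              if name not in skip]
    total = sum((d for _, d in stages), timedelta())
    return {
        "stages": stages,
        "total": total,
        "within_window": total <= CERT_IN_WINDOW,
        "bottleneck": max(stages, key=lambda s: s[1])[0],
        "overrun": max(total - CERT_IN_WINDOW, timedelta()),
    }

if __name__ == "__main__":
    events = parse_log(TABLETOP_LOG)
    for label, result in (("as run", analyse(events)),
                          ("CISO pre-authorised", analyse(events, skip=("approvals_obtained",)))):
        print(f"{label}: total={result['total']} within_window={result['within_window']} "
              f"bottleneck={result['bottleneck']} overrun={result['overrun']}")
```

Replace the constructed log with the timestamps your facilitator records during the exercise; the bottleneck stage is the one to fix first.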
What Comes Next
The FM's meeting is a signal, not a conclusion. Expect follow-up actions: IBA will likely issue a framework within 60 to 90 days. RBI may update its Cyber Security Framework for Banks to incorporate AI-specific threat scenarios. CERT-In may issue supplementary directions on AI-related incident classification. Banks that are already aligned with the RBI Master Direction on IT Governance and the DPDP Act's breach notification requirements will absorb these changes more smoothly than those still catching up on baseline compliance.
The window between "the government issued a warning" and "the government issues a mandate" is where prepared institutions differentiate themselves. That window is open now.
SARC's Cybersecurity Practice works with Indian banks on vulnerability assessments, CERT-In compliance readiness, SOC advisory, and board-level cybersecurity risk briefings. If the FM's April 23 directives have exposed gaps in your institution's preparedness, contact SARC's cybersecurity team for an emergency readiness assessment.

