The Reserve Bank of India (RBI) released its latest Financial Stability Report on Tuesday, offering a cautiously optimistic outlook on the health of the country's banking sector. While the central bank projects that gross non-performing assets (NPAs)—loans that are not being repaid—will remain unusually low at 1.8% of total lending by the end of March 2026, it also flagged a new and growing concern: AI-enabled cyberattacks are now seen as the biggest near-term threat to lenders.
What the RBI's Stress Tests Show
The RBI's baseline scenario, built from current economic forecasts, suggests that the bad-loan ratio will only edge up to 1.9% by the end of March 2028, even as credit growth accelerated to 14.5% in fiscal 2026. That level is well below the historical average for Indian banks, which have struggled with double-digit NPA ratios in the past. The central bank also sketched out a more severe scenario: if economic growth slows and inflation rises, gross NPAs could climb to between 3.8% and 4.1% by March 2028. Still, even that worst-case figure would be manageable compared to the peak of the bad-loan crisis earlier this decade.
The RBI's assessment comes amid a broader backdrop of improving asset quality, supported by stronger corporate balance sheets and a steady economic recovery. However, the central bank's report also highlights that the traditional credit-risk picture may not tell the whole story.
AI Cyber Threats Take Center Stage
Perhaps the most striking finding in the report is the shift in perceived risk. A survey of large banks and non-bank lenders ranked AI-enabled cyber threats as the top risk over the next 12 months, overtaking traditional concerns like credit quality or liquidity. The RBI pointed to training and awareness gaps as key vulnerabilities, noting that many institutions are not fully prepared to defend against sophisticated, AI-powered attacks.
This matters because cyber incidents can hit banks through operational risk—outages, fraud, and cleanup costs—rather than through borrowers defaulting. A major cyber event can disrupt payment systems, freeze lending operations, and trigger a long, expensive cycle of security upgrades and tighter compliance controls. Unlike a rise in NPAs, which shows up gradually in financial statements, a cyber attack can cause sudden, direct losses that are harder to predict.
What It Means for Investors
For everyday investors, the RBI's sub-2% NPA figure is reassuring: it suggests that the usual worry—borrowers not paying back—is contained, which typically supports steadier bank profits and lower credit-loss charges. But the cyber threat introduces a new variable. Even if the credit cycle stays friendly, bank valuations may start to hinge more on cost discipline and digital resilience, especially as lending grows quickly and more activity moves through apps and online rails.
Investors should watch for how banks are investing in cybersecurity and whether they are disclosing their preparedness. A major cyber incident could dent earnings without ever showing up in NPAs, and the cleanup costs could weigh on profitability for quarters. In this environment, banks that combine strong asset quality with robust digital defenses may be better positioned to weather the next shock.
The RBI's report also ties into broader market dynamics. India's financial system has been stabilizing after recent shocks, as seen in the recovery in the rupee and bond yields, and the central bank's vigilance on cyber risks is a reminder that new threats can emerge even when old ones recede.
Looking Ahead
The RBI's stress tests provide a useful baseline, but they cannot capture every risk. As the central bank itself notes, the cyber threat landscape is evolving rapidly, and the financial sector's reliance on technology is only growing. For now, the message is clear: India's banks are in a strong position on credit quality, but they must stay alert to the digital dangers that could upend that stability.
