Majority of banks yet to adopt AI in cybersecurity: BIBM

Application of artificial intelligence (AI) in disaster recovery (DR) planning remains almost entirely non-existent in Bangladesh's banking sector, according to a recent survey.
The Bangladesh Institute of Bank Management (BIBM) survey revealed that about 95 per cent of institutions admitted that they had not used AI for this purpose and continued to rely on traditional, manual, and table-top exercises to develop and test their DR plans.
Only 5.0 per cent of the surveyed institutions had started exploring such an application, making it a highly niche and experimental use case.
The survey findings were presented at a roundtable discussion on "Adoption of AI in Cyber Security Management of Banks: Bangladesh Perspective," held at the BIBM auditorium in the city on Wednesday.
Md. Shihab Uddin Khan, Professor and Director (Research, Development & Consultancy) at BIBM, presented the keynote paper at the discussion.
Nurun Nahar, Chairman of the BIBM executive committee and Deputy Governor of Bangladesh Bank, attended the event as the chief guest.
Mohammad Ali, Managing Director and CEO of Pubali Bank PLC; Mohammed Ishaque Miah, MD & CEO of Bangladesh Data Center and Disaster Recovery Site Ltd. and CISO (Lien), Bangladesh Bank; and Osman Ershad Faiz, Additional Managing Director & Chief Operating Officer of Eastern Bank PLC, took part in the discussion.
The BB deputy governor said: "Considering the paramount importance of online/digital banking as well as cybersecurity and cyber risk management in banks, the central bank has been issuing updated guidelines continuously such as ICT Security Guidelines (2023), Guidelines to Establish Digital Bank (2025) ,Guidelines on Cloud Computing (2023), CBS Features and Controls (2024), etc".
Ms. Nahar said she believes that if the banking system follows those ICT security guidelines properly, banks will be able to mitigate IT-related risks at their tolerance level.
Mr Mohammad Ali said the coexistence of banking policies and artificial intelligence (AI) is extremely important.
There is a need for a comprehensive policy on how banks will implement AI in practical applications, he said, adding that currently, the use of AI in the banking sector is still at an 'early learning stage'.
Mr. Ishaque Miah said investment in IT cannot be treated as peripheral, rather it must be considered as a core investment.
"Cybersecurity or IT investment is not an outside issue; rather, it should be seen as an integral part of banking operations", he said.
According to the BIBM survey, the majority of banks in the country remain far from adopting AI for automating incident response in cyber security operations.
According to the survey, about 70 per cent of banks have no automation, 46 per cent of them totally lack it while 24 per cent others remain at the planning stage for integrating AI into their cybersecurity response systems.
The findings indicate that actual implementation remains at a very early stage, with most banks exercising caution in adopting AI-driven solutions.
The survey also revealed that only 27 per cent of banks had achieved partial automation-mostly focusing on simple, repetitive security tasks-while a mere 3.0 per cent had fully automated systems in place, highlighting the limited maturity of AI applications in this area.
According to the survey data, only 32 per cent of banks currently have a formal AI adoption policy for AI-driven banking.
On the other hand, nearly 68 per cent of the surveyed banks do not have any formalised guidelines in place, highlighting a significant gap in strategic governance and risk management related to AI deployment in the banking sector.
In addition, around 40 per cent of banks have established a formal internal policy regarding the adoption of AI for cyber security purposes, while the remaining 60 per cent have not.
The findings suggest that a majority of banks were at early stages of formalising AI governance within their cyber security strategies.
The BIBM survey showed that most of the banks lack structured AI training, while the existing programmes are limited in scope and inadequate to address AI-driven cyber security challenges.
It also suggested introducing a unified, multi-tiered training framework to ensure both foundational AI-security literacy and advanced specialisation.
A lack of AI expertise within the sector underscores the urgency of developing local technical capacity and specialized training programs to support AI-driven cybersecurity initiatives, the survey observed.

sajibur@gmail.com