Recently, both of India’s top stock exchanges were forced to restrict website access from overseas IPs after a massive surge in cyberattacks. While core trading operations remained unaffected, the decision to restrict web access highlighted a growing risk facing critical institutions across the globe: cyberattacks aimed directly at financial market infrastructure (FMI). The incident shows how exchanges, clearing corporations, and depositories are now consistently being targeted. This is done with the intent to disrupt, a clear indication that these systems are being viewed as soft power levers in a hyperconnected global economy.
Financial institutions grapple with three structural weaknesses that leave them exposed. First, their external attack surface is sprawling and difficult to map; a promotional microsite launched years ago can still sit online and act as an unseen back door. Second, rapid-fire code changes, AI-generated snippets, third-party packages, and an unending stream of zero-day discoveries inject fresh vulnerabilities into production every day. Third, overstretched teams are battling vulnerability fatigue, so even critical issues often remain unpatched for more than 180 days. The combination of hidden assets, newly introduced bugs, and delayed fixes turns financial-services organisations into a soft target.
These weaknesses are far from theoretical; our 2024 State of Application Security report shows attackers exploiting them at record scale. We analysed over 1.2 billion attacks across the banking and financial services sector. Attacks targeting known vulnerabilities rose 74%, and bot attacks occurred at double the frequency compared to other industries. APIs, which are integral to how modern trading platforms operate, experienced 30% more attacks per host than websites and were hit by 166% more DDoS attacks. In addition, 32% of critical and high-severity vulnerabilities remained open for more than 180 days. Verizon’s 2025 Data Breach Investigations Report, which examines confirmed breaches, echoes these findings: vulnerability exploits have now overtaken phishing as the primary entry point for attackers.
Attackers routinely switch vectors to match their objectives. During Operation Sindhoor, for example, DDoS traffic against critical BFSI applications and APIs jumped to 2.7 times the 2025 weekly average, illustrating how adversaries pivot to volumetric disruption when their goal is to cripple availability rather than steal data.
Financial infrastructure operates with high uptime expectations, handles sensitive data, and carries economic significance. This makes it attractive not only to cybercriminals but also to politically motivated threat actors.
This is why the security model itself needs to evolve. Expecting internal teams to do it all—including identifying, prioritizing, patching, and mitigating threats in real time—is no longer practical. Especially not for institutions operating at the scale and sensitivity of FMI.
A fully managed Web Application and API Protection (WAAP) model addresses this. It brings together automated scanning, 24x7 monitoring, behavioural threat detection, and expert-driven response. The aim is to let internal security teams focus on strategic tasks while a dedicated partner ensures that the surface-level protections are always current and adaptive.
Virtual patching is another critical capability here. It allows businesses to block exploitation attempts instantly, even before a code-level fix is implemented. This is particularly relevant in environments where release cycles are complex or when vulnerabilities are discovered during critical trading periods.
Security in this context is no longer just a compliance requirement. Regulators like SEBI and RBI are tightening norms, but most organizations are struggling with execution. A managed approach helps reduce false positives, brings down response times, and supports audit readiness without creating friction.
Attackers are also timing their efforts more strategically. The assumption that there will be a human response at all times is flawed. Institutions need coverage that is always on, irrespective of the time of day or the number of people available.
What this really comes down to is risk. Institutions in the financial ecosystem carry a responsibility not just to protect themselves but to maintain public confidence in the integrity of the system. Outages or data breaches erode trust. And trust, once lost, takes far longer to recover than any system upgrade.
Cyber threats will continue to escalate in sophistication and frequency. But a shift in approach—from reactive to managed, and from generic to tailored—gives institutions a far better shot at resilience.
About the Author
Ashish Tandon, Founder & CEO of Indusface, is a first-generation entrepreneur with expertise in technology and business. He has successfully led ventures in security, internet services, and cloud-based communication. Under his leadership, Indusface, a Tata-funded SaaS company, secures 4,000+ global Web, Mobile, and API applications using an award-winning platform integrating DAST, WAF, DDoS & BOT Mitigation, CDN, and threat intelligence. Recognized as Gartner Peer Insights Customers’ Choice, it is PCI, ISO27001, SOC 2, GDPR-certified, and a “Great Place to Work.” An IIM Ahmedabad alumnus, Ashish mentors startups, collaborates on security regulations, and is a former Ranji Trophy cricketer.