The Risk That Keeps a Top Bank CEO Awake at Night

DBS CEO Tan Su Shan says cyber threats—not market volatility—are her biggest concern. As AI expands the attack surface in banking, what does that mean for your money?

It's not rising interest rates. It's not a recession. It's not even a geopolitical flashpoint. For the CEO of one of Asia's largest banks, the thing that disrupts sleep is a cyberattack that hasn't happened yet.

"Cyber security. I think the new war is cyber. So what keeps me awake at night is cyber," said Tan Su Shan, CEO of DBS Group, speaking to CNBC at the bank's annual CONVERGE LIVE event in Singapore. "It's who's going to attack who, and how it's going to happen, how people will get affected."

That's a striking admission from the head of a bank managing hundreds of billions in assets. And it points to something larger: the center of gravity in financial risk management has quietly shifted.

Zero Trust Isn't Just a Tech Term Anymore

DBS has codified its internal security posture into a phrase that sounds almost philosophical: "Assume nothing, trust nothing, trust nobody." That's not corporate theater. It's the operating principle behind what Tan describes as a culture of "deliberate paranoia."

In practice, this means continuous red teaming—simulating attacks against the bank's own systems before real adversaries can find the same vulnerabilities. It means treating every access point, every data flow, every AI-generated output as a potential liability until proven otherwise.

The zero-trust model has been discussed in cybersecurity circles for years, but Tan's framing elevates it from an IT framework to a leadership mindset. The question isn't whether an attack will come. It's whether the institution will see it coming.

AI: The Double-Edged Upgrade

Here's the tension that makes this more than a routine security story. The same AI capabilities that banks are racing to adopt—generative AI for customer service, agentic AI for autonomous decision-making—are also expanding what security professionals call the "attack surface": the total number of points through which an unauthorized actor can attempt to enter a system.

Tan put it plainly: "fantastic opportunities, but also fantastic challenges and a lot of scariness that comes with it."

The risk isn't abstract. When AI systems are integrated directly into core banking infrastructure—touching real customer data, executing real transactions—a compromised model or a manipulated input can cascade in ways that traditional software failures don't. Tan was explicit: "When it touches production... make sure that you've got all the relevant guardrails."

DBS's response centers on what Tan calls "data lifecycle management"—a governance framework that tracks data from creation to deletion, with strict controls on who accesses it, when, and why. In an era where AI models are trained on sensitive financial data, knowing where that data lives and who can touch it isn't a compliance checkbox. It's a core risk function.

The Broader Threat Landscape

The cyber conversation doesn't exist in a vacuum. Tan acknowledged that banks are operating in a macro environment shaped by compounding shocks: pandemic-era supply chain fractures, escalating trade tensions, and active conflict zones. Each disruption creates new pressure points—in payment systems, in correspondent banking networks, in cross-border data flows.

The implication is that cyber resilience and geopolitical resilience are no longer separate disciplines. A state-sponsored attack on financial infrastructure is no longer a theoretical scenario. It's a planning assumption.

"Prepare for the worst, hope for the best, but have that playbook ready," Tan said. The playbook she's referring to includes redundancy in systems, alternative payment pathways, and pre-tested incident response protocols—not just firewalls.

What This Means for Investors and Consumers

For investors watching the financial sector, Tan's comments signal something worth pricing in: cybersecurity is no longer a cost center for banks—it's a competitive differentiator. Institutions that can demonstrate robust, auditable, AI-safe security frameworks will increasingly command premium trust from institutional clients and regulators alike.

For consumers, the calculus is more immediate. The bank holding your savings is navigating a threat environment that changes faster than any regulatory framework can keep up with. The question of whether your financial institution has a "deliberate paranoia" culture—or just a compliance department—has never been more relevant.

DBS itself has faced scrutiny before. In 2021 and 2023, the bank faced significant service outages that drew regulatory attention in Singapore. The gap between security posture and operational resilience is real, and Tan's candor suggests awareness of that gap, if not a guaranteed solution to it.

This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.
