Module: MODULE B: RISK MANAGEMENT
Q407: Consider the following statements regarding the integration of Cyber Risk and deep-fake AI fraud into the Integrated Risk Management (IRM) framework, as per recent Reserve Bank of India (RBI) guidelines for 2025-2026:
1. Under the latest Integrated Risk Management guidelines, cyber-security incidents such as ransomware attacks are explicitly treated and mapped as high-priority Operational Risk.
2. Financial losses resulting from deep-fake video fraud perpetrated by external syndicates are classified under "Internal Fraud" due to the compromise of internal bank verification systems.
3. The RBI mandates continuous and real-time scenario analysis specifically for emerging digital threats like AI-driven deep-fake fraud to build digital operational resilience.
Which of the statements given above is/are correct?
✅ Correct Answer: B
The correct answer is B. Statement 1 is correct: As per the evolving integrated risk landscape and recent RBI thrusts towards digital operational resilience (2025-2026), cyber-security incidents (like ransomware, DDoS attacks, and data breaches) are explicitly treated as severe Operational Risks.
They typically map to "Business Disruption" or "External Fraud" under Basel event types.
Statement 2 is incorrect: The classification depends on the actor.
If a deep-fake video fraud is perpetrated by an external organized syndicate, the event is strictly classified as "External Fraud", because a third party committed the act of deception and theft.
The failure of the internal verification system is a control failure, but the event type itself remains External Fraud, not Internal Fraud.
Statement 3 is correct: RBI's updated cybersecurity and IT outsourcing frameworks heavily emphasize proactive risk management.
This mandates that banks conduct dynamic, real-time scenario analysis to evaluate their vulnerability and build resilience against emerging, sophisticated digital threats like AI-driven deep-fake frauds.
Therefore:
Option A is incorrect because Statement 2 is false.
Option B is correct as both Statements 1 and 3 are true.
Option C is incorrect because Statement 2 is false.
Option D is incorrect because Statement 2 is false.