For DBS CEO Tan Su Shan, the biggest risk keeping her up at night is not just market volatility or geopolitical shocks, but cyberattacks.
“Cyber security. I think the new war is cyber. So what keeps me awake at night is cyber. It’s who’s going to attack who, and how it’s going to happen, how people will get affected,” the chief executive of DBS told CNBC on the sidelines of its annual CONVERGE LIVE event in Singapore.
Her warning underscores a broader shift in how financial institutions are thinking about risk, as cyber threats become increasingly intertwined with geopolitics and rapid advances in artificial intelligence.
Tan said banks are now operating in an environment where cyber risks are constant and evolving, requiring a mindset of perpetual vigilance. “Assume nothing, trust nothing, trust nobody,” she said, describing how DBS approaches cybersecurity internally.
That has translated into continuous “red teaming,” or stress-testing systems by simulating attacks, as well as a culture of what she described as deliberate paranoia. The goal is to anticipate vulnerabilities before attackers exploit them, particularly as AI lowers the barrier for more sophisticated cyber threats, she said.
“We’re constantly being paranoid about cybersecurity… what will separate the winners from the losers is good adoption, smart adoption, safe adoption,” Tan said.
The rise of generative and “agentic” AI has added a new layer of complexity. While these technologies promise productivity gains and operational efficiencies, Tan warned they also expand the attack surface — or all the points at which an authorized user can attack a system — especially when deployed in critical systems.
“When it touches production… make sure that you’ve got all the relevant guardrails,” she said, referring to AI systems that interact directly with customer-facing or core banking infrastructure.
That vigilance has become even more critical as financial institutions deepen their adoption of artificial intelligence. While AI promises efficiency gains and new capabilities, Tan said it also introduces fresh vulnerabilities, particularly as systems become more interconnected and autonomous.
The rise of generative and agentic AI, she noted, has created “fantastic opportunities, but also fantastic challenges and a lot of scariness that comes with it,” especially when it comes to safeguarding sensitive data and core banking infrastructure.
For DBS, that has meant building strict frameworks around how data is handled and monitored. Tan emphasized the importance of “data lifecycle management,” ensuring that data is properly governed from creation to deletion, with clear controls over access, auditability and transparency.
At the same time, the operating environment for markets and banks has grown more volatile, shaped by supply chain disruptions, trade tensions and conflict-driven shocks, from the pandemic to tariffs and now the Iran war.
Tan said these shocks have forced companies to rethink resilience across the board, from supply chains to payment systems. The same principle applies to cybersecurity: institutions must build redundancy, alternative pathways and contingency plans.
“Prepare for the worst, hope for the best, but have that playbook ready,” she said.
