How the 2026 IBM i Marketplace Survey Resonates with Sri Lanka’s BFSI Sector

For over a decade, the IBM i community has looked to the annual marketplace survey to benchmark trends and plan for the future. The 2026 IBM i Marketplace Survey Results by FORTRA, representing the viewpoints of 320 IBM i professionals worldwide, reveals a significant shift in the landscape. While stability and reliability remain the platform’s hallmarks, new priorities—ranging from artificial intelligence to a pressing need for specialized talent—are reshaping how organizations approach their Power Systems environments.

The 2026 IBM i Marketplace Survey Results by Fortra highlight major trends among IBM i users globally and many of these trends have direct implications for Sri Lanka’s banking and financial services landscape. Key survey findings include:

• IBM i skills shortage now ranks as the top concern globally, surpassing cybersecurity.
• Organizations are continuing to invest in IBM i infrastructure, with a strong emphasis on modernization and upgrade cycles.
• Cybersecurity remains a critical priority.
• High Availability & Disaster Recovery have emerged as top priorities for IBM i users worldwide.

For Sri Lanka’s BFSI sector, where technology underpins digital transformation, these global patterns mirror local strategic realities and challenges.

1. Skills Shortage: A Critical Local Constraint

Global Insight

The survey identifies a widening gap in IBM i expertise — more organizations are struggling to find and retain talent with deep skills in IBM i programming, administration, and modernization. For the first time since 2017, cybersecurity is not the number one concern among IBM i professionals. In 2026, the top spot belongs to IBM i skills, which has been steadily climbing the rankings over the past few years.

Sri Lankan Reality

Sri Lanka’s broader IT and banking sectors are already experiencing skill shortages in advanced technologies including AI, cloud, and cybersecurity. This is due to brain drain, limited specialized training, and a mismatch between academia and industry needs.

• In 2022, Bank of Ceylon reported 224 total employee exits (voluntary resignations + retirements) — with about 58% due to resignation, indicating significant turnover pressures during Sri Lanka’s economic crisis.
• In its 2023 annual report, the bank noted increased pressure on retention due to migration and macroeconomic stress, with retention rates dropping from 98% to 95% as employees moved overseas.
• This suggests a continued turnover risk in 2023 across BOC (Bank of Ceylon).

• From the 2024 Annual Report of Seylan Bank PLC Employee Turnover Ratio 2024: 13.52%. This reflects the proportion of staff who left the bank during the year (including resignations and other separations).
• The report also shows total employee departures and new recruitment details:
• Employee Turnover (actual turnover count) is 425 employees.

• In 2024, Ceylinco Life Insurance recorded 103 employee exits, an increase from 96 departures in 2023, showing a rise in staff movement year-on-year. The employee turnover ratio increased to 14% in 2024, up from 13% in 2023, indicating a slight increase in workforce attrition relative to total headcount. Overall, the data suggests a modest upward trend in employee turnover compared to the previous year.

For BFSI, the need for talent is acute because unique systems like IBM i often require specialized expertise. At the same time, newer digital initiatives demand skills in cloud platforms, data analytics, and API-based integrations — a skill set in short supply locally.

Impact on BFSI

• Slow modernization and automation of core banking applications.
• Higher operational risk if critical IBM i skills reside with a few individuals.
• Increased costs due to reliance on international consultants or contractors.

2. Modernization and Core Banking Transformation

Global Insight

Around 70% of organizations globally plan hardware or software upgrades to take advantage of new IBM i 7.6 capabilities and improved security features, with many embracing hybrid or cloud models.

Sri Lankan Context

Sri Lankan banks are actively investing in technology modernization. For example, Commercial Bank has upgraded its core infrastructure with new systems, including hardware and software enhancements, to bolster capacity and customer experience. In 2023, the bank implemented a new IBM Power system/IBM i and upgraded key platforms such as its ComBank Digital and Flash apps, updated teller and loan origination systems, and reinforced security systems. These moves reflect a broad modernization of core systems and digital platforms (Annual Report 2023).

In its 2024 report, Commercial Bank shows strong migration to digital channels with hundreds of thousands of customers adopting digital banking services like Flash Digital Bank Accounts and digital KYC onboarding. This underscores a continuing shift toward modern, cloud-ready digital banking capabilities.

People’s Bank has expanded digital services substantially — including mobile and internet banking, digital wallets, self-service portals, and integration with national payment systems — as part of its strategy to boost financial inclusion and modernize service delivery (ft.lk).

These examples clearly show how Sri Lanka’s major banks are modernizing core systems and digital services, investing in new platforms and technologies, and adapting to evolving customer expectations — all of which support the blog’s section on modernization and core banking transformation with local, real-world evidence.

Impact on BFSI

• Delays in launching digital products such as real-time payments and AI-based services.
• Competitive disadvantage against faster-moving fintech players.
• Higher ongoing costs for on-premises maintenance vs. cloud optimization.

3. Cybersecurity: Elevated Risk and Regulatory Expectations

Global Insight

Despite skills moving up the priority list, cybersecurity remains a top concern, with many organizations increasing their use of security tools and practices.

Sri Lankan Context

Sri Lankan banks face a growing threat landscape as they scale digital channels and integrate fintech services. Cybersecurity investments and compliance are critical to maintaining trust and protecting customer data.

With data breaches and financial crime risks increasing, banks must move beyond basic defenses to advanced threat detection, encryption, and regulatory compliance frameworks.

• Around 20 March 2025, Cargills Bank PLC experienced a major cyberattack by a ransomware group calling itself Hunters International, one of the biggest in Sri Lanka’s history. The attackers accessed the bank’s internal systems and stole a huge amount of data.
• Although the bank publicly described this at first as an “unauthorised access to a peripheral system,” far more was taken — roughly 1.9 TB of data spanning over 1.1 million files — and this data started appearing on dark web leak sites when ransom talks seemingly failed.

• Two customers of Commercial Bank have lodged complaints with the Negombo Divisional Crime Investigation Bureau, alleging unauthorized transfers from their accounts to unknown recipients, as per information obtained from ‘Sri Lanka Mirror’. The incidents occurred on August 27, with approximately Rs. 1.9 million withdrawn from one account and approximately Rs. 500,000 withdrawn from the other. One customer had formally complained to the manager of the Commercial Bank’s Thelwatta Junction branch in Negombo that Rs. 499,999 had been transferred without his acknowledgment to an account at People’s Bank.
• The Criminal Investigation Department (CID) informed the Colombo Chief Magistrate’s Court on September 3, 2025 that over Rs. 6 billion has been illegally transferred from Commercial Bank accounts without the customers’ knowledge. This was done through fake websites that closely resembled the bank’s official ComBank Digital platform (Sri Lanka Mirror).
• In May 2016, the Turkish‑linked Bozkurtlar hacking group reportedly breached and posted data online from the Commercial Bank of Ceylon, one of Sri Lanka’s largest private banks. Attackers published roughly 6.97 GB of files, including backups, web files, and corporate website data — although the bank maintained core customer or transaction data wasn’t accessed or stolen.

The Central Bank of Sri Lanka (CBSL) has issued new regulatory directives requiring banks to report cybersecurity and IT incidents rapidly — reflecting heightened regulatory focus on cyber risk management as digital banking expands. Licensed banks must:

• Report cyber and IT incidents (including breaches, fraud, system outages) within strict timeframes (e.g., within 2 hours of detection).
• Provide detailed and quarterly reporting on cyber incidents to CBSL.

• CBSL’s Circular No. 02 of 2025 explicitly mandates that all licensed commercial and specialised banks report a wide range of cybersecurity incidents — including breaches that affect customer data, unauthorized access, or fraud — to the regulator.

• CBSL’s Banking Act Direction No. 16 (issued under the Banking Act) focuses on Technology Risk Management (TRM) for Licensed Commercial Banks (LCBs) and Licensed Specialised Banks (LSBs). It formalizes regulatory expectations around IT governance, cybersecurity controls, system resilience, and data protection — including strong requirements around data encryption.

• In Bank of Ceylon’s 2024 Annual Report, cybersecurity and information security risks are identified as key operational risk elements, with the bank investing in measures such as intrusion detection, encryption, and security assessments to protect customer data and systems.

• Industry forums such as cyber risk awareness events indicate that sector stakeholders — including senior risk and IT leaders from licensed banks — are being educated on cyber risk, regulatory compliance, data protection laws like the Personal Data Protection Act (PDPA) 2022, and the importance of cybersecurity controls.

These requirements are part of broader regulatory frameworks for Technology Risk Management and Resilience that cover IT governance, cybersecurity risk assessment, incident response, and business continuity.

Impact on BFSI

• Regulatory pressure from the Central Bank of Sri Lanka to enhance digital resilience.
• Rising costs for implementing advanced security tools and training.
• Customer trust risks if cyber incidents occur.

4. High Availability & Disaster Recovery

Global Insight

One of the strongest themes in the IBM i Marketplace Survey 2026 is the continued prioritization of High Availability (HA) and Disaster Recovery (DR). Organizations running IBM i environments consistently rank HA/DR as mission-critical due to increasing uptime expectations, ransomware risks, and regulatory pressure.

Sri Lankan Context

Sri Lankan banks operate in a high-risk environment characterized by:

• Economic volatility in recent years
• Increased digital banking adoption
• Rising cyber threats and ransomware risks
• Strict regulatory expectations from the Central Bank of Sri Lanka

Due to an unexpected power outage at our primary site, LankaPay systems ware experienced temporary service disruption. As a result, interbank ATM transactions, interbank fund transfers (CEFTS), LPOPP government payments, JustPay, LankaPay Cards, GovPay, and LANKAQR systems ware not available. LankaSign Digital Certification Authority is also temporarily unavailable.

• Users across multiple banks (including Commercial Bank, Sampath Bank, NDB, HNB) reported that interbank transfers, ATM operations, JustPay, CEFTS and other LankaPay‑linked services stopped working temporarily.
• According to a notice from LankaPay, this was due to an unexpected power outage at their primary site, which caused downtime and disrupted digital transactions.
• Many transfers appeared pending, with funds debited from accounts but not received by the destination until systems came back online; some users eventually saw reversals.

Impact:
• Interbank transfers were disrupted island‑wide
• Cashless payment platforms were temporarily unavailable
• Customers faced delays and confusion over transaction statuses

Sri Lanka’s BFSI sector reflects these global HA/DR trends but operates under unique regulatory and operational pressures:

• Central Bank of Sri Lanka (CBSL) Banking Act Direction No. 16 mandates licensed banks to maintain robust DR frameworks, document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and conduct regular disaster recovery testing.
• Banks must implement geographically separate DR sites and report IT disruptions promptly.
• Rapid digital adoption in Sri Lanka, including mobile banking and online payments, has heightened the importance of continuous system availability.
• The Personal Data Protection Act (PDPA) 2022 reinforces the need for secure and encrypted data replication as part of resilience planning.

Cyber threats and ransomware attacks in Sri Lanka have accelerated cyber-resilient backup adoption and improved HA practices.

Impact on BFSI

• Compliance with CBSL Direction 16 and PDPA 2022 requires banks to maintain encrypted backups, secure DR protocols, and tested failover plans.
• Banks failing to implement proper HA/DR face potential regulatory action, reputational damage, and audit penalties.
• HA/DR is no longer just technical insurance; it is a competitive differentiator in customer trust and digital service reliability.
• Investments in HA/DR enhance cyber resilience, particularly against ransomware, data breaches, and operational disruption.

Strategic Actions for Sri Lanka’s BFSI Sector

To bridge the gap between current challenges and desired outcomes, Sri Lankan banks can take the following strategic actions:

1. Invest in Skills Development

Challenges:

• Critical IBM i expertise is limited locally.
• Migration and turnover in banks like Bank of Ceylon, Seylan Bank, and Ceylinco Life Insurance exacerbate talent gaps.
• New digital initiatives (cloud, APIs, AI, analytics) require skill sets that are scarce in the local market.

Strategic Actions:

• Develop internal IBM i talent pipelines: Establish structured training programs and mentorship to retain core system expertise.
• Invest in upskilling for emerging technologies: Provide continuous learning for cloud, cybersecurity, and data analytics to bridge skills gaps.
• Talent retention initiatives: Offer competitive compensation, career progression, and flexible work arrangements to reduce turnover.
• Strategic outsourcing: Engage international consultants for specialized IBM i or cybersecurity tasks while developing internal capabilities.

Impact:

• Reduced operational risk from knowledge concentration.
• Faster adoption of modernization and digital initiatives.
• Lower dependency on high-cost external consultants.

2. Prioritize Modernization and Core Banking Transformation

Challenges:

• Delays in digital product launches can occur due to legacy infrastructure.
• Maintaining competitive advantage requires upgraded systems and hybrid/cloud-ready platforms.

Strategic Actions:

• Modernize IBM i and core banking systems: Upgrade to IBM i 7.6 or equivalent for improved security, performance, and cloud integration.
• Invest in digital channels: Expand mobile banking, online services, and digital KYC onboarding to meet customer expectations.
• Adopt hybrid cloud strategies: Enable scalable infrastructure for core banking, backups, and analytics without disrupting critical services.
• Integrate modernization with cybersecurity: Ensure new platforms include secure architectures, encrypted data storage, and secure APIs.

Impact:

• Accelerated launch of digital services (real-time payments, AI-driven insights).
• Lower operational costs through optimized infrastructure.
• Competitive advantage against fintechs and modern banks globally.

3. Elevate Cybersecurity Posture

Challenges:

• Rising cyber threats and ransomware attacks.
• Regulatory requirements under CBSL’s Banking Act Direction 16, Circular 02/2025, and PDPA 2022.
• Need for advanced encryption, monitoring, and incident response frameworks.

Strategic Actions:

• Implement enterprise-wide encryption: Protect data at rest and in transit, including backups and replication.
• Adopt proactive cyber threat detection: SIEM, endpoint protection, and anomaly detection for critical IBM i workloads.
• Strengthen incident response and reporting: Align with CBSL reporting timelines and ensure rapid escalation.
• Train staff continuously: Build awareness on cybersecurity risks and regulatory expectations.
• Audit and measure compliance: Regular internal and external audits to maintain governance and regulatory alignment.

Impact:

• Minimized regulatory penalties and reputational risk.
• Enhanced customer trust through robust security practices.
• Reduced vulnerability to cyberattacks and operational disruption.

4. High Availability (HA) and Disaster Recovery (DR)

Challenges:

• Increased reliance on digital channels and core systems raises the cost of downtime.
• RTO/RPO and DR compliance mandated under CBSL Direction 16 and PDPA 2022.
• Legacy IBM i systems may not have modern HA/DR capabilities built in.

Strategic Actions:

• Implement real-time replication and automated failover: Ensure business continuity for core banking, payment networks, and digital platforms.
• Adopt cyber-resilient backup strategies: Immutable, encrypted, and geographically separate backups to protect against ransomware and system failures.
• Conduct regular DR drills: Validate recovery capabilities and minimize risk from human error.
• Integrate HA/DR with cybersecurity strategy: Ensure encrypted replication, monitoring, and failover mechanisms work together seamlessly.
• Measure and report performance: Track RTO/RPO metrics and maintain board-level governance reporting.

Impact:

• Reduced downtime and operational risk.
• Improved regulatory compliance and customer trust.
• Strategic advantage through reliability and cyber resilience.

Conclusion

The 2026 IBM i Marketplace Survey Results underscore challenges and opportunities that are highly relevant to Sri Lanka’s BFSI sector — especially around skills, modernization, cybersecurity, and cloud adoption.

By proactively investing in talent, technologies, and partnerships, Sri Lankan banks can turn these challenges into strategic advantages, enabling resilient, secure, and customer-centric digital transformation in an increasingly competitive and regulated market.

Navigating the New Era of Data Privacy: A Comprehensive Roadmap for Sri Lankan Banks

https://power.fortra.com/resources/videos/2026-ibm-i-marketplace-survey-results-revealed