Disciplining digital risk: evidence from cyber stress tests
Summary
Focus
Cyber risk has become a major concern for financial stability. As banks become more digital and interconnected, cyber incidents can spread rapidly across networks and disrupt several institutions at the same time. Cyber security investment in financial networks has some of the features of a public good: while stronger protection benefits an individual bank, it also improves the resilience of the wider financial system. As a result, banks may invest less in cyber security than is desirable from a system-wide perspective.
Contribution
We provide new evidence that supervisory scrutiny can reduce underinvestment in cyber security. We analyse the European Central Bank's 2024 cyber resilience stress test, a qualitative exercise designed to assess banks' ability to respond to and recover from a cyber attack. The cyber resilience stress test is particularly useful for this analysis because it had no direct capital consequences and no public disclosure of bank-level results. This allows us to study a separate mechanism: the "scrutiny channel", through which supervisory attention increases the perceived costs of underinvestment and encourages banks to strengthen cyber resilience. Using confidential supervisory data for 109 large euro area banks from 2019 to 2024, we track cyber security spending, operational risk management, specialist staffing and the replacement of outdated IT systems. We first identify "laggard" banks, defined as institutions that invested less than predicted by their cyber risk profile and financial characteristics before the ECB stress test announcement. We then use difference-in-differences and event-study methods to analyse how investment changed after the announcement.
Findings
We document four main findings. First, the stress test announcement increased cyber security investment across the banking sector by around 45%. Second, the response was concentrated among laggard banks. These institutions increased cyber security investment by around 80% relative to other banks. Laggards also reduced reliance on external outsourcing, stabilised specialised cyber staff and adjusted cyber insurance coverage. Third, the stronger response by laggard banks was driven by supervisory scrutiny rather than by cyber incidents or losses. Fourth, the investment response was strongest among laggard banks subject to more intensive supervisory oversight, including deeper reviews and supervisory findings. By contrast, laggards facing less supervisory attention showed little change. This suggests that supervisory scrutiny can strengthen cyber resilience even without direct financial penalties.
Abstract
Investment in cybersecurity in an interconnected banking system has public-good properties: positive externalities can generate systemic underinvestment. Using confidential supervisory data from the European Central Bank, we first identify "laggard" European banks that underinvest relative to their cyber-risk profiles, and then examine how supervisory scrutiny affects their incentives to invest. We exploit the 2024 ECB Cyber Resilience Stress Test (CyRST) as a quasi-natural experiment. In a difference-in-differences design, we find that following the CyRST announcement, laggard banks increased cybersecurity investment by about 80% relative to their peers. The response is stronger among laggards subject to high-intensity supervisory oversight, consistent with scrutiny exerting a disciplining effect. Overall, the results suggest that targeted supervisory scrutiny may help mitigate underinvestment incentives and strengthen banks' operational risk management.
JEL classification: G21, G28, G32, L86, K23
Keywords: cyber risk, bank supervision, stress test, IT investment
