BIS: Cyber stress tests boost bank cybersecurity investment

A Bank for International Settlements (BIS) working paper finds that targeted supervisory scrutiny, such as cyber stress tests, significantly increases cybersecurity investment among underinvesting banks. European 'laggard' banks boosted spending by 80% after the ECB's 2024 Cyber Resilience Stress Test announcement.

Disciplining the laggards

The study identifies 'laggard' European banks that underinvest in cybersecurity relative to their risk profiles, using confidential supervisory data from the European Central Bank.

Using the 2024 ECB Cyber Resilience Stress Test (CyRST) as a quasi-natural experiment, the researchers found that, following the CyRST announcement, these laggard banks increased their cybersecurity investment by approximately 80% compared to their peers.

This response was particularly strong among laggards subject to high-intensity supervisory oversight, demonstrating a clear disciplining effect.

The CyRST was purely qualitative, with no direct capital implications or public disclosure of individual bank results, allowing the study to isolate the 'scrutiny channel' as the primary mechanism driving this behavioral change.

This suggests that the credible threat of direct examination, rather than formal penalties or market discipline, can effectively motivate banks to enhance their operational risk management.

Cybersecurity as a public good

Cyber risk poses a significant operational and systemic threat to the global financial system, with localized attacks capable of rapid propagation across interconnected networks.

Cybersecurity investments, while providing private operational benefits, also generate positive externalities, meaning a better-protected bank reduces systemic risk for all.

This public-good property often leads to systemic underinvestment, as banks internalize only a portion of the broader benefits.

This underinvestment problem creates a crucial role for supervisory intervention, particularly when traditional tools like capital consequences or market discipline through disclosure are not directly applied.

Beyond capital and disclosure

This research provides novel causal evidence that non-capital-based stress tests can effectively discipline underinvestment in critical operational risks.

It highlights the potent 'scrutiny channel' as a distinct mechanism for influencing bank behavior, complementing traditional regulatory tools.

For supervisors, this suggests a valuable approach to strengthen financial system resilience in areas where risks are hard to quantify and evolve rapidly.